By default, OSS protects every bucket with Anti-DDoS Origin at no additional cost. If an attack exceeds Anti-DDoS Origin's protection threshold, bucket access may be disrupted. OSS DDoS protection addresses this gap: it integrates OSS with Anti-DDoS Pro and Anti-DDoS Premium to automatically divert attack traffic to dedicated scrubbing infrastructure, so legitimate requests continue reaching your bucket without interruption.
How it works
When attack traffic exceeds the Anti-DDoS Origin threshold, OSS automatically diverts all traffic for the affected bucket to an Anti-DDoS instance. Scrubbing centers filter out malicious traffic; clean traffic is forwarded back to the bucket through port and protocol forwarding. After the attack ends, traffic switches back to Anti-DDoS Origin.
What OSS DDoS protection covers
OSS DDoS protection handles volumetric and flood attacks, with a mitigation capacity of hundreds of Gbps and millions of queries per second (QPS), and attack switching in seconds.
| OSI layer | Covered attack types |
|---|---|
| L3/L4 | SYN Flood, ACK Flood, ICMP Flood, UDP Flood, NTP Flood, SSDP Flood |
| L7 | DNS Flood, HTTP Flood |
What OSS DDoS protection does not cover
| Traffic type | Recommended alternative |
|---|---|
| Low-volume fraudulent traffic that mimics normal requests | Configure access control using policies or access control lists (ACLs), or enable Web Application Firewall (WAF) protection. See How do I prevent fraudulent traffic from accessing OSS? |
| Medium-scale CC attacks | OSS DDoS protection cannot effectively mitigate these. Consider WAF for application-layer protection. |
Limitations
Region availability
OSS DDoS protection is available in the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), and China (Hong Kong).
Endpoint coverage
OSS DDoS protection covers public endpoints only (for example, oss-cn-hangzhou.aliyuncs.com). The following endpoint types are not protected:
| Endpoint type | Example |
|---|---|
| Acceleration endpoints | oss-accelerate.aliyuncs.com, oss-accelerate-overseas.aliyuncs.com |
| Access point endpoints | ap-01-3b00521f653d2b3223680ec39dbbe2****-ossalias.oss-cn-hangzhou.aliyuncs.com |
| Object FC Access Point endpoints | fc-ap-01-3b00521f653d2b3223680ec39dbbe2****-opapalias.oss-cn-hangzhou.aliyuncs.com |
| IPv6 endpoints | cn-hangzhou.oss.aliyuncs.com |
| Amazon S3-compatible endpoints | s3.oss-cn-hongkong.aliyuncs.com |
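The following added example (not part of the original documentation) classifies the OSS hostnames an application uses against the coverage rules above, so unprotected endpoints can be found before an attack. The hostname patterns are inferred from the examples in the table and are assumptions, as is the `internal` rule, which is not on this page.

```python
import re

# Region IDs for the six regions listed under "Region availability".
SUPPORTED_REGIONS = {"cn-hangzhou", "cn-shanghai", "cn-qingdao",
                     "cn-beijing", "cn-shenzhen", "cn-hongkong"}

# Hostname shapes inferred from the examples in the table above (assumption).
# Each rule is tested before the public pattern because several of these
# hostnames would otherwise look like "<bucket>.oss-<region>.aliyuncs.com".
UNPROTECTED_RULES = [
    ("acceleration", r"(^|\.)oss-accelerate(-overseas)?\.aliyuncs\.com$"),
    ("object-fc-access-point", r"-opapalias\.oss-[a-z0-9-]+\.aliyuncs\.com$"),
    ("access-point", r"-ossalias\.oss-[a-z0-9-]+\.aliyuncs\.com$"),
    ("s3-compatible", r"(^|\.)s3\.oss-[a-z0-9-]+\.aliyuncs\.com$"),
    ("ipv6", r"(^|\.)[a-z0-9-]+\.oss\.aliyuncs\.com$"),
    # Not in the table: internal endpoints are not public endpoints.
    ("internal", r"(^|\.)oss-[a-z0-9-]+-internal\.aliyuncs\.com$"),
]
PUBLIC = re.compile(r"(^|\.)oss-([a-z0-9-]+)\.aliyuncs\.com$")


def classify(host):
    """Return (endpoint_kind, covered_by_oss_ddos_protection)."""
    host = host.strip().lower().rstrip(".")
    for kind, pattern in UNPROTECTED_RULES:
        if re.search(pattern, host):
            return kind, False
    match = PUBLIC.search(host)
    if match:  # public endpoint: covered only in a supported region
        return "public", match.group(2) in SUPPORTED_REGIONS
    return "custom-or-unknown", False  # custom domains need the protection list


def unprotected(hosts):
    """Map each host that would not be covered to its endpoint kind."""
    return {h: classify(h)[0] for h in hosts if not classify(h)[1]}


if __name__ == "__main__":
    # Constructed sample: hostnames an application might be configured with.
    sample = ["examplebucket.oss-cn-hangzhou.aliyuncs.com",
              "examplebucket.oss-accelerate.aliyuncs.com",
              "examplebucket.s3.oss-cn-hongkong.aliyuncs.com",
              "static.example.com"]
    for host, kind in unprotected(sample).items():
        print(f"NOT COVERED  {kind:<22} {host}")
```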
Instance and bucket limits
| Item | Limit |
|---|---|
| Anti-DDoS instances per region | 1 |
| Buckets per Anti-DDoS instance | 10 (same region) |
| Custom domain names in the protection list per bucket | 5 (belonging to a maximum of 4 different sites) |
| Minimum usage period per Anti-DDoS instance | 7 days. If you delete the instance within this period, you are charged the basic resource fee for the remainder of the 7-day period. See DDoS protection fees. |
Behavior after attaching a bucket
Browser preview is disabled. After a bucket is attached to an Anti-DDoS instance, resources in the bucket cannot be previewed in a browser.
Custom domain names are not protected by default. During an attack, the bucket is inaccessible through custom domain names unless you add them to the protection list (see Step 3 below).
Domain name conflict. If a custom domain name you want to protect (for example, www.example.com) matches an exact or wildcard domain name (for example, *.example.com) already configured in an Anti-DDoS Pro forwarding rule, you must first remove that rule from the Anti-DDoS Pro console. Otherwise, the bucket remains inaccessible through the custom domain name during an attack. For details on forwarding rules, see Add a website configuration.
Enable OSS DDoS protection
Prerequisites
Before you begin, ensure that you have:
An OSS bucket in a supported region
Sufficient permissions to manage OSS and Anti-DDoS resources
Step 1: Create an Anti-DDoS instance
Log on to the OSS console.
In the left navigation pane, choose Data Service > Anti-DDoS Pro.
If this is your first time using OSS DDoS protection, click Activate Now on the Anti-DDoS Pro page.
Click Create Anti-DDoS Instance, then select a Region.
Click OK.
Step 2: Attach a bucket
In the Actions column of the instance, click View and Attach Buckets.
In the View and Attach Buckets panel, click Attach Protected Buckets.
In the Attach Protected Buckets dialog box, select a bucket from the Bucket drop-down list.
Buckets already attached to an Anti-DDoS instance do not appear in this list.
Click OK.
The bucket status changes from Initializing to Protecting when the Anti-DDoS instance begins protecting the bucket's public endpoint.
Step 3: Add custom domain names to the protection list (optional)
By default, OSS does not protect custom domain names associated with a bucket. Add them to the protection list if you need to access the bucket through custom domain names during an attack.
Each bucket supports up to 5 custom domain names in the protection list, belonging to a maximum of 4 different sites. For example, a.mycname.com and b.mycname.com belong to the same site, while c.othercname.com belongs to a different site.
If a custom domain name is not yet attached to the bucket, attach it first. See Attach a custom domain name.
To add an already-attached custom domain name to the protection list:
In the Actions column of the protected bucket, click Modify Custom Domain Name.
Select the custom domain names to protect.
Click OK.
The Anti-DDoS instance begins protecting the selected custom domain names.
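A pre-check for the protection list, written as an added example that is not part of the original documentation: it applies the 5-domain and 4-site limits from Step 3 and the forwarding-rule conflict described under "Behavior after attaching a bucket". The function names are hypothetical; treating a site as the last two labels of a name and letting a wildcard match any subdomain depth are assumptions.

```python
MAX_DOMAINS, MAX_SITES = 5, 4  # per-bucket limits stated on this page


def site_of(domain):
    # Assumption: a "site" is the last two labels (a.mycname.com -> mycname.com).
    # Multi-label suffixes such as .com.cn would need a public-suffix list.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def rule_conflicts(domain, rule):
    """True if a forwarding-rule domain matches `domain` exactly or as a wildcard."""
    domain, rule = domain.lower().rstrip("."), rule.lower().rstrip(".")
    if rule.startswith("*."):
        # Assumption: the wildcard covers any subdomain depth, so the
        # pre-check errs towards reporting a conflict.
        return domain.endswith(rule[1:])
    return domain == rule


def check_protection_list(domains, forwarding_rules):
    """Return a list of problems; an empty list means the plan fits the limits."""
    problems = []
    unique = sorted({d.lower().rstrip(".") for d in domains})
    if len(unique) > MAX_DOMAINS:
        problems.append(f"{len(unique)} domains exceeds the limit of {MAX_DOMAINS}")
    sites = {site_of(d) for d in unique}
    if len(sites) > MAX_SITES:
        problems.append(f"{len(sites)} sites exceeds the limit of {MAX_SITES}")
    for d in unique:
        for r in forwarding_rules:
            if rule_conflicts(d, r):
                problems.append(f"{d} conflicts with forwarding rule {r}")
    return problems


if __name__ == "__main__":
    # Constructed sample: planned protection list and existing forwarding rules.
    planned = ["a.mycname.com", "b.mycname.com", "www.example.com"]
    existing_rules = ["*.example.com"]
    for problem in check_protection_list(planned, existing_rules):
        print("PROBLEM:", problem)
```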
Billing
Anti-DDoS instances have a minimum usage period of 7 days. If you delete an instance within this period, you are charged the basic resource fee for the remainder of the 7-day period. For full pricing details, see DDoS protection fees.