High security

Last Updated: Dec 04, 2017

Anti-DDoS attack

Notice: We recommend that RDS instances be accessed over the intranet to avoid DDoS attacks.

When RDS instances are accessed over the Internet, they are exposed to the risk of DDoS attacks. If an attack occurs, the RDS security system first starts flow cleaning. If flow cleaning fails, or the attack traffic reaches the black hole threshold, black hole processing is triggered.

The following describes how flow cleaning and black hole processing work and when they are triggered:

  • Flow cleaning:

    • This applies only to inbound traffic from the Internet. While flow cleaning is in progress, the RDS instance can still be accessed normally. Flow cleaning is triggered if a single ApsaraDB instance meets any of the following conditions:

      • Packets Per Second (PPS) reaches 30,000.

      • Bits Per Second (BPS) reaches 180 Mbps.

      • The number of concurrent connections created per second reaches 10,000.

      • The number of concurrent active connections reaches 10,000.

      • The number of concurrent inactive connections reaches 10,000.

    • The system automatically triggers and terminates flow cleaning.

  • Black hole processing:

    • This applies only to inbound traffic from the Internet. Black hole processing protects the overall RDS service by blocking malicious attack traffic. While a black hole is in effect, the RDS instance and its services cannot be accessed from the Internet. Black hole processing is triggered if both of the following conditions are met:

      • BPS reaches 2 Gbps.

      • Flow cleaning is ineffective.

    • The black hole is removed automatically after 2.5 hours.
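The following Python is an added example (not Alibaba Cloud code) that models the two-stage policy described above as a small state machine over per-second traffic samples, so an operator can see which published threshold would trip flow cleaning and when a black hole would begin and lift. The traffic samples are constructed, and the rule used to judge flow cleaning "ineffective" is an assumption of the example, not something the page specifies.

```python
# Flow-cleaning thresholds quoted on the page; reaching any one triggers cleaning.
CLEANING_THRESHOLDS = {
    "pps": 30_000,               # packets per second
    "bps": 180_000_000,          # 180 Mbps
    "new_conn_per_sec": 10_000,  # connections created per second
    "active_conns": 10_000,      # concurrent active connections
    "inactive_conns": 10_000,    # concurrent inactive connections
}
BLACK_HOLE_BPS = 2_000_000_000   # 2 Gbps
BLACK_HOLE_SECONDS = 2.5 * 3600  # the black hole is lifted after 2.5 hours

def exceeded(sample):
    """Names of the cleaning thresholds a per-second sample reaches.

    A sample is a dict with 't' (seconds since monitoring began) and any of
    the metric names in CLEANING_THRESHOLDS; missing metrics count as zero.
    """
    return [k for k, v in CLEANING_THRESHOLDS.items() if sample.get(k, 0) >= v]

def simulate(samples):
    """Return (t, state) per sample; states are normal, cleaning, black_hole.

    Cleaning starts when any threshold is reached and ends when none is.
    A black hole starts when BPS reaches 2 Gbps while cleaning is already
    active yet a threshold is still exceeded (ASSUMPTION: that is how
    'flow cleaning is ineffective' is judged here) and lifts 2.5 h later.
    """
    state, hole_start, out = "normal", None, []
    for s in samples:
        hit, t = exceeded(s), s["t"]
        if state == "black_hole" and t - hole_start < BLACK_HOLE_SECONDS:
            pass                                 # still cut off from the Internet
        elif state == "cleaning" and hit and s.get("bps", 0) >= BLACK_HOLE_BPS:
            state, hole_start = "black_hole", t  # cleaning did not contain the attack
        else:
            state = "cleaning" if hit else "normal"
        out.append((t, state))
    return out

# Constructed samples (not real telemetry): ramp-up, cleaning, black hole, recovery.
SAMPLES = [
    {"t": 0, "pps": 5_000, "bps": 50_000_000},
    {"t": 1, "pps": 40_000, "bps": 120_000_000},       # PPS threshold reached: cleaning
    {"t": 2, "pps": 40_000, "bps": 2_500_000_000},     # cleaning active and 2 Gbps: black hole
    {"t": 3, "pps": 40_000, "bps": 2_500_000_000},     # still black-holed
    {"t": 2 + 9000, "pps": 1_000, "bps": 10_000_000},  # 2.5 h later: lifted, traffic normal
]
```

Note that a first sample at 2 Gbps with no cleaning yet in progress only enters the cleaning state, because the page says flow cleaning is always attempted before a black hole is applied.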

Access control policy

You can define the IP addresses that are allowed to access RDS. IP addresses that have not been specified are denied access.

Each account can only view and operate its own database.

System security

RDS is protected by multiple firewall layers that can effectively block a variety of malicious attacks and guarantee data security.

Direct logon to the RDS server is not allowed. Only the port required by the specific database service is open.

The RDS server cannot initiate an external connection. It can only accept access requests.

Professional support team

Alibaba Cloud’s security team provides rapid security technology support for RDS.

