The Alibaba scrubbing center (AliSC) of Anti-DDoS Pro acts as a reverse proxy, ensuring the invisibility of the origin server to the client server. AliSC handles all requests from clients by blocking malicious requests while forwarding legitimate requests to the origin. Therefore, malicious traffic is mitigated when it goes through the Anti-DDoS Pro.
In Full-NAT proxy mode, Anti-DDoS Pro uses the local IP as the source IP to establish connection with the origin server, as illustrated in the following figure.
- Multiple local IP addresses are available because AliSC has multiple physical servers.
- In Full NAT mode, each packet’s source IP address will be a local IP address.
- The origin server must whitelist all existing local IP addresses that are fixed to guarantee accessibility.
- AliSC uses local IP addresses to visit IDC network and keeps the real client IP address in HTTP/HTTPS header’s X-forwarded-for field.
For origin, Anti-DDoS Pro makes source IP addresses more concentrated, and improves the transmission speed of packets from them. Under this circumstance, however, the local IPs may be determined as suspicious to the origin server’s firewall or security software (if such software is applied). In case of the local IP being blocked or limited, make sure all the local IPs are whitelisted before being diverted to Alibaba Cloud.
For a deeper level of safety considerations, it is recommended to block all requests to the origin server from IP addresses except local IP addresses. By doing this, the origin is better protected even if the real IP addresses are disclosed.