Step 2. Whitelist local IP subnet

Last Updated: Apr 10, 2017

Procedure

  1. Select the domain name to be configured on the Instance List page.

  2. Click Expand protection panel.

  3. Select Black/White list configuration under Website black/white list.

  4. Maintain the domain’s blacklist or whitelist on the prompt page.

The most recent local IP subnets (generally, fixed subnets) are listed under Anti-DDoS Service PRO back-to-source CIDR block on the Instance List page.

The Alibaba scrubbing center (AliSC) of Anti-DDoS Pro acts as a reverse proxy, which hides the origin server from clients. AliSC handles all requests from clients, blocking malicious requests and forwarding legitimate requests to the origin. Malicious traffic is therefore mitigated as it passes through Anti-DDoS Pro.

In Full-NAT proxy mode, Anti-DDoS Pro uses a local IP as the source IP when it establishes a connection with the origin server, as illustrated in the following figure.

[Figure: Anti-DDoS Pro in Full-NAT proxy mode]

  • Multiple local IP addresses are in use because AliSC has multiple physical servers.
  • In Full-NAT mode, the source IP address of every packet is a local IP address.
  • The origin server must whitelist all existing local IP addresses, which are fixed, to guarantee accessibility.
  • AliSC uses local IP addresses to access the IDC network and keeps the real client IP address in the X-Forwarded-For field of the HTTP/HTTPS header.

From the origin's point of view, Anti-DDoS Pro concentrates traffic into fewer source IP addresses and increases the speed at which packets arrive from them. As a result, the origin server's firewall or security software (if any is in use) may treat the local IPs as suspicious. To keep the local IPs from being blocked or rate-limited, make sure all of them are whitelisted before traffic is diverted to Alibaba Cloud.

For stronger protection, it is recommended to block all requests to the origin server that do not come from local IP addresses. The origin is then better protected even if its real IP addresses are disclosed.
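An origin-side check that combines the whitelist with the X-Forwarded-For handling described above, as an added example that is not Alibaba Cloud's code. The CIDR blocks are constructed placeholders, the function names are hypothetical, and the right-to-left header walk assumes the proxy appends the address it saw to the end of the header.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation blocks). Replace with
# the back-to-source CIDR blocks shown on the Instance List page.
BACK_TO_SOURCE_CIDRS = ["203.0.113.0/24", "198.51.100.0/25"]


def _parse(value):
    """Return an ip_address, or None if the text is not a valid address."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_local_ip(addr, cidrs=BACK_TO_SOURCE_CIDRS):
    """True if addr falls inside one of the whitelisted back-to-source blocks."""
    ip = _parse(addr)
    return ip is not None and any(ip in ipaddress.ip_network(c) for c in cidrs)


def resolve_client(peer_ip, xff_header, cidrs=BACK_TO_SOURCE_CIDRS):
    """Return (allowed, client_ip) for one inbound connection at the origin.

    Peers outside the back-to-source blocks are refused outright, so an
    X-Forwarded-For value sent straight to the origin is never read.
    """
    if not is_local_ip(peer_ip, cidrs):
        return (False, None)
    # Assumption: the proxy appends the address it saw to the right-hand end,
    # so walk right to left and take the first hop that is not a local IP.
    for hop in reversed((xff_header or "").split(",")):
        ip = _parse(hop)
        if ip is None:
            break  # malformed entry: stop rather than trust anything left of it
        if not is_local_ip(hop, cidrs):
            return (True, str(ip))
    # No usable header: fall back to the peer address (a local IP).
    return (True, str(_parse(peer_ip)))
```

Rate limiting and logging at the origin should key on the returned client address rather than the peer address, since every legitimate peer is one of a small set of local IPs.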
