Anti-DDoS Basic is a service that protects Elastic Compute Service (ECS) instances from distributed denial-of-service (DDoS) attacks to ensure system stability. If inbound traffic to an instance exceeds the maximum traffic rate allowed by the instance type, Alibaba Cloud Security throttles the traffic.

Anti-DDoS Basic is a free service included in Alibaba Cloud Security. It offers up to 5 Git/s of mitigation capacity against common DDoS attacks for free. The instance type of an ECS instance determines the mitigation capacity that is provided in the free tier. You can log on to the Traffic Security (Anti-DDoS Basic) console to check the actual mitigation capacity threshold. For more information, see View black hole triggering thresholds in Anit-DDoS Origin Basic.

How Anti-DDoS Basic works

After Anti-DDoS Basic is enabled, Alibaba Cloud Security monitors inbound traffic to ECS instances in real time. When large amounts of traffic or suspicious traffic such as DDoS attack traffic is detected, Alibaba Cloud Security redirects the traffic from the destination network to a scrubbing device. The scrubbing device identifies and removes malicious traffic and then returns legitimate traffic to the destination network to be forwarded to the ECS instances. This process is called traffic scrubbing. For more information, see How Anti-DDoS Basic works.

Note If Anti-DDoS Basic is enabled for an ECS instance, Alibaba Cloud Security triggers a blackhole when inbound traffic from the Internet exceeds 5 Gbit/s. All traffic to the instance is routed to the blackhole and all accesses from the Internet to the instance are blocked to ensure cluster-wide security. For more information, see Blackhole filtering policy of Alibaba Cloud in DDoS Protection documentation.

Trigger conditions:

  • Traffic pattern. When inbound traffic matches an attack traffic pattern, traffic scrubbing is triggered.
  • Traffic amounts. Typically, DDoS attacks generate flood traffic on a magnitude of Gbit/s. When inbound traffic to an ECS instance reaches a specified threshold, traffic scrubbing is triggered regardless of whether the traffic is normal.

The methods of traffic scrubbing include filtering attack packets, throttling bandwidth, and throttling the packet forwarding rate.

Therefore, you must configure the following thresholds when you use Anti-DDoS Basic:
  • BPS threshold: When inbound traffic exceeds this threshold, traffic scrubbing is triggered.
  • Scrubbing threshold (packet/s): When the number of inbound packets per second exceeds this threshold, traffic scrubbing is triggered.
The actual scrubbing thresholds are displayed in the Traffic Security console, as shown in the following figure. For information about how to view the thresholds, see Assets. ddos-threshold

Operations

By default, Anti-DDoS Basic is enabled for ECS. You can perform the following operations after you create an ECS instance:

  • Configure scrubbing thresholds. After an ECS instance is created, the maximum thresholds of Anti-DDoS Basic for the instance type are used. However, the maximum BPS threshold for some instance types may be high and not safe. You must set the threshold based on your business needs. For more information, see Configure a traffic scrubbing threshold in Anti-DDoS Basic User Guide.
  • (Not recommended) Disable traffic scrubbing. When traffic scrubbing is enabled and inbound traffic to an ECS instance reaches a specified threshold, traffic scrubbing is triggered regardless of whether the traffic is normal. This may affect or interrupt normal business. You can manually disable traffic scrubbing for ECS instances. For more information, see Cancel traffic cleaning in Anti-DDoS Basic User Guide.
    Warning After traffic scrubbing is disabled for an ECS instance, when inbound traffic to the instance exceeds 5 Gbit/s, all traffic to the instance is routed to a blackhole. Proceed with caution.