All Products
Search
Document Center

Elastic Compute Service:Anti-DDoS Origin Basic

Last Updated:Feb 27, 2024

Anti-DDoS Origin Basic is a service that protects Elastic Compute Service (ECS) instances from DDoS attacks to help ensure system stability. If inbound traffic to an ECS instance exceeds the maximum traffic rate allowed by the instance type, Alibaba Cloud Security Center throttles traffic.

Anti-DDoS Origin Basic is a free service available in Alibaba Cloud Security Center. Anti-DDoS Origin Basic provides up to 5 Gbit/s of mitigation capacity against DDoS attacks free of charge. The free mitigation capacity provided for an ECS instance varies based on the instance type. You can check the actual mitigation capacity of your ECS instance in the Traffic Security (Anti-DDoS Basic) console. For more information, see What is Security Center? and View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic.

How Anti-DDoS Origin Basic works

After you activate Anti-DDoS Origin Basic, Security Center monitors inbound traffic to ECS instances in real time. When an excessively large amount of traffic or suspicious traffic such as DDoS attack traffic is detected, Security Center redirects traffic from the intended paths to a scrubbing device. The scrubbing device identifies and removes malicious traffic and then returns legitimate traffic. Then, legitimate traffic is forwarded to ECS instances by using the intended paths. The preceding process is called traffic scrubbing. For more information, see What is an Anti-DDoS Origin paid edition?

Note

If Anti-DDoS Origin Basic is enabled for an ECS instance, Security Center triggers blackhole filtering when inbound traffic from the Internet exceeds 5 Gbit/s. All traffic to the instance is routed to a blackhole, and all access requests from the Internet to the instance are blocked to ensure cluster-wide security. For more information, see Blackhole filtering policy of Alibaba Cloud in the Anti-DDoS documentation.

Conditions for triggering traffic scrubbing

To trigger traffic scrubbing, make sure that the following conditions are met:

  • Traffic pattern: When inbound traffic matches an attack traffic pattern, traffic scrubbing is triggered.

  • Traffic amount: In most cases, DDoS attacks generate flood traffic at a magnitude of Gbit/s. When inbound traffic to an ECS instance reaches a specific threshold, traffic scrubbing is triggered regardless of whether traffic is normal.

Methods of traffic scrubbing

Traffic scrubbing methods include filtering out attack packets, throttling bandwidth, and throttling the packet forwarding rate. When you use Anti-DDoS Origin Basic, you must configure the following thresholds. For more information, see Configure a traffic scrubbing threshold.

  • BPS-based scrubbing threshold: When inbound traffic exceeds this threshold, traffic scrubbing is triggered.

  • PPS-based scrubbing threshold: When the inbound packet forwarding rate exceeds this threshold, traffic scrubbing is triggered.

Scrubbing thresholds of ECS instances

Note

The traffic scrubbing feature is available in the following regions: China (Heyuan), China (Guangzhou), China (Chengdu), China (Hohhot), China (Ulanqab), China (Hong Kong), UAE (Dubai), UK (London), Germany (Frankfurt), Australia (Sydney), Philippines (Manila), Malaysia (Kuala Lumpur), Indonesia (Jakarta), India (Mumbai), Japan (Tokyo), US (Virginia), US (Silicon Valley), and Singapore.

The scrubbing threshold of an ECS instance is determined by the purchased public bandwidth and instance type. The following table describes the methods used to calculate the scrubbing threshold of an ECS instance.

Purchased public bandwidth ( Mbit/s)

Maximum BPS-based scrubbing threshold (Mbit/s)

Maximum PPS-based scrubbing threshold (pps)

≤ 300

The maximum bandwidth allowed by the ECS instance type or 450, whichever is smaller.

The maximum packet forwarding rate allowed by the ECS instance type or 100,000, whichever is smaller.

> 300

The maximum bandwidth allowed by the ECS instance type or the product of the purchased bandwidth value multiplied by 1.5, whichever is smaller.

The maximum packet forwarding rate allowed by the ECS instance type or the product of the purchased bandwidth value multiplied by 1,000, whichever is smaller.

Note

For example, if you purchase an ECS instance of the ecs.g5.16xlarge instance type and the purchased public bandwidth is 100 Mbit/s, the maximum bandwidth of the instance is 20,000 Mbit/s and the maximum packet forwarding rate is 4,000,000. The following table describes how to calculate the scrubbing threshold of the instance.

Purchased public bandwidth (Mbit/s)

Maximum BPS-based scrubbing threshold (Mbit/s)

Maximum PPS-based scrubbing threshold (pps)

100 < 300

20,000 or 450, whichever is smaller.

The result is 450.

4,000,000 or 100,000, whichever is smaller.

The result is 100,000.

The final scrubbing threshold displayed in the Traffic Security console prevails. For more information, see View the Assets page. The following figure shows an example.资产中心

Related operations

By default, Anti-DDoS Origin Basic is enabled for ECS instances. After you create an ECS instance, you can perform the following operations:

  • Specify scrubbing thresholds. After an ECS instance is created, the maximum thresholds of Anti-DDoS Origin Basic for the instance type are used. The maximum BPS-based scrubbing threshold for specific instance types may be too high. You must specify a threshold based on your business requirements. For more information, see Configure a traffic scrubbing threshold in the DDoS documentation.

  • (Not recommended) Disable traffic scrubbing. When traffic scrubbing is enabled and inbound traffic to an ECS instance reaches a specific threshold, traffic scrubbing is triggered regardless of whether traffic is normal. This may affect or interrupt normal business. You can manually disable traffic scrubbing for ECS instances. For more information, see Cancel traffic cleaning in the DDoS documentation.

    Warning

    After you disable traffic scrubbing for an ECS instance, blackhole filtering is triggered for the instance when inbound traffic to the instance exceeds 5 Gbit/s. Proceed with caution.