Anti-DDoS Origin Basic is a free service that protects Elastic Compute Service (ECS) instances from DDoS attacks. If inbound traffic to an ECS instance exceeds the maximum traffic rate allowed by the instance type, Anti-DDoS Origin Basic throttles traffic to prevent issues such as data breach, server disconnections, and service inaccessibility. This topic describes the features and principles of Anti-DDoS Origin Basic.
Anti-DDoS Origin Basic is a free service provided by Alibaba Cloud. Anti-DDoS Origin Basic provides up to 5 Gbit/s of mitigation capacity against DDoS attacks free of charge. The free mitigation capacity provided for ECS instances varies based on the instance type. You can check the actual mitigation capacity of your ECS instance in the Traffic Security console. For more information, see What is Security Center? and View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic.
How Anti-DDoS Origin Basic works
After you activate Anti-DDoS Origin Basic, it monitors inbound traffic to ECS instances in real time. When an ultra-large amount of traffic or suspicious traffic such as DDoS attack traffic is detected, Anti-DDoS Origin Basic redirects traffic from the intended paths to a scrubbing device. The scrubbing device identifies and removes malicious traffic and then returns legitimate traffic. Then, the legitimate traffic is forwarded to ECS instances by using the intended paths. The preceding process is called traffic scrubbing. For more information, see What is an Anti-DDoS Origin paid edition?
If Anti-DDoS Origin Basic is activated for an ECS instance, Anti-DDoS Origin Basic triggers blackhole filtering when inbound traffic from the Internet exceeds 5 Gbit/s. All traffic to the instance is routed to a blackhole and all access requests from the Internet to the instance are blocked to ensure cluster-wide security. For more information, see Blackhole filtering policy of Alibaba Cloud in Anti-DDoS documentation.
Conditions for triggering traffic scrubbing
To trigger traffic scrubbing, make sure that the following conditions are met:
Traffic pattern: When inbound traffic matches an attack traffic pattern, traffic scrubbing is triggered.
Traffic amount: In most cases, DDoS attacks generate flood traffic at a magnitude of Gbit/s. When inbound traffic to an ECS instance reaches a specific threshold, traffic scrubbing is triggered regardless of whether traffic is normal.
Methods of traffic scrubbing
Traffic scrubbing methods include filtering out attack packets, throttling bandwidth, and throttling the packet forwarding rate. When you use Anti-DDoS Origin Basic, you must configure the following thresholds. For more information, see Configure a traffic scrubbing threshold.
BPS-based scrubbing threshold: When inbound traffic exceeds this threshold, traffic scrubbing is triggered.
PPS-based scrubbing threshold: When the inbound packet forwarding rate exceeds this threshold, traffic scrubbing is triggered.
Scrubbing thresholds of ECS instances
The traffic scrubbing feature is available in the following regions: China (Heyuan), China (Guangzhou), China (Chengdu), China (Hohhot), China (Ulanqab), China (Hong Kong), UAE (Dubai), UK (London), Germany (Frankfurt), Australia (Sydney), Philippines (Manila), Malaysia (Kuala Lumpur), Indonesia (Jakarta), India (Mumbai), Japan (Tokyo), US (Virginia), US (Silicon Valley), and Singapore.
The scrubbing threshold of an ECS instance varies based on the purchased public bandwidth and instance type. The following table describes the methods used to calculate the scrubbing threshold of an ECS instance.
Purchased public bandwidth (Mbit/s) | Maximum BPS-based scrubbing threshold (Mbit/s) | Maximum PPS-based scrubbing threshold (pps) |
≤ 300 | The maximum bandwidth allowed by the ECS instance type or 450, whichever is lower. | The maximum packet forwarding rate allowed by the ECS instance type or 100,000, whichever is lower. |
> 300 | The maximum bandwidth allowed by the ECS instance type or the product of the purchased bandwidth value multiplied by 1.5, whichever is smaller. | The maximum packet forwarding rate allowed by the ECS instance type or the product of the purchased bandwidth value multiplied by 1,000, whichever is smaller. |
For information about the bandwidth and packet forwarding rate of the BPS-based and PPS-based scrubbing thresholds, see the Network bandwidth and Packet forwarding rate rows in the "Instance type specifications" section of the Overview of instance families topic.
If no bandwidth metrics are available for an instance family, the scrubbing threshold displayed in the Traffic Security console prevails.
The threshold for triggering blackhole filtering displayed in the Traffic Security console prevails. For more information, see View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic.
For example, if you purchase an ECS instance of the ecs.g5.16xlarge instance type and the purchased public bandwidth is 100 Mbit/s, the maximum bandwidth of the instance is 20,000 Mbit/s and the maximum packet forwarding rate is 4,000,000. The following table describes how to calculate the scrubbing threshold of the instance.
Purchased public bandwidth (Mbit/s) | Maximum BPS-based scrubbing threshold (Mbit/s) | Maximum PPS-based scrubbing threshold (pps) |
100 < 300 | 20,000 or 450, whichever is smaller. The result is 450. | 4,000,000 or 100,000, whichever is smaller. The result is 100,000. |
The final scrubbing threshold displayed in the Traffic Security console prevails. For more information, see View the Assets page. The following figure shows an example.
References
By default, Anti-DDoS Origin Basic is enabled for ECS instances. After you create an ECS instance, you can perform the following operations:
Specify scrubbing thresholds. After an ECS instance is created, the maximum thresholds of Anti-DDoS Origin Basic for the instance types are used. The maximum BPS-based scrubbing threshold for specific instance types may be too high. You must change the threshold based on your business requirements. For more information, see Configure a traffic scrubbing threshold in the DDoS documentation.
(Not recommended) Disable traffic scrubbing. When traffic scrubbing is enabled and inbound traffic to an ECS instance reaches a specific threshold, traffic scrubbing is triggered regardless of whether traffic is normal. This may affect or interrupt normal business. You can disable traffic scrubbing for ECS instances. For more information, see Cancel traffic cleaning.
WarningAfter traffic scrubbing is disabled for an ECS instance, when inbound traffic to the instance exceeds 5 Gbit/s, all traffic to the instance is routed to a blackhole. Proceed with caution.
Compared with traditional security solutions to DDoS attacks, Alibaba Cloud Anti-DDoS Proxy has the advantages of easy deployment, high BGP network quality, comprehensive protection capability, stable system availability, precise protection, and advanced AI intelligent protection technology. For more information, see What is Anti-DDoS Proxy?
For information about how to select anti-DDoS solutions, see Scenario-specific anti-DDoS solutions.