After you add your service to Anti-DDoS Pro or Anti-DDoS Premium, if attack traffic is not scrubbed and directly targets the origin server, the IP address of the origin server may have been exposed. In this case, you must change the IP address of the origin server.

Check for risks that cause IP address exposure

Before you change the IP address of the origin server, make sure that you eliminate all risks to prevent the IP address from being exposed again. You can check for the following exposure risks:
  • Check whether the origin server contains security risks, such as trojans and backdoors.

    We recommend that you use Alibaba Cloud Security Center to check and fix security vulnerabilities. For more information, see What is Security Center?.

  • Check whether the origin server runs services that are not added to Anti-DDoS Pro or Anti-DDoS Premium. For example, you have added MX records to configure an email server or other DNS records to configure a BBS website for the origin server.
    Notice Make sure that no DNS records map a domain name to the IP address of the origin server.
  • Check whether the source code of the website is exposed. For example, the phpinfo() function may contain the IP address of the origin server.
  • Check whether the origin server encounters malicious scanning. You can allow inbound traffic only from the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium to access the origin server. For more information, see Configure protection policies for the origin server.

Change the IP address of the origin server

After you eliminate all risks that may cause the exposure, you can change the IP address of the origin server. For more information, see Change ECS IP.

If you do not want to change the IP address or the new IP address is also exposed, we recommend that you deploy an SLB instance to connect the ECS instance. For more information, see Quick Start of SLB. You can adopt the following network architecture: Client > Anti-DDoS Pro or Anti-DDoS Premium > SLB instance > ECS instance.

In this architecture, even if the origin server encounters attacks that trigger blackhole filtering, the service is not interrupted. Traffic from the SLB instance to the origin server is transmitted over the internal network. If blackhole filtering is triggered for the public IP address of the origin server, Anti-DDoS Pro or Anti-DDoS Premium can still access the origin server through the SLB instance.
Note To apply the preceding network architecture, you must set the origin server address to the IP address of the SLB instance in the Anti-DDoS Pro or Anti-DDoS Premium console.