If your source IP can still be attacked after being protected under Anti-DDoS Pro, you can change the source IP address.
Insecure factors checklist
- Check whether the origin server contains security risks such as Trojans or webshells.
- Check whether Anti-DDoS Pro is enabled for all services in the origin server, especially the records other than Web records such as MX records for mail servers and bbs records.
Note Double-check your DNS records to confirm that no record points to the source IP.
- Check whether the source code leaks your website information. For example, the
phpinfo()command may contain IP addresses and other information.
- Check the origin server for malicious scanning. You can prevent this risk by only allowing the Anti-DDoS Pro IP addresses on the origin. Check if you have businesses resolved to the origin server. For more information, see Protect the origin.
- Make sure that no business is resolved to the origin.
- Use a Ping tester (for example DNS Checker) to test the current domain name.
- Check your DNS records again to make sure no record points to the source IP.
Change source IP
After eliminating all the insecure factors that may expose the source IP, you can change the exposed source IP. For more information, see Change ECS IP.
If you do not want to change the source IP or have changed the source IP but still have a problem, we recommend that you deploy an SLB server in front of the backend of your ECS server.
With this architecture, even if the origin is put into a black hole after being attacked, to access the server through Anti-DDoS Pro remains unaffected. Because the traffic from the load balancing server to the origin is transmitted through the intranet, even if the origin IP is put into a black hole, Anti-DDoS Pro can still access the origin through the load balancing server.