You can view Alibaba Cloud Security thresholds of an Internet SLB instance on the SLB console.
Introduction to Anti-DDoS Basic
Alibaba Cloud provides up to 5 Gbps basic anti-DDoS protection for SLB. As shown in the following figure, all traffic from the Internet must first go through Alibaba Cloud Security before arriving at SLB. Anti-DDoS Basic cleans and filters common DDoS attacks and protects your services against attacks such as SYN flood, UDP flood, ACK flood, ICMP flood, and DNS Query flood.
Anti-DDoS Basic sets the cleaning threshold and blackhole threshold according to the bandwidth of the Internet SLB instance. When the inbound traffic reaches the threshold, the cleaning or blackhole is triggered:
- Cleaning: When the attack traffic from the Internet exceeds the cleaning threshold or matches certain attack traffic model, Alibaba Cloud Security starts cleaning the attack traffic. The cleaning operation includes packet filtration, traffic speed limitation, packet speed limitation and so on.
- Blackhole: When the attack traffic from the Internet exceeds the blackhole threshold, blackhole is triggered and all inbound traffic is dropped.
You can view the thresholds of an instance on the SLB console. If you cannot view the thresholds using a RAM account, ask your system administrator to grant the permission for you. For more information, see Allow read-only access to Anti-DDoS Basic.
To view thresholds, complete these steps:
- Log on to the SLB console.
- Select a region.
- Hover the mouse pointer to the DDoS icon next to the target instance. You can click the link to go to the DDoS console to view more information.
- BPS threshold: When the inbound traffic exceeds the BPS cleaning threshold, cleaning is triggered.
- PPS threshold: When the inbound packets exceed the PPS cleaning threshold, cleaning is triggered.
- Blackhole threshold: When the inbound traffic exceeds the blackhole threshold, blackhole is triggered.
Allow read-only access to Anti-DDoS Basic
To allow read-only access to Anti-DDoS Basic, complete these steps:
|You have to use the primary account to complete the authorization.|
- Use the primary account to log on to the RAM console.
- In the left-side navigation pane, click Users, find the target RAM account and click Manage.
- Click User Authorization Policies, and then click Edit Authorization Policy.
- In the displayed dialog box, search AliyunYundunDDosReadOnlyAccess, and then add it to the Selected Authorization Policy Names list. Click OK.