This topic provides an overview of attack protection for ApsaraDB for RDS.

DDoS attack prevention

When you access an ApsaraDB for RDS instance from the Internet, the instance is vulnerable to DDoS attacks. ApsaraDB for RDS provides the traffic scrubbing and black hole filtering features that are automatically triggered and terminated by the RDS security system. When a DDoS attack is detected, the RDS security system first scrubs the inbound traffic. If traffic scrubbing is not sufficient or if the traffic exceeds a specified threshold, black hole filtering is triggered.

Note We recommend that you access RDS instances over an internal network to protect them against DDoS attacks.

Traffic scrubbing

Traffic scrubbing is only for traffic flows from the Internet and does not affect normal operations of your instance.

Traffic scrubbing is triggered for a single ApsaraDB for RDS instance if any of the following conditions are met:

  • Packets per second (PPS) reaches 30,000.
  • Bits per second (BPS) reaches 180 Mbit/s.
  • The number of new concurrent connections per second reaches 10,000.
  • The number of active concurrent connections reaches 10,000.
  • The number of idle concurrent connections reaches 100,000.

Black hole filtering

Black hole filtering is only for traffic flows from the Internet. If an RDS instance is undergoing black hole filtering, the instance cannot be accessed from the Internet and the connected applications are unavailable. Black hole filtering is used to protect the overall availability of ApsaraDB for RDS.

Black hole filtering is triggered if any of the following conditions are met:

  • BPS reaches 2 Gbit/s.
  • Traffic scrubbing is insufficient to protect against DDoS attacks.

Black hole filtering is automatically deactivated after 2.5 hours.
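The following is an added example, not code from ApsaraDB for RDS or its documentation. It replays a series of per-instance traffic metrics against the scrubbing thresholds and the black hole conditions listed above, reporting the state the RDS security system would be in for each sample, and adds an assumed "warning" state when a metric reaches 80% of a scrubbing threshold so that an operator can be alerted before scrubbing or black hole filtering is triggered. The metric names, the `Sample` type and the sample values are assumptions made for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Per-instance thresholds stated on the page (Internet-facing traffic only).
SCRUB_THRESHOLDS = {
    "pps": 30_000,             # packets per second
    "bps": 180_000_000,        # 180 Mbit/s
    "new_conn_per_s": 10_000,  # new concurrent connections per second
    "active_conn": 10_000,     # active concurrent connections
    "idle_conn": 100_000,      # idle concurrent connections
}
BLACKHOLE_BPS = 2_000_000_000                        # 2 Gbit/s
BLACKHOLE_DURATION = timedelta(hours=2, minutes=30)  # deactivated after 2.5 hours

# One metrics sample for an instance (assumed shape); fields match SCRUB_THRESHOLDS keys.
Sample = namedtuple("Sample", "ts pps bps new_conn_per_s active_conn idle_conn")

def scrub_triggers(s):
    """Metrics at or above a scrubbing threshold (any single one triggers scrubbing)."""
    return [k for k, limit in SCRUB_THRESHOLDS.items() if getattr(s, k) >= limit]

def classify(samples, warn_ratio=0.8):
    """Replay samples in time order; return (timestamp, state) per sample. 'warning'
    is an assumed early-alert heuristic (warn_ratio of a threshold), not an RDS
    state; the 'scrubbing insufficient' black hole trigger is not modelled."""
    events, blackhole_until = [], None
    for s in samples:
        if blackhole_until is not None and s.ts < blackhole_until:
            state = "blackhole"  # still inside the 2.5-hour window
        elif s.bps >= BLACKHOLE_BPS:
            blackhole_until = s.ts + BLACKHOLE_DURATION
            state = "blackhole"
        elif scrub_triggers(s):
            state = "scrubbing"
        elif any(getattr(s, k) >= lim * warn_ratio for k, lim in SCRUB_THRESHOLDS.items()):
            state = "warning"
        else:
            state = "normal"
        events.append((s.ts, state))
    return events

# Constructed sample metrics (not real telemetry): ramp-up, attack, recovery.
t0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLES = [
    Sample(t0, 5_000, 50_000_000, 800, 1_200, 3_000),
    Sample(t0 + timedelta(minutes=1), 26_000, 90_000_000, 900, 1_300, 3_100),
    Sample(t0 + timedelta(minutes=2), 45_000, 400_000_000, 12_000, 1_400, 3_200),
    Sample(t0 + timedelta(minutes=3), 60_000, 2_500_000_000, 15_000, 1_500, 3_300),
    Sample(t0 + timedelta(minutes=10), 1_000, 10_000_000, 100, 500, 1_000),
    Sample(t0 + timedelta(hours=3), 1_000, 10_000_000, 100, 500, 1_000),
]
```

Note that the sample ten minutes after the 2 Gbit/s spike is still reported as "blackhole" even though its traffic is normal, which is the period during which connected applications remain unreachable from the Internet.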