Anti-DDoS Origin can mitigate DDoS attacks for Elastic Compute Service (ECS), Classic Load Balancer (CLB), Web Application Firewall (WAF), and Elastic IP Address (EIP). Anti-DDoS Origin is integrated with the preceding services. You can use Anti-DDoS Origin without the need to change IP addresses. In addition, no limits of Layer 4 ports or Layer 7 domain names are imposed on Anti-DDoS Origin.

Overview

By default, Anti-DDoS Origin Basic is enabled for CLB free of charge. Anti-DDoS Origin Basic provides a maximum bandwidth capacity of 5 Gbit/s. All traffic from the Internet must pass through Alibaba Cloud Security before the traffic reaches a CLB instance. Alibaba Cloud Security scrubs the traffic to mitigate common attacks, such as SYN flood attacks, UDP flood attacks, ACK flood attacks, ICMP flood attacks, DNS flood attacks, and DDoS attacks.

Anti-DDoS Origin adopts passive scrubbing as a major protection policy and active blocking as an auxiliary policy to mitigate DDoS attacks. Anti-DDoS Origin uses conventional technologies such as reverse detection, blacklists, whitelists, and packet compliance. These technologies allow protected resources to work as expected under attack. The following figure shows the network topology of Anti-DDoS Origin.

Anti-DDoS Origin Basic sets thresholds for scrubbing and blackholing based on the bandwidth of Internet-facing CLB instances. When the inbound traffic reaches the threshold, scrubbing or blackholing is triggered:

  • Scrubbing: When the system detects attacks that match specific models or a large number of attacks from the Internet, Alibaba Cloud Security automatically scrubs the attack traffic through packet filtering, traffic throttling, and packet throttling.
  • Blackholing: When the system receives a large number of attacks that exceed the threshold, all requests are dropped to ensure security.
The thresholds are calculated based on the following principles:
  • The outbound bandwidth of a CLB instance determines the threshold. A greater outbound bandwidth value specifies a higher threshold.
  • The blackholing threshold is determined by your security credit score.
    Note However, your security credit score does not affect the scrubbing threshold.

Calculate the thresholds

You can perform the following steps to calculate the thresholds.

  1. CLB provides a recommended threshold based on the bandwidth resources that you purchase for your CLB instances.
    Note If you purchase a pay-by-data-transfer CLB instance, the outbound bandwidth equals the maximum bandwidth supported by the region where the CLB instance is deployed. All regions in the Chinese mainland support a maximum bandwidth capacity of 5 Gbit/s. For more information, see Maximum bandwidth.
    • The correlation between the CLB bandwidth and scrubbing threshold (bit/s)
      • When the CLB bandwidth value is less than 100 Mbit/s: Default scrubbing threshold (Mbit/s) = 120
      • When the CLB bandwidth value is greater than 100 Mbit/s: Default scrubbing threshold (Mbit/s) = CLB bandwidth value × 1.2
    • Correlation between the CLB bandwidth and scrubbing threshold (packet/s)

      Scrubbing threshold (packet/s) = CLB bandwidth value/500 × 150,000

      Bandwidth values are measured in Mbit/s.

    • Correlation between the CLB bandwidth and blackholing threshold (bit/s)
      • When the CLB bandwidth value is less than 1 Gbit/s: Default blackholing threshold (Gbit/s) = 2
      • When the CLB bandwidth value is greater than 1 Gbit/s: Default blackholing threshold (Gbit/s) = Max {CLB bandwidth value × 1.5, 2}
  2. Alibaba Cloud Security calculates the final thresholds based on the recommended thresholds, security credit score, and resources in each region.
    • Alibaba Cloud Security uses the following rules to evaluate thresholds (bit/s and packet/s).
      The minimum value of the threshold is 1000 in Mbit/s and 300000 in packet/s.
      • If the threshold calculated by CLB is less than the preceding minimum value, the minimum value prevails.
      • If the threshold calculated by CLB is greater than the preceding minimum value, the threshold calculated by CLB prevails.
    • Alibaba Cloud Security determines the blackholing threshold based on your security credit score.

Grant read-only permissions to a RAM user

Perform the following steps to grant a RAM user the read-only permissions on Anti-DDoS Origin Basic.

Note You must use your Alibaba Cloud account to grant the read-only permissions to a RAM user.
  1. Log on to the RAM console with your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM role.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The permissions take effect on resources in a specified resource group.
    2. Specify the principal.
    3. Select a policy.

      On the System Policy tab, select AliyunYundunDDosFullAccess in the Authorization Policy Name column to add it to the Selected list. Then, click OK.

View thresholds

  1. Log on to the CLB console.
  2. In the top navigation bar, select the region where the CLB instance is deployed.
  3. On the Instances page, find the CLB instance, and move the pointer over the Alibaba Cloud Security icon of the CLB instance to view the scrubbing threshold (bit/s and packet/s) and blackholing threshold. For more information, visit the Anti-DDoS console.
    • Scrubbing threshold (bit/s): When the inbound data per second exceeds this value, scrubbing is triggered.
    • Scrubbing threshold (packet/s): When the inbound packets per second exceed this value, scrubbing is triggered.
    • Blackholing threshold: When the inbound data per second exceeds this value, all requests are dropped.