Anti-DDoS Origin can mitigate DDoS attacks for Elastic Compute Service (ECS), Classic Load Balancer (CLB), Web Application Firewall (WAF), and Elastic IP Address (EIP). Anti-DDoS Origin is integrated with the preceding services. You can use Anti-DDoS Origin without the need to change IP addresses. In addition, no limits of Layer 4 ports or Layer 7 domain names are imposed on Anti-DDoS Origin.

Overview

By default, Anti-DDoS Origin (Basic Edition) is enabled for CLB free of charge. Anti-DDoS Origin (Basic Edition) provides a maximum bandwidth capacity of 5 Gbit/s. All data from the Internet is filtered by Alibaba Cloud Security before the data is transferred to CLB. Alibaba Cloud Security filters out and mitigates DDoS attacks such as SYN flood, UDP flood, ACK flood, ICMP flood, and DNS flood attacks.

Anti-DDoS Origin adopts passive scrubbing as a major protection policy and active blocking as an auxiliary policy to mitigate DDoS attacks. Anti-DDoS Origin uses conventional technologies such as reverse detection, blacklists, whitelists, and packet compliance. These technologies allow protected resources to work as expected under attack. The following figure shows the network topology of Anti-DDoS Origin.

Anti-DDoS Origin (Basic Edition) sets thresholds for scrubbing and blackholing based on the bandwidth of Internet-facing CLB instances. When the inbound traffic reaches the threshold, scrubbing or blackholing is triggered:

  • Scrubbing: When the system detects attacks that match specific models or a large number of attacks from the Internet, Alibaba Cloud Security automatically scrubs the attacks through packet filtering, traffic throttling, and packet throttling.
  • Blackholing: When the system receives a large number of attacks that exceed the threshold, all requests are dropped to ensure security.
Thresholds are calculated based on the following rules:
  • The outbound bandwidth of a CLB instance determines the threshold. A greater outbound bandwidth value specifies a higher threshold.
  • The blackholing threshold is determined by your security credit score.
    Note However, your security credit score does not affect the scrubbing threshold.

Calculate the thresholds

You can perform the following steps to calculate the thresholds.

  1. CLB provides a recommended threshold based on the bandwidth resources that you purchase for your CLB instances.
    Note If you purchase a pay-by-data-transfer CLB instance, the outbound bandwidth equals the maximum bandwidth supported by the region where the CLB instance is deployed. All regions in mainland China support a maximum bandwidth capacity of 5 Gbit/s. For more information, see Bandwidth limits.
    • The correlation between the CLB bandwidth and scrubbing threshold (bit/s)
      • When the CLB bandwidth value is less than 100 Mbit/s: Default scrubbing threshold (Mbit/s) = 120
      • When the CLB bandwidth value is greater than 100 Mbit/s: Default scrubbing threshold (Mbit/s) = CLB bandwidth value × 1.2
    • Correlation between the CLB bandwidth and scrubbing threshold (packet/s)

      Scrubbing threshold (packet/s) = CLB bandwidth value / 500 × 150000

      Bandwidth values are measured in Mbit/s.

    • Correlation between the CLB bandwidth and blackholing threshold (bit/s)
      • When the CLB bandwidth value is less than 1 Gbit/s: Default blackholing threshold (Gbit/s) = 2
      • When the CLB bandwidth value is greater than 1 Gbit/s: Default blackholing threshold (Gbit/s) = Max {CLB bandwidth value × 1.5, 2}
  2. Alibaba Cloud Security calculates the final thresholds based on the recommended thresholds, security credit score, and resources in each region.
    • Alibaba Cloud Security evaluates the rules of thresholds (bit/s and packet/s).
      The minimum threshold is 1000 Mbit/s for the bit/s threshold and 300000 packet/s for the packet/s threshold.
      • If the threshold calculated by CLB is less than the preceding minimum value, the minimum value prevails.
      • If the threshold calculated by CLB is greater than the preceding minimum value, the threshold calculated by CLB prevails.
    • Alibaba Cloud Security determines the blackholing threshold based on your security credit score.
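The following Python script is an added worked example of the two-step calculation above; it is not Alibaba Cloud code. It takes the purchased CLB bandwidth in Mbit/s, applies the step 1 formulas for the recommended scrubbing thresholds (bit/s and packet/s) and the blackholing threshold, then applies the step 2 minimum values. The page does not state how the security credit score changes the blackholing threshold, so that adjustment is not modelled: the recommended blackholing value is returned unchanged, which is an assumption of this example. The function and class names are the example's own.

```python
"""Worked threshold calculation for Anti-DDoS Origin (Basic Edition) on CLB.

Added illustration, not Alibaba Cloud code. Implements the two steps from the
text: CLB's recommended thresholds (step 1) and the floor that Alibaba Cloud
Security applies to the scrubbing thresholds (step 2). The effect of the
security credit score on the blackholing threshold is not specified on the
page, so it is not modelled (assumption).
"""
from dataclasses import dataclass

# Minimum scrubbing thresholds applied in step 2 (values from the text).
MIN_SCRUB_MBPS = 1000
MIN_SCRUB_PPS = 300_000


@dataclass(frozen=True)
class Thresholds:
    scrub_mbps: float      # scrubbing threshold, Mbit/s
    scrub_pps: float       # scrubbing threshold, packet/s
    blackhole_gbps: float  # blackholing threshold, Gbit/s


def clb_recommended(bandwidth_mbps: float) -> Thresholds:
    """Step 1: thresholds recommended by CLB from the purchased bandwidth (Mbit/s)."""
    if bandwidth_mbps <= 0:
        raise ValueError("bandwidth must be positive")
    # bit/s scrubbing threshold: flat 120 Mbit/s below 100 Mbit/s, else 1.2x bandwidth.
    # Both branches give 120 at exactly 100 Mbit/s, so the boundary is unambiguous.
    scrub_mbps = 120.0 if bandwidth_mbps < 100 else bandwidth_mbps * 1.2
    # packet/s scrubbing threshold: bandwidth / 500 x 150000
    scrub_pps = bandwidth_mbps / 500 * 150_000
    # blackholing threshold (Gbit/s): 2 below 1 Gbit/s, else max(1.5x bandwidth, 2).
    # Both branches give 2 at exactly 1 Gbit/s.
    bandwidth_gbps = bandwidth_mbps / 1000
    blackhole_gbps = 2.0 if bandwidth_gbps < 1 else max(bandwidth_gbps * 1.5, 2.0)
    return Thresholds(scrub_mbps, scrub_pps, blackhole_gbps)


def final_thresholds(bandwidth_mbps: float) -> Thresholds:
    """Step 2: the minimum value prevails when CLB's value is below it."""
    rec = clb_recommended(bandwidth_mbps)
    return Thresholds(
        scrub_mbps=max(rec.scrub_mbps, MIN_SCRUB_MBPS),
        scrub_pps=max(rec.scrub_pps, MIN_SCRUB_PPS),
        blackhole_gbps=rec.blackhole_gbps,  # assumption: credit score not modelled
    )


if __name__ == "__main__":
    # Constructed sample bandwidths, in Mbit/s.
    for bw in (50, 500, 1000, 5000):
        t = final_thresholds(bw)
        print(f"{bw:>5} Mbit/s -> scrub {t.scrub_mbps:.0f} Mbit/s / "
              f"{t.scrub_pps:.0f} packet/s, blackhole {t.blackhole_gbps:.1f} Gbit/s")
```

Running it shows the practical consequence of step 2: for any CLB bandwidth below roughly 833 Mbit/s, both scrubbing thresholds are pinned at the minimum (1000 Mbit/s and 300000 packet/s), so purchasing slightly more bandwidth does not raise the scrubbing threshold until the recommended value exceeds those floors.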

Grant read-only permissions to a RAM user

Perform the following steps to grant a RAM user the read-only permissions on Anti-DDoS Origin (Basic Edition).

Note You must use your Alibaba Cloud account to grant the read-only permissions to a RAM user.
  1. Log on to the RAM console with your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user in the User Logon Name/Display Name column and click Add Permissions.
  4. On the System Policy tab, select AliyunYundunDDosFullAccess in the Authorization Policy Name column to add it to the Selected list. Then, click OK.

View thresholds

Perform the following steps to view thresholds:

  1. Log on to the CLB console.
  2. In the left-side navigation pane, choose Instances > Instances.
  3. Select the region where the CLB instance is deployed and move the pointer over the Alibaba Cloud Security icon to view the scrubbing threshold (bit/s and packet/s) and the blackholing threshold. For more information, go to the Anti-DDoS console.
    • Scrubbing threshold (bit/s): When the inbound data per second exceeds this value, scrubbing is triggered.
    • Scrubbing threshold (packet/s): When the inbound packets per second exceed this value, scrubbing is triggered.
    • Blackholing threshold: When the inbound data per second exceeds this value, all requests are dropped.