All Products
Search
Document Center

NAT Gateway:Anti-DDoS Origin Basic

Last Updated:Aug 17, 2023

Distributed Denial of Service (DDoS) attacks are cyber attacks against targeted systems that make services unavailable to users. Alibaba Cloud provides Anti-DDoS Origin Basic for NAT gateways free of charge. Anti-DDoS Origin Basic can mitigate DDoS attacks at up to 5 Gbit/s.

How Anti-DDoS Origin Basic works

By default, Anti-DDoS Origin Basic is enabled for NAT gateways and can mitigate DDoS attacks at up to 5 Gbit/s. All traffic from the Internet must pass through Alibaba Cloud Security before the traffic reaches a NAT gateway. Alibaba Cloud Security scrubs the traffic to mitigate attacks. For more information, see What is Anti-DDoS Origin?.
Note If the amount of Internet traffic to a cluster exceeds the capacity of Anti-DDoS, the traffic is routed to a blackhole to protect the cluster. In this case, all traffic is blocked. For more information about the default thresholds at which Anti-DDoS Origin Basic automatically triggers blackhole filtering in each region, see View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic. The thresholds to trigger blackhole filtering for NAT gateways are determined by the region and bandwidth. For more information, see Assets.
Whether traffic scrubbing is triggered is determined by the following factors:
  • Traffic patterns. If traffic patterns match the patterns of attack traffic, traffic scrubbing is triggered.
  • Traffic amounts. Anti-DDoS Origin Basic automatically sets scrubbing thresholds based on the bandwidth of NAT gateways. When traffic reaches a specified threshold, Alibaba Cloud Security scrubs the traffic regardless of whether the traffic is service traffic or attack traffic.
The methods of traffic scrubbing include attack packet filtering, bandwidth throttling, and packet throttling. The following scrubbing thresholds are provided by Anti-DDoS Origin Basic:
  • Scrubbing threshold based on bits per second (BPS): When the amount of inbound traffic per second exceeds this value, scrubbing is triggered.
  • Scrubbing threshold based on packets per second (PPS): When the number of inbound packets per second exceeds this value, scrubbing is triggered.

Scrubbing threshold

The following table describes how to calculate the scrubbing thresholds of a NAT gateway:
EIP bandwidth (Unit: Mbit/s)Maximum BPS-based scrubbing threshold (Unit: Mbit/s)Maximum PPS-based scrubbing threshold (Unit: pps)
≤ 300450 100,000
> 300EIP bandwidth × 1.5EIP bandwidth × 1,000

For example, if the bandwidth of an EIP is 1,000 Mbit/s, the maximum BPS-based scrubbing threshold is 1,500 Mbit/s and the maximum PPS-based scrubbing threshold is one million packets per second.

After the EIP is associated with a cloud resource, the scrubbing thresholds are changed. For more information, see the Assets page in the Anti-DDoS console. For more information, see View the Assets page.