This topic describes how to configure the Diversion from Origin Server policy to block network traffic transmitted from regions outside mainland China through China Telecom or China Unicom lines. Each Alibaba Cloud account can enable this policy up to 10 times and disable it at any time.

Prerequisites

An Anti-DDoS Pro instance is available.
Note The Diversion from Origin Server policy is available only for Anti-DDoS Pro.

Background information

Notice In the top navigation bar of the Anti-DDoS Pro or Anti-DDoS Premium console, you can switch the region (Mainland China and Outside Mainland China), and the system switches between Anti-DDoS Pro and Anti-DDoS Premium accordingly for you to manage and configure Anti-DDoS Pro or Premium instances. Ensure that you switch to the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.

We recommend that you enable this policy if your Anti-DDoS Pro instance is under volumetric attacks that are about to exceed the protection capability. For example, if 30% of the attacks are launched from regions outside mainland China, you can use this policy to block these attacks in order to reduce the stress on your Anti-DDoS Pro instance.

After the Diversion from Origin Server policy is enabled, the specified network traffic is dropped at the data center. This minimizes the possibility of triggering a black hole. This way, you can protect your China Telecom or China Unicom lines. A black hole is triggered based on the same rules as Diversion from Origin Server, such as the volume of attack traffic and attack source. Therefore, the Diversion from Origin Server policy can minimize the possibility of triggering a black hole.

Procedure

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select Mainland China.
  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.
  4. On the Protection for Infrastructure tab, select the target instance from the list on the left side.
    Note You can also search for instances by instance ID or description.
  5. In the Diversion from Origin Server section, perform the following operations as required.Diversion from Origin Server
    • Block network traffic transmitted from regions outside mainland China through China Telecom lines: Click Blocked next to Blocked Regions:China Telecom (International). In the Block Flow dialog box, set Blocking Period and click Confirm.
      Note The minimum blocking period is 15 minutes, and the maximum is 23 hours and 59 minutes.
      Block Flow
    • Block network traffic transmitted from regions outside mainland China through China Unicom lines: Click Blocked next to Blocked Regions:China Unicom (International). In the Block Flow dialog box, set Blocking Period and click Confirm.
      Note The minimum blocking period is 15 minutes, and the maximum is 23 hours and 59 minutes.
      Block Flow
    Note
    • We recommend that you block network traffic transmitted from regions outside mainland China through China Telecom lines. You also need to monitor the changes in the volume of attack traffic. If the volume of attack traffic is about to exceed the protection capability of your instance, block the network traffic transmitted from regions outside mainland China through China Unicom lines.
    • Each Alibaba Cloud account can enable this policy up to 10 times. Each time you enable this policy, the remaining quota is reduced by one.
    If you fail to enable this policy, an error message appears. Follow the instructions to troubleshoot the error and try again. If no message appears, this policy is enabled.
  6. Optional:In the Diversion from Origin Server section, click View Blocked Region. In the Flow Blocking for Source pane, you can view the blocked regions and the blocking periods.Flow Blocking for Source
  7. Optional:Unblock network traffic.
    To unblock the network traffic that you have blocked before the blocking period expires, click Deactivate Blackhole.