Object Storage Service: OSS sandbox

Last Updated: Feb 01, 2024

When your Object Storage Service (OSS) bucket is under attack or is used to distribute illegal content, OSS automatically moves the bucket to the sandbox. A bucket that is in the sandbox can still respond to requests, but service degradation may occur: network availability may be affected, and requests may return a timeout error. After OSS moves the bucket to the sandbox, your application may notice the change.

Usage notes

  • If your bucket is under attack, OSS automatically moves the bucket to the sandbox. In this case, you must bear the costs that result from the attack.

  • If a user uses your bucket to distribute illegal content, such as pornography or content that involves terrorism, OSS also moves the bucket to the sandbox. Users are held liable for violations of the law.

Preventive measures against attacks

To prevent your bucket from being moved to the sandbox because of attacks such as DDoS attacks and Challenge Collapsar (CC) attacks, you can configure OSS DDoS protection for the bucket. Alternatively, you can use an Elastic Compute Service (ECS) instance as a reverse proxy to access the bucket and configure an Anti-DDoS Pro instance for the ECS instance. The following table describes the advantages and disadvantages of the two solutions.

Solution 1: Configure OSS DDoS protection

Description: OSS DDoS protection is a proxy-based attack mitigation service that integrates OSS with Anti-DDoS. When a bucket for which OSS DDoS protection is enabled suffers a DDoS attack, OSS DDoS protection diverts incoming traffic to an Anti-DDoS instance for scrubbing and then forwards the normal traffic to the bucket. This ensures the continuity of your business in the event of DDoS attacks.

Advantages:

  • Diversified scenarios: You can use this solution to protect bucket domain names and the custom domain name that is mapped to the bucket.

  • Low costs: You are charged for OSS DDoS protection based on the number of Anti-DDoS instances that you configure for your bucket, the traffic that is protected by these instances, and the number of API requests sent to your bucket. For more information, see OSS DDoS protection fees.

  • Simple configurations: You can configure OSS DDoS protection in the OSS console.

Disadvantage:

  • Limited number of protected buckets: You can create only one OSS DDoS protection instance within a region. You can attach each instance to up to 10 buckets that are located in the same region.

Solution 2: Configure a reverse proxy by using an ECS instance to access the bucket and configure an Anti-DDoS Pro instance for the ECS instance

Description: To ensure data security, the default domain name of a bucket is resolved to a random IP address each time the bucket is accessed. If you want to use a static IP address to access the bucket, you can configure a reverse proxy by using an ECS instance to access the bucket. You can associate the elastic IP address (EIP) of the ECS instance with an Anti-DDoS Pro instance to protect the bucket against DDoS attacks and CC attacks.

Advantage:

  • You can use this solution to protect your bucket when you use a static IP address to access OSS.

Disadvantages:

  • Complex configurations: You must manually configure an NGINX reverse proxy.

  • High costs: You must purchase an ECS instance to run the NGINX reverse proxy.

Procedure

  • Solution 1: Configure OSS DDoS protection

    Perform the following steps:

    1. Create an Anti-DDoS instance.

    2. Attach the bucket that you want to protect to the Anti-DDoS instance.

      After that, the Anti-DDoS instance starts to protect access to the bucket by using the public endpoint of the bucket.

      OSS DDoS protection protects only access over the public endpoints of buckets, such as oss-cn-hangzhou.aliyuncs.com. It cannot protect access over the following endpoints:

      • Acceleration endpoints, including the global acceleration endpoint (oss-accelerate.aliyuncs.com) and the acceleration endpoint for regions outside the Chinese mainland (oss-accelerate-overseas.aliyuncs.com).

      • Access point endpoints, such as ap-01-3b00521f653d2b3223680ec39dbbe2****-ossalias.oss-cn-hangzhou.aliyuncs.com.

      • Object FC Access Point endpoints, such as fc-ap-01-3b00521f653d2b3223680ec39dbbe2****-opapalias.oss-cn-hangzhou.aliyuncs.com.

      • Endpoints accessed over IPv6, such as cn-hangzhou.oss.aliyuncs.com.

      • Amazon Simple Storage Service (S3) endpoints, such as s3.oss-cn-hongkong.aliyuncs.com.

      For more information, see OSS DDoS protection.

  • Solution 2: Configure a reverse proxy by using an ECS instance to access the bucket and configure an Anti-DDoS Pro instance for the ECS instance

    Perform the following steps:

    1. Configure a reverse proxy by using an ECS instance to access your bucket.

      1. Create an ECS instance that runs CentOS or Ubuntu. For more information, see Create an instance on the Custom Launch tab.

        Important

        If the bucket encounters bursts of network traffic or spikes in access requests, you need to upgrade the configuration of the ECS instance or create an ECS cluster.

      2. Configure a reverse proxy by using an ECS instance to access the bucket. For more information, see Use an ECS instance that runs CentOS to configure a reverse proxy for access to OSS.

    2. Configure an Anti-DDoS Pro instance.

      1. Purchase an Anti-DDoS Pro instance based on your business requirements. For more information, visit the buy page of Anti-DDoS Pro.

      2. Configure the Anti-DDoS Pro instance. In the Domain field, enter the endpoint of the bucket that you want to protect by using the ECS reverse proxy. Set Server IP to Origin Server IP and enter the public IP address of the ECS instance in the field. For more information about how to configure the other parameters, see Add one or more websites.
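Before choosing Solution 1, it helps to know which of the endpoints your clients actually use fall into the unprotected categories listed under that solution. The following script is an added example, not part of the original page or of any Alibaba Cloud tool: it classifies hostnames or URLs against those endpoint patterns. The endpoint inventory is constructed, and treating "-internal" endpoints as non-public (and therefore not covered) is this example's assumption.

```python
import re
from urllib.parse import urlsplit

# Endpoint types the page lists as NOT covered by OSS DDoS protection.
# Checked before the generic public-endpoint pattern, because several of
# them (access points, S3 endpoints) also look like "<label>.oss-<region>...".
_UNPROTECTED = [
    ("acceleration endpoint",
     re.compile(r"^(?:[\w-]+\.)?oss-accelerate(?:-overseas)?\.aliyuncs\.com$")),
    ("access point endpoint",
     re.compile(r"^[\w-]+-ossalias\.oss-[\w-]+\.aliyuncs\.com$")),
    ("Object FC Access Point endpoint",
     re.compile(r"^[\w-]+-opapalias\.oss-[\w-]+\.aliyuncs\.com$")),
    ("IPv6 endpoint",
     re.compile(r"^(?:[\w-]+\.)?[\w-]+\.oss\.aliyuncs\.com$")),
    ("S3-compatible endpoint",
     re.compile(r"^(?:[\w-]+\.)?s3\.oss-[\w-]+\.aliyuncs\.com$")),
]
# Public endpoint, optionally prefixed with the bucket name.
_PUBLIC = re.compile(r"^(?:(?P<bucket>[\w-]+)\.)?oss-(?P<region>[a-z0-9-]+)\.aliyuncs\.com$")


def classify_endpoint(target: str) -> tuple:
    """Return (status, reason) for a hostname or URL used to reach a bucket.

    status is "protected", "unprotected" or "custom-domain" (a CNAME to the
    bucket is covered per the page, but cannot be verified from the name).
    """
    if "://" not in target:
        target = "//" + target            # let urlsplit parse a bare host
    host = (urlsplit(target).hostname or "").rstrip(".")
    for reason, pattern in _UNPROTECTED:
        if pattern.match(host):
            return "unprotected", reason
    match = _PUBLIC.match(host)
    if not match:
        return "custom-domain", "not an OSS endpoint; covered only if mapped to the bucket"
    # Assumption of this example: "-internal" endpoints are VPC-only, not public.
    if match.group("region").endswith("-internal"):
        return "unprotected", "internal endpoint (not a public endpoint)"
    return "protected", "public endpoint for region " + match.group("region")


def audit(targets) -> list:
    """Classify every target and return rows of (host/URL, status, reason)."""
    return [(t,) + classify_endpoint(t) for t in targets]


SAMPLE_ENDPOINTS = [  # constructed inventory; no real buckets or access points
    "https://example-bucket.oss-cn-hangzhou.aliyuncs.com/photos/1.jpg",
    "example-bucket.oss-accelerate.aliyuncs.com",
    "ap-01-0123456789abcdef0123456789abcdef-ossalias.oss-cn-hangzhou.aliyuncs.com",
    "fc-ap-01-0123456789abcdef0123456789abcdef-opapalias.oss-cn-hangzhou.aliyuncs.com",
    "cn-hangzhou.oss.aliyuncs.com",
    "s3.oss-cn-hongkong.aliyuncs.com",
    "example-bucket.oss-cn-hangzhou-internal.aliyuncs.com",
    "static.example.com",
]

if __name__ == "__main__":
    for row in audit(SAMPLE_ENDPOINTS):
        print("%-14s %-40s %s" % (row[1], row[2], row[0]))
```

Run it against the endpoints found in your client configurations and CDN origins; every "unprotected" row still needs Solution 2 or a switch to the public endpoint.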