
Anti-DDoS:FAQ about Anti-DDoS Origin

Last Updated:Nov 15, 2023

This topic provides answers to some commonly asked questions about Anti-DDoS Origin Basic and Enterprise.

Anti-DDoS Origin Basic

Why does Anti-DDoS Origin Basic not protect my Elastic Compute Service (ECS) instance against an attack of 20 Mbit/s?

Anti-DDoS Origin Basic is provided free of charge. Anti-DDoS Origin Basic does not provide protection against attacks whose bandwidth is lower than 100 Mbit/s. We recommend that you optimize your server, install a host-based firewall, such as Yunsuo, or purchase an Anti-DDoS Pro or Anti-DDoS Premium instance to protect against attacks whose bandwidth is lower than 100 Mbit/s. For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.

Why can't I manually deactivate blackhole filtering for an Anti-DDoS Origin Basic instance?

In most cases, DDoS attacks last for a period of time and do not stop immediately after blackhole filtering is deactivated. The duration varies from attack to attack. The Alibaba Cloud security team automatically determines the blackhole filtering duration based on the results of intelligent algorithms. In most cases, blackhole filtering lasts for 30 minutes to 24 hours. In rare cases, if DDoS attacks occur frequently, the duration of blackhole filtering is extended.

Blackhole filtering is performed on Internet Service Provider (ISP) networks and discards the attack traffic close to its source. This prevents the overall network and your services from becoming unavailable due to DDoS attacks. If you deactivate blackhole filtering before the attacks stop, blackhole filtering is triggered again. Between the time when blackhole filtering is deactivated and the time when it is triggered again, the attacks affect the services of other tenants in the cloud. ISPs limit how often and how frequently blackhole filtering can be deactivated, so Alibaba Cloud cannot immediately deactivate blackhole filtering that is triggered on your service.

Deactivating blackhole filtering does not mitigate the DDoS attacks, and frequent flapping between the blackholed and normal states affects network stability. You can purchase a service that increases your mitigation capability to avoid the negative effects of blackhole filtering and service unavailability. For example, you can purchase Anti-DDoS Origin Enterprise, Anti-DDoS Pro, or Anti-DDoS Premium instances that are provided by Alibaba Cloud, or a DDoS mitigation service that is provided by a third-party provider. For more information, see What is Anti-DDoS Origin? and What are Anti-DDoS Pro and Anti-DDoS Premium?.

Can I use ACLs to mitigate DDoS attacks and prevent blackhole filtering from being triggered?

No, you cannot use access control lists (ACLs) to mitigate DDoS attacks and prevent blackhole filtering from being triggered. ACLs take effect only when attacks reach the edge of the Alibaba Cloud network in which your server resides. ACLs cannot mitigate DDoS attacks that are initiated from multiple botnets and destined for your server. When the DDoS attacks reach the edge of the Alibaba Cloud network in which your server resides, the volume of attacks far exceeds the mitigation capability of the ACLs. To mitigate the DDoS attacks, you must deploy mitigation policies at the edge of an Internet service provider (ISP) backbone network.

Attack traffic can be scrubbed by combining traffic analysis and filtering with sufficient network bandwidth. However, if you expand the network bandwidth of your server to match the bandwidth of the attack traffic and deploy your own scrubbing center, the costs of the bandwidth expansion and of the servers used for traffic scrubbing can be excessively high. If each user deploys a scrubbing center, the overall mitigation costs increase significantly.

This is why cloud service providers offer a more cost-effective DDoS mitigation plan. They have large network bandwidths and deploy scrubbing centers at their ISP networks. DDoS attacks are scrubbed in the scrubbing center closest to the location where the attacks are initiated. The cloud service providers sell Software-as-a-Service (SaaS)-based anti-DDoS services, so the scrubbing centers are shared across users and the cost for each user is reduced.

Why does the traffic data in the Anti-DDoS Origin console differ from that in Cloud Monitor and other cloud services?

In most cases, the traffic in the Anti-DDoS Origin console is higher than that in Cloud Monitor and other cloud services.

Assume that your ECS instance is under DDoS attack and that traffic scrubbing is triggered when the traffic reaches 2.5 Gbit/s. Alibaba Cloud notifies you that the traffic scrubbing provided by the Anti-DDoS Origin Basic instance is triggered. However, the Cloud Monitor console shows that the inbound bandwidth of the elastic IP address (EIP) associated with your ECS instance is 1.2 Gbit/s during traffic scrubbing.

The reasons for this difference include:

  • Anti-DDoS Origin collects traffic data before traffic scrubbing is triggered, whereas Cloud Monitor collects traffic data after traffic scrubbing is triggered.

  • Anti-DDoS Origin monitors all network traffic destined for your ECS instance, including malicious traffic, whereas Cloud Monitor monitors only normal traffic.

  • Anti-DDoS Origin and Cloud Monitor collect traffic data at different intervals. Anti-DDoS Origin collects traffic data at intervals of seconds so that DDoS attacks can be detected at the earliest opportunity. Cloud Monitor collects the traffic data of EIPs at intervals of minutes and displays the data in charts in the Cloud Monitor console.

  • Anti-DDoS Origin and Cloud Monitor collect traffic data from different sources. Anti-DDoS Origin collects the traffic data of EIPs from the border gateway devices between Alibaba Cloud and the Internet, whereas Cloud Monitor collects the traffic data of EIPs from the devices that forward traffic.

Note

The difference in traffic data can occur for Alibaba Cloud services that are Infrastructure as a Service (IaaS) and support Internet access, such as ECS, Server Load Balancer (SLB), EIP, and NAT Gateway.
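The following model, added here as an illustration rather than Alibaba Cloud code, reproduces the measurement gap described above: Anti-DDoS Origin reads per-second totals at the border gateway before scrubbing, while Cloud Monitor averages per-minute values of the traffic that the forwarding devices actually carry after scrubbing. The traffic series, the 2.5 Gbit/s trigger and the 5-second detection lag are constructed assumptions.

```python
# Constructed model of why Anti-DDoS Origin and Cloud Monitor report different
# figures for the same EIP. Nothing here queries a real cloud API.
from dataclasses import dataclass

SCRUB_THRESHOLD_MBPS = 2500   # assumed trigger, matching the FAQ's 2.5 Gbit/s example
SCRUB_LAG_S = 5               # assumed seconds between detection and scrubbing taking effect


@dataclass(frozen=True)
class Sample:
    legit_mbps: int   # traffic the server should receive
    attack_mbps: int  # flood traffic aimed at the same EIP


def border_samples(duration_s=120, legit=1000, attack=1800, start=30, end=90):
    """Constructed per-second traffic at the border gateway, before any scrubbing."""
    return [Sample(legit, attack if start <= t < end else 0) for t in range(duration_s)]


def origin_view(samples):
    """Anti-DDoS Origin view: per-second peak of all inbound traffic, malicious included."""
    return max(s.legit_mbps + s.attack_mbps for s in samples)


def forwarded_after_scrubbing(samples, threshold=SCRUB_THRESHOLD_MBPS, lag=SCRUB_LAG_S):
    """Traffic that reaches the forwarding devices. Scrubbing starts `lag` seconds after
    the first sample at or above `threshold` and then removes the attack share for the
    rest of the window (scrubbing is not stopped early once triggered)."""
    scrub_from = None
    for t, s in enumerate(samples):
        if scrub_from is None and s.legit_mbps + s.attack_mbps >= threshold:
            scrub_from = t + lag
    forwarded = []
    for t, s in enumerate(samples):
        scrubbing = scrub_from is not None and t >= scrub_from
        forwarded.append(s.legit_mbps if scrubbing else s.legit_mbps + s.attack_mbps)
    return forwarded


def cloudmonitor_view(forwarded, interval_s=60):
    """Cloud Monitor view: per-minute averages of the forwarded (post-scrub) traffic."""
    windows = [forwarded[i:i + interval_s] for i in range(0, len(forwarded), interval_s)]
    return [sum(w) / len(w) for w in windows]


if __name__ == "__main__":
    samples = border_samples()
    print("Anti-DDoS Origin peak (Mbit/s):", origin_view(samples))
    print("Cloud Monitor per-minute (Mbit/s):",
          cloudmonitor_view(forwarded_after_scrubbing(samples)))
```

The per-second peak of 2800 Mbit/s that triggers scrubbing never appears in the minute averages, which only show the short pre-scrub burst smeared across the first minute.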

What is the billing difference between best-effort protection of Anti-DDoS Origin Enterprise and burstable protection of Anti-DDoS Pro?

  • Anti-DDoS Origin Enterprise provides the best-effort protection (Anti-DDoS Origin) capability. If DDoS attacks are detected, the Anti-DDoS Origin Enterprise instance uses all the protection capacity for the region where it resides to defend against the DDoS attacks. Best-effort protection is included in the Anti-DDoS Origin Enterprise instance that you have purchased. No additional fee is charged for best-effort protection.

  • Burstable protection of Anti-DDoS Pro is charged based on the peak value of the burstable protection bandwidth on the current day. For more information, see Billing of Anti-DDoS Pro.

What do I do if blackhole filtering is activated for an IP address that is protected by Anti-DDoS Origin Enterprise?

You can manually deactivate blackhole filtering.

What do I do if I deployed an Anti-DDoS Origin Enterprise instance in the wrong region?

If the IP address that you want to protect is not in the same region as the purchased Anti-DDoS Origin Enterprise instance, contact technical support by submitting a ticket to apply for a refund. After you receive the refund, you can purchase a new instance in the correct region to protect the IP address.

When I add the IP address of a service, the system prompts that the number of IP addresses reaches the upper limit. What do I do?

If the number of protected IP addresses reaches the value of Protected IP Addresses that you specify on the Anti-DDoS Origin Enterprise buy page, increase the value of Protected IP Addresses or purchase a new Anti-DDoS Origin Enterprise instance. For more information, see Upgrade an Anti-DDoS Origin Enterprise instance and Purchase an Anti-DDoS Origin instance of a paid edition.

What do I do if the error message "The IP address does not belong to your account" is displayed when I add an IP address to Anti-DDoS Origin?

If you receive the error message "The IP address does not belong to your account" when you add an IP address in the Anti-DDoS Origin console, perform the following steps to troubleshoot the error:

  1. Verify that you have entered the correct IP address.

  2. Verify that the IP address is located in the same region as the purchased Anti-DDoS Origin Enterprise instance.

  3. If you want to protect the IP address of a WAF instance, verify that Anti-DDoS Origin Enterprise is available in the region of the WAF instance. For more information about regions that are supported by Anti-DDoS Origin Enterprise, see What is Anti-DDoS Origin?.

How do I add my asset protected by an instance of a member to an instance of the management account after I enable the multi-account management feature?

You can add an asset that is assigned a public IP address to only one instance for protection. If you want to add an asset that is protected by an instance of a member to an instance of the management account, you must first remove the asset from the instance that belongs to the member and then add the asset to the instance that belongs to the management account. For more information about how to remove or add an object for protection, see Add an object for protection.