Configure automatic diversion for DDoS Origin Protection

Updated at:
Copy as MD

Use the on-demand edition of DDoS Origin Protection with API calls to automatically enable diversion mode and mitigate large-scale DDoS attacks on your Alibaba Cloud IP assets.

Prerequisites

Background

The on-demand edition of DDoS Origin Protection provides DDoS mitigation for on-premises IDCs, Alibaba Cloud customers outside the Chinese mainland, small carriers, and customers managing their own BGP networks — without changing existing service IP addresses or network architecture.On-demand diversion architecture

How it works:

  • Normal traffic or low-volume attacks: Traffic flows directly to the local DDoS Origin Protection scrubbing center with no extra latency and mitigates low-volume attacks.

  • During a DDoS attack: The scrubbing center announces routes and diverts traffic to global scrubbing centers. Latency increases slightly, but protection capacity scales to Tbps.

This topic describes how to configure Cloud Monitor alerts for DDoS attacks on your local scrubbing center. When an attack is detected, an API call enables traffic diversion for your on-demand instance. After the attack ends, another API call stops the diversion.

Note

In this topic, API request placeholders are formatted as <placeholder_description>. For example, the parameter for an on-demand edition instance ID appears as InstanceId=<yourOnDemandInstanceId>.

When calling an API, replace the <placeholder_description> with the actual value. For example, get the InstanceId of your on-demand instance from your sales representative and replace <yourOnDemandInstanceId>.

Procedure

  1. Configure a Cloud Monitor alert rule for blackhole and scrubbing events on your local scrubbing center.

    1. Log on to the Cloud Monitor console.

    2. In the left-side navigation pane, choose Event Center > system event.

    3. On the Event Monitoring tab, click Save as Alert Rule. On the Create/Modify Event-triggered Alert Rule page, configure the following parameters.

      Set Product Type to Anti-DDoS Origin, Event Type to DDoS Attack, Event Level to Critical, Event Name to blackhole and scrubbing, and Resource Range to All Resources. Configure remaining parameters based on Create an alert rule for a system event.

    4. Click OK.

    The specified contact group receives notifications when a DDoS attack targets your DDoS Origin Protection instance.

  2. When a DDoS attack occurs (indicated by a blackhole or scrubbing notification), call the Configure BGP Advertised IP Address Segment API to enable traffic diversion for your on-demand instance. Traffic is rerouted to Alibaba Cloud's global Anycast scrubbing centers.

    Specify the following request parameters:

    ?Action=ConfigNetStatus
    &Net=<yourNet>
    &Status=enable
    &SaleId=<yourOnDemandInstanceId>
  3. Optional: Remove the blackhole status from your DDoS Origin Protection Anti-DDoS Native (Enterprise) instance.

    • If your instance is not in a blackhole state, skip this step.

    • If your instance is in a blackhole state, wait about 10 seconds after enabling traffic diversion, then call the Remove blackhole status for a protected IP API to clear the blackhole status.

      Specify the following request parameters:

      ?Action=DeleteBlackhole
      &InstanceId=<yourOnDemandInstanceId>
      &Ip=<yourOnDemandInstanceIp>
  4. Call the Query traffic for a specified protection package API to check if the DDoS attack has ended.

    Specify the following request parameters:

    ?Action=DescribeTraffic
    &Ipnet=<yourOnDemandInstanceIpnet>
    &InstanceId=<yourOnDemandInstanceId>
    &StartTime=<startTimeToQuery>
    &EndTime=<endTimeToQuery>             

    If the returned AttackBps (attack traffic in Kbps) value stays below 300,000 for more than 30 minutes, the DDoS attack has ended.

  5. After confirming the attack has ended, call the Configure BGP Advertised IP Address Segment API during off-peak hours to disable traffic diversion for the on-demand instance.

    Note

    Disable traffic diversion during off-peak hours to minimize traffic switching impact.

    Specify the following request parameters:

    ?Action=ConfigNetStatus
    &Net=<yourNet>
    &Status=disable
    &SaleId=<yourOnDemandInstanceId>