Anti-DDoS: Use an anti-DDoS diversion Anti-DDoS Origin instance to enable automatic protection for your assets

Last Updated: Oct 18, 2023

This topic describes the best practices to use an anti-DDoS diversion Anti-DDoS Origin instance to automatically protect your assets against volumetric DDoS attacks. If an attack occurs, you can call operations to enable automatic mitigation.

Prerequisites

Background information

An anti-DDoS diversion Anti-DDoS Origin instance can be used to mitigate DDoS attacks for data centers, small Internet service providers (ISPs), customers outside the Chinese mainland, and customers who have their own Border Gateway Protocol (BGP) networks. You do not need to change your service IP addresses and network architecture. The following figure shows the mitigation mechanism of an anti-DDoS diversion Anti-DDoS Origin instance.

[Figure: Architecture of the diversion mode]

Description:

  • If the service traffic is normal or a small-scale attack occurs, the traffic is forwarded to the local scrubbing center of Anti-DDoS Origin paid editions. The service latency does not increase.

  • If a DDoS attack occurs, the scrubbing centers that are distributed across the world declare routes to forward and scrub the traffic. The service latency slightly increases, but the mitigation capability can reach a Tbit/s level.

You can configure alert rules in CloudMonitor to monitor DDoS attacks in the local scrubbing center of Anti-DDoS Origin paid editions. If an attack occurs, you can call operations to enable traffic redirection for an anti-DDoS diversion Anti-DDoS Origin instance and disable traffic redirection after the attack stops.

Note

In this topic, API request parameters are described in the <Parameter description> format. For example, the ID of an anti-DDoS diversion Anti-DDoS Origin instance is in the instanceId=<yourOnDemandInstanceId> format.

You must replace <Parameter description> with the actual parameter value. For example, contact the sales personnel to obtain the ID of your anti-DDoS diversion Anti-DDoS Origin instance and replace <yourOnDemandInstanceId> with the ID.

Procedure

  1. Configure an alert rule in CloudMonitor to monitor blackhole filtering and traffic scrubbing events in the local scrubbing center of Anti-DDoS Origin paid editions.

    1. Log on to the CloudMonitor console.

    2. In the left-side navigation pane, choose Event Center > System Event.

    3. On the Event-triggered Alert Rules tab, click Create Alert Rule. In the Create/Modify Event-triggered Alert Rule panel, configure the parameters.

      Set Product Type to Anti-DDoS Origin, Event Type to DDoS Attacks, Event Level to CRITICAL, Event Name to ddosbgp_event_blackhole and ddosbgp_event_clean, and Resource Range to All Resources. For more information about other parameters, see Manage system event-triggered alert rules.

    4. Click OK.

    The created alert rule automatically takes effect. If the Anti-DDoS Origin instance of a paid edition detects a DDoS attack, alert contacts in the alert contact group are notified.

  2. If a DDoS attack occurs, the contacts are notified of the blackhole filtering or traffic scrubbing event. In this case, call the ModifyOnDemaondDefenseStatus operation to redirect traffic to the global anycast scrubbing centers of Alibaba Cloud. For more information, see ModifyOnDemaondDefenseStatus.

    You must specify the following request parameters:

    ?Action=ModifyOnDemaondDefenseStatus
    &DdosRegionId=<yourInstanceRegionId>
    &DefenseStatus=Defense
    &InstanceId=<yourOnDemandInstanceId>

  3. Optional. Disable blackhole filtering for the Anti-DDoS Origin instance of a paid edition.

    • If blackhole filtering is not triggered, skip this step.

    • If blackhole filtering is triggered, call the DeleteBlackhole operation to deactivate blackhole filtering 10 seconds after you enable traffic redirection. For more information, see DeleteBlackhole.

      You must specify the following request parameters:

      ?Action=DeleteBlackhole
      &InstanceId=<yourOnDemandInstanceId>
      &Ip=<yourOnDemandInstanceIp>

  4. Call the DescribeTopTraffic operation to check whether the DDoS attack stops. For more information, see DescribeTopTraffic.

    You must specify the following request parameters:

    ?Action=DescribeTopTraffic
    &Ipnet=<onDemandInstanceIpnetToQuery>
    &InstanceId=<yourOnDemandInstanceId>
    &StartTime=<startTimeToQuery>
    &EndTime=<endTimeToQuery>

    If the value of the AttackBps parameter that is returned by the operation stays smaller than 300000 for more than 30 minutes, the DDoS attack has stopped. This parameter indicates the volume of attack traffic, in Kbit/s.

  5. After the DDoS attack stops, call the ModifyOnDemaondDefenseStatus operation during off-peak hours to stop traffic redirection in the anti-DDoS diversion Anti-DDoS Origin instance. For more information, see ModifyOnDemaondDefenseStatus.

    Note

    We recommend that you call this operation during off-peak hours to minimize the service impact caused by traffic switching.

    You must specify the following request parameters:

    ?Action=ModifyOnDemaondDefenseStatus
    &DdosRegionId=<yourDdosRegionId>
    &DefenseStatus=UnDefense
    &InstanceId=<yourOnDemandInstanceId>
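
The decision logic of steps 2 to 5, as an added example that is not part of the original topic or of Alibaba Cloud's code. The function names, the `(timestamp, AttackBps)` sample shape, the `off_peak` flag and all sample values are assumptions; signing and sending the requests is left to your API client.

```python
from datetime import datetime, timedelta

THRESHOLD_KBPS = 300000               # step 4: AttackBps must stay below this
QUIET_PERIOD = timedelta(minutes=30)  # step 4: ...for more than 30 minutes
BLACKHOLE_DELAY_S = 10                # step 3: wait after enabling redirection

def mitigation_plan(event_name, region_id, instance_id, ip):
    """Steps 2-3: ordered (delay_seconds, request_params) for an alert event."""
    plan = [(0, {"Action": "ModifyOnDemaondDefenseStatus", "DdosRegionId": region_id,
                 "DefenseStatus": "Defense", "InstanceId": instance_id})]
    if event_name == "ddosbgp_event_blackhole":  # blackhole filtering was triggered
        plan.append((BLACKHOLE_DELAY_S, {"Action": "DeleteBlackhole",
                                         "InstanceId": instance_id, "Ip": ip}))
    return plan

def attack_stopped(samples):
    """Step 4. samples: [(datetime, AttackBps)] oldest first (assumed shape).
    A sample at or above the threshold restarts the quiet timer, so an attack
    that pauses and resumes does not release mitigation early."""
    quiet_since = None
    for ts, bps in samples:
        if bps < THRESHOLD_KBPS:
            quiet_since = quiet_since or ts
        else:
            quiet_since = None
    return quiet_since is not None and samples[-1][0] - quiet_since > QUIET_PERIOD

def release_request(samples, region_id, instance_id, off_peak):
    """Step 5: UnDefense parameters, or None while it is too early to switch back."""
    if not (off_peak and attack_stopped(samples)):
        return None
    return {"Action": "ModifyOnDemaondDefenseStatus", "DdosRegionId": region_id,
            "DefenseStatus": "UnDefense", "InstanceId": instance_id}

def series(values, step_min=5):
    """Constructed AttackBps readings, one every step_min minutes."""
    t0 = datetime(2023, 10, 18, 2, 0)
    return [(t0 + timedelta(minutes=i * step_min), v) for i, v in enumerate(values)]

if __name__ == "__main__":
    # Placeholder identifiers, not real resources.
    for delay, params in mitigation_plan("ddosbgp_event_blackhole", "<region>",
                                         "<instance-id>", "203.0.113.10"):
        print(delay, params)
    resumed = series([900000, 100000, 100000, 100000, 800000, 100000, 100000, 100000])
    print(attack_stopped(resumed))  # spike at minute 20 restarts the timer
    print(attack_stopped(series([900000] + [100000] * 8)))
```
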