Anti-DDoS: Overview of Anti-DDoS Diversion

Last Updated: Aug 07, 2025

Anti-DDoS Diversion protects servers in Internet Data Centers (IDCs) outside the Chinese mainland from DDoS attacks. It redirects inbound traffic to the Alibaba Cloud traffic scrubbing center, where malicious traffic is filtered out and legitimate traffic is reinjected into the network. This topic outlines Anti-DDoS Diversion and explains how it protects IDC servers.

Introduction

Anti-DDoS Diversion protects IDC servers deployed on-premises or in the cloud outside the Chinese mainland. It provides DDoS protection for public Classless Inter-Domain Routing (CIDR) blocks to mitigate common network and transport layer DDoS attacks without changing original IP addresses or network architecture. With mitigation capabilities at the Tbit/s level, Anti-DDoS Diversion is ideal for protecting on-premises servers and small Internet service providers (ISPs) outside the Chinese mainland.

Anti-DDoS Diversion consists of four key components: attack detection, traffic diversion, traffic reinjection, and mitigation reports, as detailed below:

  • Attack detection

    When an IDC's normal operation is disrupted, your O&M team diagnoses and analyzes attack patterns, such as sudden traffic influx from numerous IPs or spikes in specific packet types, to confirm a DDoS attack. After an attack is identified, the O&M team should manually initiate Anti-DDoS Diversion through the traffic security console or by calling the API.

  • Traffic diversion

    During an attack, the traffic scrubbing center advertises Border Gateway Protocol (BGP) updates to global carriers, redirecting all inbound traffic destined for the protected CIDR block to the scrubbing center for DDoS mitigation.

  • Traffic reinjection

    After the Alibaba Cloud traffic scrubbing center scrubs the traffic, the clean traffic is reinjected into your IDC through connections such as Generic Routing Encapsulation (GRE) tunnels and Cross Connects. Reinjection uses Layer 2 or Layer 2.5 forwarding (in terms of the OSI model), which prevents scrubbed traffic from being routed back to the scrubbing center after it is released onto the Internet.

  • Mitigation reports

    Comprehensive logs and statistics are provided for all detected and mitigated attack traffic, including pre-attack and post-scrubbing traffic data, and attack magnitude. These insights help you understand network traffic conditions more effectively.
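The two attack patterns named under attack detection (a sudden influx from numerous IPs, and a spike in a specific packet type) can be checked mechanically against flow records. The following is an added example, not part of the Alibaba Cloud product or its API; the record layout, window size, thresholds and sample flows are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

def make_sample_flows():
    """Constructed flow records: (unix_second, source_ip, protocol, packets)."""
    flows = []
    for minute in range(6):                      # steady background traffic
        for i in range(20):
            flows.append((minute * 60 + i, f"198.51.100.{i}", "tcp", 50))
    for i in range(2000):                        # constructed UDP flood in minute 5
        flows.append((300 + i % 60, f"2001:db8::{i:x}", "udp", 400))
    return flows

def detect(flows, window=60, history=3, factor=5.0, floor=1000):
    """Flag windows whose distinct-source count or per-protocol packet
    count exceeds `factor` times the mean of the previous `history` windows.
    `floor` keeps a near-zero baseline from triggering on trivial volumes."""
    sources = defaultdict(set)
    packets = defaultdict(Counter)
    for ts, src, proto, count in flows:
        w = ts // window
        sources[w].add(src)
        packets[w][proto] += count

    alerts = []
    order = sorted(sources)                      # windows that saw traffic
    for idx, w in enumerate(order):
        prev = order[idx - history:idx] if idx >= history else []
        if not prev:
            continue                             # not enough history yet
        base_src = sum(len(sources[p]) for p in prev) / history
        if len(sources[w]) > factor * base_src:
            alerts.append((w, "source_surge", len(sources[w])))
        for proto, count in packets[w].items():
            base = sum(packets[p][proto] for p in prev) / history
            if count > factor * max(base, floor):
                alerts.append((w, f"packet_spike:{proto}", count))
    return alerts

if __name__ == "__main__":
    for alert in detect(make_sample_flows()):
        print(alert)
```

An alert from a check like this is a prompt for the O&M team to confirm the attack and start diversion from the console or API; it does not start diversion itself.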

Diversion modes

There are two diversion modes: On-demand mode and Always-on mode.

On-demand

In On-demand mode, traffic is not redirected to the scrubbing center under normal circumstances. When a DDoS attack occurs, the IDC O&M team manually activates diversion protection to route traffic to the scrubbing center. However, there may be a short delay between attack detection and activation, during which your service could experience interruptions. This mode is ideal for businesses that experience occasional attacks.

On-demand mode offers two types of Anti-DDoS Diversion instances, which differ in the number of mitigation sessions:

  • Insurance (two sessions per month): Provides two mitigation sessions per month. After exhausting these sessions, you can contact Alibaba Cloud technical support to switch to Unlimited mode for access to unlimited sessions.

  • Unlimited (unlimited sessions): Offers unlimited mitigation sessions each month.

Always-on

In Always-on mode, all traffic is continuously routed to the scrubbing center, ensuring immediate protection against attacks at all times. This mode introduces slight latency to your business due to additional traffic processing, but provides unlimited mitigation sessions. It is slightly more expensive than On-demand mode but better suited for businesses that frequently experience attacks.

How it works

The following example explains how On-demand mode works when using GRE tunnels to reinject traffic:

  1. Set up a GRE tunnel and establish a BGP peering relationship between the virtual border router (VBR) of the IDC and the Alibaba Cloud traffic scrubbing center.

  2. When the IDC O&M team detects a DDoS attack, they initiate diversion.

  3. The Alibaba Cloud traffic scrubbing center advertises the protected CIDR block globally using AS134963.

  4. Inbound traffic is no longer routed to your IDC. Instead, it is redirected to the scrubbing center. This routing path change typically takes effect within two to three minutes. Outbound traffic remains unaffected, flowing directly from the IDC server to the ISP.

  5. If inbound traffic still reaches the IDC directly after diversion is activated, verify that the Routing Assets Database (RADB) and Resource Public Key Infrastructure (RPKI) records are effective. Also check whether both your IDC server and the scrubbing center are advertising the same subnet CIDR block in the same format, such as 1.1.XX.XX/24. If so, stop your VBR from advertising the same BGP updates to the ISP as the scrubbing center.

  6. Once traffic arrives at the scrubbing center, it is filtered based on predefined thresholds. Clean traffic is then forwarded back to the IDC through the established GRE tunnel.

  7. To stop diversion, the scrubbing center will cease advertising your CIDR block. If you previously stopped advertising BGP updates to the ISP, ensure you republish the announcement before discontinuing diversion.
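The checks in step 5 can be run before an attack rather than during one. The following added example (not Alibaba Cloud code) applies RFC 6811 route origin validation to the announcement the scrubbing center will make from AS134963, looks for a matching IRR route object, and flags an identical announcement from the IDC. The prefix 203.0.113.0/24, the customer AS64500, the ROA and route-object lists, the exact-match IRR rule and the finding codes are all constructed assumptions.

```python
import ipaddress

SCRUBBING_AS = 134963   # origin AS used by the scrubbing center (from step 3)

def rov_state(prefix, origin_as, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'.
    Each ROA is (prefix, max_length, authorized_as)."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if roa_as == origin_as and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"

def preflight(protected, idc_announcements, roas, irr_routes):
    """Return finding codes to resolve before diverting `protected`."""
    findings = []
    target = ipaddress.ip_network(protected)
    # A ROA covers the prefix but does not authorize AS134963, so carriers
    # that enforce origin validation would drop the diverted route.
    if rov_state(protected, SCRUBBING_AS, roas) == "invalid":
        findings.append("rpki-invalid")
    # Assumption: carriers build prefix filters from exact-match route objects.
    registered = {(ipaddress.ip_network(p), asn) for p, asn in irr_routes}
    if (target, SCRUBBING_AS) not in registered:
        findings.append("irr-missing")
    # Same prefix, same length from the IDC: inbound traffic may keep
    # reaching the IDC directly until the VBR withdraws it.
    if target in {ipaddress.ip_network(a) for a in idc_announcements}:
        findings.append("duplicate-announcement")
    return findings

# Constructed registry data, before and after adding AS134963.
ROAS_BEFORE = [("203.0.113.0/24", 24, 64500)]
ROAS_AFTER = ROAS_BEFORE + [("203.0.113.0/24", 24, SCRUBBING_AS)]
IRR_BEFORE = [("203.0.113.0/24", 64500)]
IRR_AFTER = IRR_BEFORE + [("203.0.113.0/24", SCRUBBING_AS)]

if __name__ == "__main__":
    print(preflight("203.0.113.0/24", ["203.0.113.0/24"], ROAS_BEFORE, IRR_BEFORE))
    print(preflight("203.0.113.0/24", [], ROAS_AFTER, IRR_AFTER))
```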

Differences between Anti-DDoS Diversion and Anti-DDoS Proxy

Both Anti-DDoS Diversion and Anti-DDoS Proxy can protect IDC servers deployed on-premises or in the cloud. The key differences are as follows:

  • Protection scope:

    Anti-DDoS Diversion: Protects IDC servers against network layer attacks such as ICMP and UDP flood, and transport layer attacks such as TCP SYN flood.

    Anti-DDoS Proxy: In addition to offering protection against network and transport layer attacks, Anti-DDoS Proxy extends its capabilities to safeguard against application layer attacks, such as HTTP/HTTPS floods, offering a more robust and comprehensive security solution.

  • Focus:

    Anti-DDoS Diversion: Primarily focuses on protecting the underlying infrastructure of your network.

    Anti-DDoS Proxy: Designed to shield specific applications or business systems from attacks.