Configure traffic scrubbing thresholds

Updated at:
Copy as MD

When inbound traffic to your cloud product meets specific conditions, Anti-DDoS Basic scrubs it to ensure your services remain available. This topic describes how to configure traffic scrubbing thresholds.

What is traffic scrubbing

During a DDoS attack, traffic scrubbing uses Anti-DDoS Basic to monitor, analyze, and filter your network traffic in real time. It separates malicious traffic from legitimate traffic, then blocks or drops the malicious traffic. This process allows only legitimate traffic to reach your server, which ensures that your network services remain available.

Anti-DDoS Basic uses two methods to determine when to trigger traffic scrubbing: the BPS/PPS scrubbing thresholds that you configure and an AI-powered intelligent analysis. By leveraging Alibaba Cloud's big data capabilities, the system learns your service's traffic baseline and uses algorithms to identify attack patterns. Traffic scrubbing is triggered only when the AI analysis detects a DDoS attack and the inbound traffic exceeds your configured BPS or PPS threshold. This dual-check mechanism helps prevent false positives, which can occur if a normal traffic spike exceeds a fixed threshold.

Scrubbing thresholds

Anti-DDoS Basic allows you to use the default scrubbing threshold or configure a custom one.

Default scrubbing threshold

Alibaba Cloud dynamically adjusts the scrubbing threshold for each cloud product based on its traffic load. This adjustment is typically based on the following factors:

  • Cloud product instance specifications and public bandwidth: For cloud products such as ECS and NAT Gateway, Alibaba Cloud calculates the default scrubbing threshold based on the instance specifications and the purchased public bandwidth. For more information, see Cloud product specifications and scrubbing thresholds.

  • Overall platform stability and resource allocation: Alibaba Cloud must ensure the stability of the entire cloud platform and prevent an attack on one cloud product from affecting other users or cloud products. When calculating the default scrubbing threshold, Alibaba Cloud considers factors such as total platform resources, current instance loads, and historical attack data. This ensures that resources are allocated reasonably for traffic scrubbing during an attack while maintaining overall platform stability.

Note

The default scrubbing threshold is typically the maximum value you can set. You can lower the threshold based on your actual business needs.

Custom scrubbing threshold

A custom scrubbing threshold allows you to customize the trigger conditions for traffic scrubbing based on your specific business requirements, network environment, and security policies.

Threshold recommendations and considerations

Recommendations

The scrubbing threshold should be set slightly higher than your normal traffic baseline. A threshold that is too high may not provide effective protection, while a threshold that is too low can trigger traffic scrubbing on normal traffic and affect legitimate access.

For example, you can lower the scrubbing threshold for high-security services like financial transactions, critical government systems, or small websites that have previously experienced low-volume, high-intensity attacks. This helps prevent the system from overlooking small amounts of malicious traffic during periods of stable traffic. Conversely, you can raise the threshold during promotional events, major gaming tournaments, or peak hours on ApsaraVideo Live. This helps avoid false positives caused by legitimate traffic spikes.

Considerations

After you set a custom scrubbing threshold:

  • If you upgrade a cloud product: The custom scrubbing threshold takes precedence and remains unchanged.

  • If you downgrade a cloud product:

    • If the new default scrubbing threshold after the downgrade is lower than your custom threshold, the setting reverts to the default, and your custom configuration is discarded. The scrubbing threshold will remain the default for any subsequent upgrades or downgrades.

    • If the new default scrubbing threshold after the downgrade is higher than your custom threshold, your custom threshold takes precedence and remains unchanged.

Adjust scrubbing threshold for a single asset

  1. Go to the Assets page of the Traffic Security console. In the top navigation bar, select the region of your asset.

  2. Click the tab for the target cloud product, such as ECS.

    Note

    Scrubbing settings are not supported for assets on the CIDR Block of Data Center and Private Addresses tabs.

  3. In the IP asset list, click the target IP address. In the IP Address Details panel, click Traffic Scrubbing Settings.

  4. In the Traffic Scrubbing Settings panel, configure the Scrubbing Threshold and click OK.

    • Default: The system automatically adjusts the scrubbing threshold based on the cloud product's traffic load.

    • Manual:

      • Scrubbing Threshold (BPS): The threshold cannot exceed 1.5 times the public bandwidth of the instance and must be at least 60 Mbps.

      • Scrubbing Threshold (PPS): The threshold cannot exceed 1.5 times the PPS specification of the instance and must be at least 12,000 pps.

Adjust scrubbing thresholds for multiple assets

Important

This feature is available only for Anti-DDoS Native.

  1. Go to the Protected Objects page of the Traffic Security console.

  2. In the top navigation bar, select the resource group to which the instances belong and the region in which the instances reside.

    • Anti-DDoS Origin 1.0 (Subscription) instances: Select the region in which the instance resides.

    • Anti-DDoS Origin 2.0 (Subscription) and Anti-DDoS Origin 2.0 (Pay-as-you-go) instances: Select All Regions.

  3. At the top of the page, select an Anti-DDoS Native instance and click Batch Adjust Traffic Scrubbing Thresholds.

  4. On the Scrubbing Threshold tab, select the IP addresses of the assets and set the BPS and PPS thresholds for the selected assets.

    1. Scrubbing Threshold (BPS): The threshold cannot exceed 1.5 times the public bandwidth of the instance and must be at least 60 Mbps.

    2. Scrubbing Threshold (PPS): The threshold cannot exceed 1.5 times the PPS specification of the instance and must be at least 12,000 pps.

    Important
    • Anti-DDoS Pro EIPs do not support batch modification of scrubbing thresholds. You can modify the scrubbing threshold for a single Anti-DDoS Pro EIP only on the Assets page.

    • You can adjust thresholds for up to 500 IP addresses at a time.

    • For batch configuration, select assets that belong to the same cloud product and have the same scrubbing threshold.

    • If the configuration of some assets fails, follow the instructions in the message to proceed.