
Anti-DDoS: Configure Anti-DDoS Diversion

Last Updated: Feb 28, 2026

Anti-DDoS Diversion protects servers in your Internet Data Center (IDC) by rerouting inbound traffic through Alibaba Cloud scrubbing centers during a DDoS attack. Clean traffic is then reinjected back to your IDC. This topic walks you through purchasing an instance, adding CIDR blocks, selecting a mitigation policy, activating traffic rerouting, and verifying that diversion is working.

Note

Configuring Anti-DDoS Diversion requires coordination with Alibaba Cloud technical support. Before you begin, contact your Alibaba Cloud pre-sales manager or submit a ticket to discuss your requirements.

Prerequisites

Before you start, make sure you have the following:

  • An Alibaba Cloud account with access to the Traffic Security console.

  • The CIDR blocks you want to protect (in the range /16 to /28).

  • A clear understanding of your IDC network topology, including the number of IDCs and the regions where your servers are deployed.

  • Contact information for your Alibaba Cloud pre-sales manager or technical support representative.

Step 1: Purchase an Anti-DDoS Diversion instance

  1. Go to the Anti-DDoS Diversion buy page.

  2. Configure the following parameters, review the service agreement, and complete your purchase.

    • Diversion Mode:

      • On-demand: Rerouting activates only when you trigger it (manually or via API) during an attack. Ideal for services under occasional attacks.

      • Always-on: Traffic is continuously rerouted through scrubbing centers regardless of whether an attack is in progress. Ideal for services under frequent attacks.

    • Mitigation Threshold: Best-effort protection. For details, see Best-effort protection.

    • Protection Mode:

      • Insurance (2 sessions per month): Provides two best-effort protection sessions per month. The counter resets at the start of each month.

      • Unlimited (unlimited times): Provides unlimited best-effort protection sessions per month.

      For more information, see Mitigation sessions.

    • Clean Bandwidth: The normal traffic bandwidth of your service. Default: 100 Mbit/s. Increment: 100 Mbit/s. Maximum: 100,000 Mbit/s.

    • C-class IP Addresses: The number of C-class IP address ranges in your IDC. Default: 1. Maximum: 10,000.

    • Data Centers: The number of IDCs. Default: 1. Maximum: 10.

    • Initial Installation Mode: The initial method used to install the diversion infrastructure.

    • Quantity: Determined by the configuration of your reinjection point.

  3. Contact your pre-sales manager to complete the configuration.

Step 2: Add CIDR blocks to your Anti-DDoS Diversion instance

  1. Log on to the Traffic Security console.

  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Native > Protected Objects, and then select Outside Chinese Mainland in the top navigation bar.

  3. Select your Anti-DDoS Diversion instance, and then click Reinjection Configurations to create an injection point.

    • Injection type: Configure this parameter after consulting Alibaba Cloud technical support.

    • Injection point: The location of the traffic scrubbing center from which business traffic is injected. The injection point is typically in the same region as your IDC. You can configure one or more injection regions based on your needs.

  4. Click Add CIDR block for Forwarding to add the CIDR blocks you want to protect.

    • Add CIDR Block: Enter a CIDR block with a subnet mask. Supported ranges:

      • Non-extended blocks: /22 to /28

      • Extended blocks: /16 to /22

      Note

      To protect CIDR blocks larger than /22 (up to /16), expand the subnet and configure Anti-DDoS Diversion for each subnet individually. You can enable or disable protection for each subnet as needed.

    • Reinjection Type: Configure this parameter after consulting Alibaba Cloud technical support. Choose one of the following reinjection types:

      • Unified Reinjection from All Traffic Scrubbing Centers: Clean traffic is first forwarded to the scrubbing centers located at your configured injection point. The injection point then reroutes the traffic back to your IDC.

      • Separate Reinjection from Individual Traffic Scrubbing Center: Clean traffic is forwarded to the scrubbing centers at each injection point, and then each injection point reroutes the traffic back to the IDC.
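The prefix-length limits in step 4 can be checked before you open the console. The following is an added example, not Alibaba Cloud code: it validates each block against the /16 to /28 range, splits blocks larger than /22 into subnets to configure individually, and counts the /24 ranges the inventory covers as an estimate for the C-class IP Addresses purchase parameter. It assumes IPv4 only, and the names plan_block, c_class_count and subnet_prefix are hypothetical.

```python
import ipaddress

MIN_PREFIX, MAX_PREFIX = 16, 28   # overall range accepted, per the ranges above
LARGEST_DIRECT = 22               # blocks larger than /22 must be expanded first

def plan_block(cidr, subnet_prefix=22):
    """Classify one IPv4 block and list the subnets to configure individually.

    subnet_prefix is an assumption: the page does not say which size the
    expansion produces; /22 is the largest size it accepts without expansion.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)   # rejects blocks with host bits set
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{cidr}: prefix must be /{MIN_PREFIX} to /{MAX_PREFIX}")
    if net.prefixlen < LARGEST_DIRECT:
        subnets = [str(s) for s in net.subnets(new_prefix=subnet_prefix)]
        return {"cidr": str(net), "type": "extended", "subnets": subnets}
    return {"cidr": str(net), "type": "non-extended", "subnets": [str(net)]}

def c_class_count(cidrs):
    """Count the distinct /24 ranges the blocks touch; overlaps count once.

    Assumption: a block smaller than /24 occupies one whole C-class range.
    """
    seen = set()
    for cidr in cidrs:
        net = ipaddress.IPv4Network(cidr, strict=True)
        if net.prefixlen > 24:
            seen.add(net.supernet(new_prefix=24))
        else:
            seen.update(net.subnets(new_prefix=24))
    return len(seen)

if __name__ == "__main__":
    # Constructed inventory using benchmarking and documentation address ranges.
    inventory = ["198.18.0.0/20", "198.51.100.0/24",
                 "203.0.113.0/25", "203.0.113.128/25"]
    for block in inventory:
        print(plan_block(block))
    print("C-class ranges covered:", c_class_count(inventory))
```
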

Step 3: Complete the Anti-DDoS Diversion configuration

  1. In the BYOIP Mode column, set the rerouting mode. The default mode is Manual. In Manual mode, you must start Anti-DDoS Diversion manually when a DDoS attack occurs and stop it after the attack subsides.

  2. In the Status column, select Review to submit a compliance check request to Alibaba Cloud for the current CIDR block. Once approved, the CIDR blocks are eligible for rerouting. We recommend contacting Alibaba Cloud technical support after you submit your request.

  3. In the Mitigation Policy column, select one of the following mitigation templates:

    • General Policy

      Protection operations: Filters out malformed packets that do not adhere to protocol specifications. Filters out TCP, UDP, and ICMP packets with clear attack signatures. Filters out fragmented packets and packets not transmitted over TCP, UDP, or ICMP. Verifies specific IP addresses that generate abnormal requests and applies rate limiting to those addresses.

      Recommended for: Most services. Provides protection against common DDoS attacks.

    • Office Policy

      Protection operations: Filters out malformed packets that do not adhere to protocol specifications. Filters out TCP, UDP, and ICMP packets with clear attack signatures. Filters out fragmented packets. Allows packets transmitted over GRE and IPsec. Applies loose verification to IP addresses that generate requests.

      Recommended for: Office networks that need more relaxed outbound access restrictions.

    • TCP Game Policy

      Protection operations: All operations from the General Policy, plus: Strictly verifies UDP packets and limits UDP packets based on verification results.

      Recommended for: TCP-based services.

    • UDP Game Policy

      Protection operations: Filters out malformed packets that do not adhere to protocol specifications. Filters out TCP, UDP, and ICMP packets with clear attack signatures. Filters out fragmented packets and packets not transmitted over TCP, UDP, or ICMP. Applies loose verification to UDP packets.

      Recommended for: UDP-based services.

Step 4: Start Anti-DDoS Diversion

How you start and stop Anti-DDoS Diversion depends on your diversion mode.

On-demand

  • Use the console

    When your IDC O&M engineer detects a DDoS attack, click Start Traffic Rerouting in the Actions column. The Traffic Rerouting Status changes to Traffic Rerouting, which indicates that DDoS protection is active for the traffic of the protected assets.

    To stop protection after the attack subsides, click Pause Rerouting. After you click Pause Rerouting, the system stops rerouting traffic destined for your protected assets and no longer mitigates DDoS attacks for those assets.

  • Call an API operation

    You can call ConfigNetStatus to enable or disable Anti-DDoS Diversion programmatically.

Always-on

In Always-on mode, inbound traffic is continuously rerouted to the traffic scrubbing center, providing protection at all times regardless of whether an attack is in progress.

To activate Always-on mode, click Start Traffic Rerouting in the Actions column. The Traffic Rerouting Status changes to Traffic Rerouting, confirming that DDoS protection is active for the protected assets.

Step 5: Verify that diversion and reinjection are working

After you enable Anti-DDoS Diversion, verify that traffic is being rerouted and reinjected correctly:

  1. Check the route path: Run the traceroute command to verify whether traffic is passing through AS134963. If so, traffic is being routed through the Alibaba Cloud scrubbing centers.

  2. Check the monitoring report: In the console, review the monitoring report to confirm that diversion is in effect.

  3. Check the reinjection status: Verify that the Reinjection Status displays Normal. If the status is not Normal, contact Alibaba Cloud technical support for assistance.
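The route-path check can be scripted so that it runs after every start or pause of rerouting. The following is an added example, not Alibaba Cloud code: it parses output in the layout printed by Linux `traceroute -A` (AS lookups shown in square brackets) and reports whether AS134963 appears on the path and at which hop. The sample output is constructed, and the function names are hypothetical.

```python
import re

SCRUBBING_ASN = 134963  # AS number given in the route-path check on this page

# Constructed sample in the `traceroute -A` layout; not captured from a real network.
SAMPLE_DIVERTED = """\
traceroute to 198.51.100.10 (198.51.100.10), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1) [*]  0.412 ms  0.398 ms  0.377 ms
 2  203.0.113.5 (203.0.113.5) [AS64500]  3.120 ms  3.101 ms  3.095 ms
 3  * * *
 4  203.0.113.77 (203.0.113.77) [AS134963]  18.554 ms  18.490 ms  18.472 ms
 5  203.0.113.81 (203.0.113.81) [AS134963]  19.102 ms  19.087 ms  19.061 ms
 6  198.51.100.10 (198.51.100.10) [AS64511]  21.030 ms  20.998 ms  20.975 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S.*)$")
TAG_RE = re.compile(r"\[([^\]]*)\]")

def hops_with_asns(text):
    """Return [(hop_number, {asn, ...})]; hops with no AS data get an empty set."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        body = m.group(2) if m else line
        # Read AS numbers only from [...] tags so a hostname containing "AS123" is ignored.
        asns = {int(a) for tag in TAG_RE.findall(body) for a in re.findall(r"AS(\d+)", tag)}
        if m:
            hops.append((int(m.group(1)), asns))
        elif hops and line[:1].isspace():
            hops[-1][1].update(asns)  # some builds wrap extra routers for a hop onto a new line
    return hops

def diversion_status(text, asn=SCRUBBING_ASN):
    """Report whether the scrubbing AS is on the path, its first hop, and the AS path."""
    hops = hops_with_asns(text)
    hits = [n for n, asns in hops if asn in asns]
    path = []
    for _, asns in hops:
        for a in sorted(asns):
            if a not in path[-1:]:      # collapse consecutive hops in the same AS
                path.append(a)
    return {"diverted": bool(hits), "first_hop": hits[0] if hits else None, "as_path": path}

if __name__ == "__main__":
    print(diversion_status(SAMPLE_DIVERTED))
```

Because diversion changes the inbound path, feed the parser output collected on a host outside your IDC tracing toward a protected address. Hops that answer with `* * *` or `[*]` carry no AS data, so a negative result on a path with many silent hops is inconclusive rather than proof that diversion is off.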

Step 6: View the protection report

After an attack ends, you can review the attack data. In the Actions column, click View Monitoring Details or View IDC Attack Analysis to see the details.

API reference