All Products
Search

This Product

    Anti-DDoS:Compliance description

    Document Center

    Anti-DDoS:Compliance description

    Last Updated:Aug 13, 2024

    This topic describes cross-border data transfer, centralized management and control, and cookie insertion in Anti-DDoS Proxy.

    Cross-border data transfer

    Involved service: Anti-DDoS Proxy (Outside Chinese Mainland)

    Scenario 1: If you use an Anti-DDoS Proxy (Outside Chinese Mainland) instance to protect your cloud service, your service data needs to be transferred to the region that you select or the region in which the instance resides. This may require cross-border data transfer.

    Scenario 2: If your Anti-DDoS Proxy (Outside Chinese Mainland) instance uses the anycast network architecture, the system performs traffic scrubbing near the attack source. However, if network exceptions occur, the system performs scheduling to ensure service availability. This may require cross-border data transfer.

    Before you use Anti-DDoS Proxy (Outside Chinese Mainland), take note of the following items:

    • If you use an Anti-DDoS Proxy (Outside Chinese Mainland) instance to protect your cloud service, your service data needs to be transferred to the region that you select or the region in which the instance resides. This may require cross-border data transfer.

    • You acknowledge and confirm that you have full permissions to manage your service data and agree to be solely responsible for the data transfer.

    • You shall make sure that the transfer of your service data complies with all applicable laws, including providing adequate technologies and policies for data protection, obtaining the required consent from relevant individuals, and evaluating and reporting the security of cross-border data transfer. In addition, you shall make sure that your service data does not contain content that is limited or prohibited from being transferred or disclosed by applicable laws.

    • You shall bear the corresponding legal consequences for failing to comply with the foregoing and indemnify Alibaba Cloud and its affiliates against any loss or damages in connection to any breach of the foregoing.

    Centralized management and control of Anti-DDoS Proxy

    Involved services: Anti-DDoS Proxy (Chinese Mainland) and Anti-DDoS Proxy (Outside Chinese Mainland)

    Anti-DDoS Proxy provides two management platforms to collect logs based on the regions of purchased Anti-DDoS Proxy instances. The logs of Anti-DDoS Proxy (Chinese Mainland) instances are managed by using the management platform in the China (Hangzhou) region. Logs are delivered to the China (Hangzhou) region after processing. The logs of Anti-DDoS Proxy (Outside Chinese Mainland) instances are managed by using the management platform in the Singapore region. Logs are delivered to the Singapore region or Indonesia (Jakarta) region based on your configuration. On the Security Overview and Attack Analysis pages, you can view the statistics about the service traffic of and attacks on services that are added to Anti-DDoS Proxy. Anti-DDoS Proxy displays charts and information based on the instances that you purchase in different regions.

    Cookie insertion

    Involved services: Anti-DDoS Proxy (Chinese Mainland) and Anti-DDoS Proxy (Outside Chinese Mainland)

    If you use Anti-DDoS Proxy to protect your website, cookies are inserted in the following scenarios:

    • Scenario 1: The HTTP flood mitigation feature is enabled.

      After you enable the HTTP flood mitigation feature, Anti-DDoS Proxy inserts cookies into the client of your website, such as a browser, to distinguish your client from other clients and collect statistics on your client. When users visit your website, the inserted cookies are included in HTTP requests. Anti-DDoS Proxy checks whether HTTP flood attacks exist in traffic based on the statistics. If attacks occur, traffic scrubbing is triggered to mitigate the attacks. To disable the HTTP flood mitigation feature and prohibit cookies from being inserted, go to the Mitigation Settings > General Policies > Protection for Website Services tab. If you disable the HTTP flood mitigation feature, Anti-DDoS Proxy cannot proactively identify and mitigate HTTP flood attacks.

    • Scenario 2: The Action parameter of a mitigation rule is set to JavaScript Challenge.

      After you set the Action parameter of a mitigation rule to JavaScript Challenge, cookies are inserted into HTTP request headers to obtain the fingerprint of the browser on the client. The collected fingerprint includes the host field and the height and width of the browser. If access traffic hits the mitigation rule, Anti-DDoS Proxy performs CAPTCHA verification and checks whether HTTP flood attacks are launched from the client. To prohibit cookies from being inserted, go to the Mitigation Settings > General Policies > Protection for Website Services tab to disable the HTTP flood mitigation feature. If you disable the HTTP flood mitigation feature, Anti-DDoS Proxy cannot proactively identify and mitigate HTTP flood attacks.