Anti-DDoS: Compliance statement

Last Updated: Mar 31, 2026

Anti-DDoS Proxy handles your traffic in ways that affect your compliance posture. This page describes three behaviors — cross-border data transfer, centralized log management, and cookie insertion — including when each occurs and what it means for your data.

Cross-border data transfer

Applies to: Anti-DDoS Proxy (Outside Chinese Mainland)

Two scenarios can trigger cross-border data transfer:

  • Region-based routing: Traffic is forwarded to the region where your instance resides or the region you select. If that region differs from your users' home country, cross-border data transfer occurs.

  • Anycast failover: The anycast network architecture normally scrubs attack traffic near the attack source. If a network exception occurs, the system reschedules traffic to another node to maintain availability, which may route data across borders.

Note

To control which region your traffic is routed to, select the instance region carefully when you purchase or configure your Anti-DDoS Proxy (Outside Chinese Mainland) instance.

Before using Anti-DDoS Proxy (Outside Chinese Mainland), confirm the following:

  • You have the authority to manage your service data and accept full responsibility for the transfer.

  • Your data transfer complies with all applicable laws, including providing adequate data protection technologies and policies, obtaining the required consent from individuals whose data is involved, and evaluating and reporting the security of cross-border data transfer.

  • Your service data does not include content that applicable laws restrict or prohibit from being transferred or disclosed.

  • You accept the legal consequences of non-compliance and agree to indemnify Alibaba Cloud and its affiliates against any loss or damages arising from a breach of the above.

Centralized management and control

Applies to: Anti-DDoS Proxy (Chinese Mainland) and Anti-DDoS Proxy (Outside Chinese Mainland)

Anti-DDoS Proxy uses two separate management platforms to store and process logs, based on instance type:

| Instance type | Management platform region | Log delivery region |
| --- | --- | --- |
| Anti-DDoS Proxy (Chinese Mainland) | China (Hangzhou) | China (Hangzhou) |
| Anti-DDoS Proxy (Outside Chinese Mainland) | Singapore | Singapore or Indonesia (Jakarta), based on your configuration |

The Security Overview and Attack Analysis pages display traffic statistics and attack events for services protected by Anti-DDoS Proxy, based on the instances you have purchased across different regions.

Cookie insertion

Applies to: Anti-DDoS Proxy (Chinese Mainland) and Anti-DDoS Proxy (Outside Chinese Mainland)

When Anti-DDoS Proxy protects a website, it inserts cookies into client requests in specific scenarios. The cookies are used to distinguish clients from one another and to collect traffic statistics for HTTP flood detection.

HTTP flood mitigation is enabled

When the HTTP flood mitigation feature is enabled, Anti-DDoS Proxy inserts cookies into client browsers. These cookies are included in subsequent HTTP requests, allowing Anti-DDoS Proxy to build per-client traffic statistics. If the statistics indicate an HTTP flood attack, traffic scrubbing is triggered automatically.

To disable cookie insertion, go to Mitigation Settings > General Policies > Protection for Website Services and turn off the HTTP flood mitigation feature.

Important

Disabling the HTTP flood mitigation feature prevents Anti-DDoS Proxy from proactively detecting and mitigating HTTP flood attacks.

A mitigation rule uses JavaScript Challenge

When a mitigation rule's Action is set to JavaScript Challenge, Anti-DDoS Proxy inserts cookies into HTTP request headers to collect a browser fingerprint. The fingerprint includes the host field and the browser's height and width. If traffic matches the rule, Anti-DDoS Proxy runs CAPTCHA verification and checks the traffic for HTTP flood attacks.

To disable cookie insertion, go to Mitigation Settings > General Policies > Protection for Website Services and turn off the HTTP flood mitigation feature.

Important

Disabling the HTTP flood mitigation feature prevents Anti-DDoS Proxy from proactively detecting and mitigating HTTP flood attacks.