Anti-DDoS: Access configuration best practices

Updated at:
Copy as MD

Integrating your service with Anti-DDoS Pro / Anti-DDoS Premium redirects attack traffic to the Anti-DDoS instance. This approach prevents service disruptions during large-scale DDoS attacks and ensures your origin server remains stable and reliable. To better protect your service in various scenarios, refer to the best practices for access configuration and protection policies in this topic.

Onboarding and configuration

Scenario

Steps

Normal onboarding

  1. Service analysis

  2. Preparations

  3. Onboard and configure Anti-DDoS Pro/Anti-DDoS Premium

Emergency onboarding during an attack

Before you follow the steps for normal onboarding, you must read and understand the information in Emergency onboarding scenarios.

Step 1: Service analysis

Before you begin, conduct a comprehensive analysis of the services that you want to protect with Anti-DDoS Pro/Anti-DDoS Premium. This helps you understand your current service status and key metrics, guiding your selection of instance specifications and protection features.

Item

Description

Actions

Website and service information

Daily peak traffic of your website or application, including bandwidth in Mbit/s and queries per second (QPS)

Identifies high-risk periods.

Use this information as a basis for selecting the clean bandwidth and clean QPS specifications for your Anti-DDoS Pro/Anti-DDoS Premium instance.

Primary user groups (for example, the main geographical locations of your users)

Differentiates legitimate users from malicious attackers.

This information helps you configure a location blacklist in Anti-DDoS Pro/Anti-DDoS Premium after onboarding. For more information, see Configure a location blacklist for a domain name.

Whether the service uses a client/server (C/S) architecture

If a C/S architecture is used, identify whether you have app clients, Windows clients, Linux clients, code callbacks, or clients for other environments.

None.

Whether the origin server is deployed in a region outside the Chinese mainland

Determines whether the configured instance fits the optimal network architecture.

If your origin server is deployed outside the Chinese mainland, we recommend that you purchase an Anti-DDoS Pro/Anti-DDoS Premium instance that is deployed outside the Chinese mainland. For more information, see What is Anti-DDoS Pro and Anti-DDoS Premium?

The operating system (Linux or Windows) and web service middleware (such as Apache, NGINX, or IIS) of the origin server

Determines whether an access control policy is configured on the origin server that may incorrectly block traffic forwarded from the back-to-origin IPs of Anti-DDoS Pro/Anti-DDoS Premium.

If a policy is configured, you must add the back-to-origin IPs of Anti-DDoS Pro/Anti-DDoS Premium to a whitelist on the origin server. For more information, see Add the back-to-origin IPs to a whitelist.

Whether the service requires IPv6 support

None.

If your service requires IPv6 support, use Anti-DDoS Origin. For more information, see What is Anti-DDoS Origin?

Protocol type used by the service

None.

This information is required when you configure website information during onboarding to Anti-DDoS Pro/Anti-DDoS Premium.

Service ports

None.

Determines whether the service ports of your origin server are supported by Anti-DDoS Pro/Anti-DDoS Premium. For more information, see Custom server ports.

Whether HTTP request headers (HTTP Header) contain custom fields and whether the server has a corresponding verification mechanism

Determines whether Anti-DDoS Pro/Anti-DDoS Premium may affect custom fields and cause server-side verification to fail.

None.

Whether the service has a mechanism to obtain and verify the originating IP

Because adding your service changes the originating IP, determine if the origin server's configuration needs adjustment to prevent service interruptions.

If required, see Obtain the originating IPs of requests.

Whether the service uses TLS 1.0 or a weak cipher suite

Determines whether the cipher suite used by the service is supported.

After you add your service, configure the TLS security policy as needed. For more information, see Customize the TLS security policy.

(HTTPS services) Whether the server uses mutual authentication

None.

If you require mutual authentication, see Deploy HTTPS mutual authentication.

(HTTPS services) Whether the client supports Server Name Indication (SNI)

None.

For domain names that support HTTPS, both the client and the server must support SNI after you add the service to Anti-DDoS Pro/Anti-DDoS Premium.

(HTTPS services) Whether a session persistence mechanism is used

The default connection timeout period for HTTP and HTTPS in Anti-DDoS Pro/Anti-DDoS Premium is 120 seconds.

If your service requires long sessions, such as for uploads or logins, use Layer 7 cookie-based session persistence.

Whether the service has empty connections

For example, if the server proactively sends packets to prevent session interruption, adding the service to Anti-DDoS Pro/Anti-DDoS Premium may affect normal service operations.

None.

Service interaction process

Helps you understand the service interaction process and business logic to configure targeted protection policies.

None.

Number of active users

Helps you assess the severity of an emergency attack and take low-risk emergency response measures.

None.

Service and attack information

Service type and features (for example, gaming, card games, websites, or apps)

Helps you analyze attack patterns during an attack.

None.

Inbound traffic

Helps identify malicious traffic. For example, if the average daily traffic is 100 Mbit/s, traffic exceeding this rate may indicate an attack.

None.

Outbound traffic

Helps determine whether an attack has occurred and serves as a reference for whether additional clean bandwidth is required.

None.

Inbound traffic range and connection status for a single user or single IP address

Helps determine whether a rate limiting policy can be created for a single IP address.

For more information, see Set frequency control.

User group properties

For example, individual users, internet cafe users, or users who access the service through a proxy.

Helps determine the risk of false positives caused by concentrated concurrent access from a single egress IP address.

Whether the service has experienced high-volume attacks and the attack types

Helps you configure targeted DDoS mitigation policies based on historical attack types.

None.

The peak traffic of the largest attack experienced by the service

Helps you determine the specifications for your Anti-DDoS Pro/Anti-DDoS Premium instance based on peak attack traffic.

For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.

Whether the service has experienced CC attacks (HTTP floods)

Helps you configure preventive policies by analyzing historical attack patterns.

None.

The peak QPS of the largest CC attack experienced by the service

Helps you configure preventive policies by analyzing historical attack patterns.

None.

Whether the service provides a web API

None.

If you provide web API services, do not use the Emergency protection mode of frequency control. Analyze API access patterns and configure custom CC attack protection policies to prevent legitimate API requests from being blocked.

Whether a stress test has been completed for the service

Helps you evaluate the request processing performance of your origin server and determine whether service exceptions are caused by attacks.

None.

Step 2: Preparations

Important

Test the onboarding process in a non-production environment. After all tests pass, onboard your service to Anti-DDoS Pro/Anti-DDoS Premium for production use.

Before you add your service to Anti-DDoS Pro/Anti-DDoS Premium, complete the preparations described in the following table.

Service type

Preparations

Website services

  • Prepare a list of website domain names that you want to add, including the IP addresses of the origin servers (only public IP addresses can be protected) and port information.

  • The domain names that you add must have a valid ICP filing.

  • If your website supports HTTPS, you must prepare the required certificate and private key information. This typically includes a public key file in .crt format or a certificate file in .pem format, and a private key file in .key format.

  • Obtain an administrator account for the DNS service of your website. This account is used to modify DNS records when you switch traffic to Anti-DDoS Pro/Anti-DDoS Premium.

  • Run a stress test before you add your website service.

  • Check whether your website service has trusted clients, such as monitoring systems, API interfaces that are called from internal fixed IP addresses or IP address ranges, or dedicated client programs. After you add the service, you must add the IP addresses of these trusted clients to the whitelist.

Non-website services

  • Prepare the external service ports and protocol types.

  • If your service is accessed by a domain name, obtain a DNS administrator account. This account is used to modify DNS records when you switch traffic to Anti-DDoS Pro/Anti-DDoS Premium.

  • Run a stress test before you add your service.

Step 3: Onboard and configure

  1. Onboard your service.

    Note

    If your service is already under attack before onboarding, change the IP address of the origin server. Before you change the IP address, check whether the client or app code hard-codes the origin IP address. If it does, update the code first and then change the origin server IP address to prevent service interruptions. For more information, see Change the public IP address of an origin ECS instance.

    To add your service, use the guide that matches your business scenario and product edition:

  2. Configure origin server protection.

    To prevent attackers from bypassing Anti-DDoS Pro/Anti-DDoS Premium and directly targeting the origin server, configure origin server protection. For more information, see Configure origin server protection.

  3. Configure protection policies.

    • Website services

      • CC attack protection

        • During normal operations: After you add your website service to Anti-DDoS Pro/Anti-DDoS Premium, let the service run for a period of time, such as two to three days. Then, analyze application log data, including URLs and average QPS from a single source IP address, to assess the normal request QPS from a single source IP address. Based on your assessment, configure custom frequency control rules to proactively mitigate attacks rather than reacting after an attack begins.

        • During an active CC attack: On the Anti-DDoS Pro and Anti-DDoS Premium console, check the Security Overview report (for more information, see Security Overview) for metrics such as top URLs by request, source IP addresses, and User-Agent strings. Create a targeted custom frequency control rule based on this information and observe the effect. For more information, see Custom frequency control rules.

      • Intelligent protection

        The Strict mode of the intelligent protection policy may cause false positives. In addition, website services have inherent protection against common Layer 4 attacks after being added. Therefore, do not use the Strict mode for website services. Use the default Normal mode. For more information, see Set intelligent protection.

      • Enable full logs

        Enable the full log analysis service. For more information, see Quickly use full log analysis. When your service is under a Layer 7 attack, you can use the full logs feature to analyze attack behavior and create targeted protection policies.

        Note

        Enabling the full log analysis service may incur additional fees. Confirm the pricing before you enable the service.

    • Non-website services

      In most cases, the default protection configuration is sufficient after you add your non-website service to Anti-DDoS Pro/Anti-DDoS Premium. After the service has run for a period of time, such as two to three days, you can adjust the Layer 4 intelligent protection mode based on your traffic patterns to improve protection against Layer 4 CC attacks. For more information, see Set Layer 4 intelligent protection.

      Note

      If your service is an API or has concentrated single-IP access, such as office network egress IP addresses, single server IP addresses, or high-frequency API callers, do not enable the Strict mode of the intelligent protection policy for non-website services. If you must use the Strict protection mode, contact Alibaba Cloud technical support to confirm the configuration before you enable it. This prevents service interruptions that are caused by false positives.

      If you discover that attack traffic is penetrating to your origin server, enable the source and destination connection rate limiting policies in your DDoS mitigation policy. For more information, see Configure a single DDoS mitigation policy. If you are unsure about your service's traffic patterns, set both the source new connection rate limit and the source concurrent connection rate limit to 5. If you observe false positives, you can increase the values to relax the limits. In the Source New Connection Rate Limit section, select a rate limiting mode: Automatic, Manual, or Disabled. If you select Manual, set the per-second threshold for new connections from a single source IP address (range: 1 to 50,000), and you can select the If the source new connection rate exceeds the limit 5 times in 60 seconds, add the source IP to the blacklist option. In the Source Concurrent Connection Rate Limit section, enable the switch, set the per-second threshold for concurrent connections from a single source IP address (range: 1 to 50,000), and you can select the If the source concurrent connection rate exceeds the limit 5 times in 60 seconds, add the source IP to the blacklist option.

      If your service has scenarios where the server proactively sends data packets, you must disable the Empty Connection protection policy to prevent legitimate traffic from being blocked. For more information, see Configure a single DDoS mitigation policy. In the DDoS mitigation policy, enable the Spoofed Source switch to validate and filter DDoS attacks that are initiated from spoofed IP addresses. The Empty Connection switch must be disabled in this scenario.

  4. Run local tests.

    After you complete the configuration, verify your configuration and test service availability.

    Note

    You can modify your local system hosts file to perform local tests.

    Table 1. Configuration accuracy checklist

    #

    Check item

    Website service checklist (Required)

    1

    The domain name in the onboarding configuration is correct.

    2

    The domain name has an ICP filing.

    3

    The configured protocol matches the actual protocol.

    4

    The configured port matches the actual service port.

    5

    The origin server IP address is the actual server IP address, not the IP address of the Anti-DDoS Pro/Anti-DDoS Premium instance or another service.

    6

    The certificate information is correctly uploaded.

    7

    The certificate is valid (for example, the encryption algorithm is compliant and the certificate is for the correct domain name).

    8

    The certificate chain is complete.

    9

    You understand the billing method for burstable protection of Anti-DDoS Pro/Anti-DDoS Premium instances in the Chinese mainland.

    10

    The WebSocket and WebSockets protocols are enabled for the protocol type if required.

    11

    The Emergency and Strict modes of frequency control are enabled.

    Non-website service checklist (Required)

    1

    The service port is accessible.

    2

    The configured protocol matches the actual protocol. Confirm that a UDP rule is not mistakenly configured for a TCP service.

    3

    The origin server IP address is the actual server IP address, not the IP address of the Anti-DDoS Pro/Anti-DDoS Premium instance or another service.

    4

    You understand the billing method for burstable protection of Anti-DDoS Pro/Anti-DDoS Premium instances in the Chinese mainland.

    5

    The Strict mode of Layer 4 intelligent protection is enabled.

    Table 2. Service availability checklist

    #

    Check item

    1 (Required)

    The service is accessible as expected.

    2 (Required)

    Session persistence for logins works as expected.

    3 (Required)

    (Website services) Observe the number of 4xx and 5xx response codes to ensure that the back-to-origin IP is not blocked.

    4 (Required)

    (Website services) For app services, test whether HTTPS access works as expected. Check for SNI issues.

    5 (Recommended)

    The backend server is configured to retrieve the originating IP.

    6 (Recommended)

    (Website services) Origin server protection is configured to prevent direct attacks that bypass Anti-DDoS Pro/Anti-DDoS Premium.

    7 (Required)

    The TCP service port is accessible as expected.

  5. Switch service traffic.

    After all required checks pass, use a phased approach to modify DNS records one by one. This switches traffic to Anti-DDoS Pro/Anti-DDoS Premium incrementally and avoids service disruptions that can be caused by batch changes. If an exception occurs during the switch, restore the DNS records immediately.

    Note

    After a DNS record is modified, the change takes approximately 10 minutes to take effect.

    After you switch live traffic, you must test the service again by using the service availability checklist to ensure that the service runs as expected.

  6. Set up monitoring and alerting.

    Use CloudMonitor to monitor the domain names, ports, and origin server ports that are protected by Anti-DDoS Pro/Anti-DDoS Premium. For more information, see Configure alert rules for Anti-DDoS Pro and Anti-DDoS Premium. Monitor metrics such as availability and HTTP response status codes (4xx and 5xx) in real time to detect service exceptions at the earliest opportunity.

  7. Perform routine O&M.

    • Using burstable protection and advanced mitigation with the Insurance Plan:

      • If you are a first-time buyer of an Anti-DDoS Pro/Anti-DDoS Premium instance in the Chinese mainland, you can receive a free Anti-DDoS Plan with a mitigation capacity of 300 Gbit/s. For more information, see Anti-DDoS plans. Bind the plan to your instance and set the burstable protection threshold to 300 Gbit/s as soon as possible. After the plan is bound, attacks with a peak throughput of less than 300 Gbit/s on that calendar day do not incur burstable protection fees.

        Note

        If you do not want to use burstable protection after the Anti-DDoS Plan is exhausted or expires, adjust the burstable protection threshold back to the instance's basic protection bandwidth in a timely manner.

      • If you want to enable burstable protection for an Anti-DDoS Pro/Anti-DDoS Premium instance in the Chinese mainland, you must review the billing method to prevent unexpected costs. For more information, see Billing of Anti-DDoS Pro and Anti-DDoS Premium (Chinese mainland).

      • Insurance Plan instances of Anti-DDoS Pro/Anti-DDoS Premium that are deployed outside the Chinese mainland receive two free advanced mitigation sessions per month. Select a plan edition based on your business requirements.

    • Identify attack types:

      When an Anti-DDoS Pro/Anti-DDoS Premium instance is under both a CC attack and a DDoS attack, you can open the Anti-DDoS Pro and Anti-DDoS Premium console and check the Security Overview report to identify the attack type based on traffic information. For more information, see Security Overview.

      • DDoS attack: The protection report for the Instances tab shows traffic fluctuations and indicates that traffic scrubbing has been triggered, but the protection report for the Domain Name tab shows no associated fluctuations.

      • CC attack: The protection report for the Instances tab shows traffic fluctuations and indicates that traffic scrubbing has been triggered. The protection report for the Domain Name tab also shows associated fluctuations.

      For more information, see How do I determine the type of attack on an Anti-DDoS Pro or Anti-DDoS Premium instance?

    • High latency or packet loss:

      If your origin server is outside the Chinese mainland and your primary users are in the Chinese mainland, users may experience high latency or packet loss due to cross-carrier network instability. Use an Anti-DDoS Pro/Anti-DDoS Premium instance that is deployed outside the Chinese mainland with an acceleration line.

    • Delete a domain name or port forwarding configuration:

      Before you delete a protected domain name or port forwarding configuration, confirm whether traffic has been switched to Anti-DDoS Pro/Anti-DDoS Premium.

      • If traffic has not yet been switched, you can directly delete the domain name or port forwarding configuration on the Anti-DDoS Pro and Anti-DDoS Premium console.

      • If traffic has already been switched, go to your DNS console and modify the DNS record to switch traffic back to the origin server before you delete the domain name or port forwarding configuration.

      Note
      • Before you delete a forwarding configuration, make sure that the DNS resolution or service access has been switched back to the origin server.

      • After you delete a domain name configuration, Anti-DDoS Pro/Anti-DDoS Premium will no longer protect your service.

Emergency onboarding

If your service is already under attack, take note of the following content when you onboard it to Anti-DDoS Pro/Anti-DDoS Premium:

  • Service is under a DDoS attack

    In most cases, the default protection configuration is sufficient after you add your service to Anti-DDoS Pro/Anti-DDoS Premium.

    If you find that Layer 4 CC attack traffic is penetrating to your origin server, enable the source and destination connection rate limiting policies in your DDoS mitigation policy. For more information, see Configure a single DDoS mitigation policy.

  • Origin IP address is under blackhole filtering

    If the origin server is attacked and blackhole filtering is triggered before you add the service to Anti-DDoS Pro/Anti-DDoS Premium, you must immediately change the public IP address of the origin ECS instance. If the origin server is an SLB instance, change the public IP address of the SLB instance. For more information, see Change the public IP address of an origin ECS instance. After you change the IP address, add the service to Anti-DDoS Pro/Anti-DDoS Premium immediately to prevent the new origin IP address from being exposed.

    If you cannot change the origin IP address, or if the origin IP address is still exposed after the change, deploy an SLB instance in front of the origin ECS server. Then, use the public IP address of the SLB instance as the origin IP address when you add the service to Anti-DDoS Pro/Anti-DDoS Premium.

    Note

    If your origin server is not deployed on Alibaba Cloud and is under attack, you must make sure that the domain name has an ICP filing from the Ministry of Industry and Information Technology (MIIT) before you can add the service to Anti-DDoS Pro/Anti-DDoS Premium for emergency protection. Before you add the service, contact Alibaba Cloud technical support for special processing. This prevents the service from becoming unavailable if Alibaba Cloud is not listed as a service provider in the ICP filing information.

  • Service is under a CC attack or crawler attack

    If your service is under a CC attack or crawler attack, add the service to Anti-DDoS Pro/Anti-DDoS Premium. Then, analyze HTTP access logs to identify attack patterns and configure protection policies accordingly. For example, analyze whether request fields such as the source IP address, URL, Referer, User-Agent, parameters, and headers show signs of illegitimate traffic.