Anti-DDoS: Interaction between Anti-DDoS Proxy and CDN or DCDN

Last Updated: Jan 06, 2026

When your website needs both access acceleration and DDoS protection, you can integrate Anti-DDoS Proxy with an acceleration service like CDN or DCDN. During normal operations, the Traffic Scheduler bypasses Anti-DDoS scrubbing and directs traffic to the nearest acceleration nodes. When an attack is detected, traffic is automatically rerouted to Anti-DDoS Proxy for scrubbing. The service then forwards the clean traffic to your origin server, ensuring uninterrupted service. This topic explains how to configure this interaction.

Feature overview

When your service requires both access acceleration and DDoS protection, Alibaba Cloud provides the following two solutions:

  • Solution 1: DDoS Mitigation at the Edge for DCDN (Recommended)

    After you add a domain name to DCDN, you can directly configure DDoS Mitigation at the Edge in the DCDN console. This allows you to enable DDoS protection with a single click, eliminating complex configurations. No configuration is required on the Anti-DDoS Proxy side. For detailed instructions, see Protection Configuration.

    Note

    Only DCDN supports DDoS Mitigation at the Edge; Content Delivery Network (CDN) does not. You can migrate your CDN domain name to DCDN and then use DDoS Mitigation at the Edge. For detailed instructions, see Upgrade a CDN domain name to DCDN.

  • Solution 2: Interaction between Anti-DDoS Proxy and CDN, or interaction between Anti-DDoS Proxy and DCDN

    This is the solution detailed in this topic. Attack traffic is scrubbed by the Anti-DDoS service, and clean traffic is forwarded directly to the origin server. This approach requires you to configure your domain in both the acceleration service and Anti-DDoS Proxy before setting up the interaction in the Traffic Scheduler.

When the interaction feature is used, scrubbed traffic is forwarded to the origin server. For DCDN's DDoS Mitigation at the Edge, scrubbed traffic is forwarded to DCDN, which maintains acceleration during attacks. See the following figure for more details.

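[Figure: traffic forwarding paths of the interaction feature and of DDoS Mitigation at the Edge for DCDN]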

Precautions

  • If your service bandwidth exceeds 3 Gbps or your QPS exceeds 10,000, contact your account manager for an evaluation before you use the interaction feature.

  • For websites that are frequently attacked (for example, more than three times a week), we recommend using only Anti-DDoS Proxy to prevent service disruptions caused by frequent traffic switching between the acceleration service and Anti-DDoS Proxy.

  • The interaction feature supports both IPv4 and IPv6 Anti-DDoS IPs.

  • When an attack occurs and traffic is routed to Anti-DDoS Proxy, the protection's activation time may be affected by the DNS TTL.

  • Before you use the interaction feature, make sure that your domain is not in a sandbox state in the acceleration service. For more information about the sandbox, see Sandbox. If your domain is in a sandbox and you want to set up DDoS protection and remove the domain from the sandbox, contact your account manager.

Supported Anti-DDoS instance types

Anti-DDoS Proxy (Chinese Mainland) Professional Plan, Anti-DDoS Proxy (Chinese Mainland) Advanced Plan, Anti-DDoS Proxy (Outside Mainland China) Insurance Plan, and Anti-DDoS Proxy (Outside Mainland China) Unlimited Plan. All instances must be on an Enhanced Function plan.

Prerequisites

Procedure

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.

    • Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.

  3. In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager and click the CDN/DCDN Interaction tab.

    Note

    If you are using the interaction feature for the first time, click Authorize Now and follow the on-screen instructions to authorize Anti-DDoS Proxy to access the acceleration service.

  4. Find the domain that you want to manage and click Actions in the Actions column. In the Create Interaction Rule panel, complete the configuration and click Next.

    Parameter: Anti-DDoS Instance

    Description: Select the Anti-DDoS Proxy instance that you want to integrate with the acceleration service.

    Note

    • If the message "To enable CDN interaction, you must use an instance of the Enhanced function plan." appears, follow the instructions to upgrade your instance.

    • If the message "No instance is selected." appears, add your domain to an Anti-DDoS Proxy instance first. For more information, see Add a website.

    Parameter: Resource for Interaction

    Description: The associated resource is automatically selected.

    If the domain has not been added to an acceleration service, follow the on-screen instructions to add it, and then wait about 10 minutes before you configure the interaction. For more information, see Add a domain name to CDN or Add a domain name to DCDN.

    Parameter: Access QPS

    Description: Set the minimum queries per second (QPS) to trigger a switch to Anti-DDoS Proxy.

    For more information about traffic switching, see Traffic switching.

    Note

    When you set the QPS threshold, consider potential traffic spikes. We recommend setting the threshold to at least two to three times your historical peak QPS. Even if your website has low QPS, the threshold should not be lower than 500.

  5. Verify that the traffic scheduling rule has taken effect by modifying the local hosts file. This helps prevent compatibility issues caused by inconsistent back-to-origin policies. For more information, see Locally verify the forwarding configuration.

    For example, in a scenario where CDN interacts with Anti-DDoS and the origin server is an OSS bucket, CDN allows you to modify the back-to-origin HOST header, but Anti-DDoS does not. If an attack triggers an automatic switch to Anti-DDoS, valid traffic from Anti-DDoS to the OSS bucket may not be recognized, causing a service failure.

  6. Go to your DNS provider to change the DNS record. Point the domain's DNS record to the CNAME address generated by the Traffic Scheduler. For more information, see Change the CNAME record to use the Traffic Scheduler.

    Note

    When you add a domain to an acceleration service and Anti-DDoS, and then configure an interaction rule, three CNAMEs are generated: one by the acceleration service, one by Anti-DDoS, and one by the Traffic Scheduler. You must point your domain's DNS record to the CNAME generated by the Traffic Scheduler.

Traffic switching

Traffic can be switched automatically or manually. When the conditions for automatic switching are met, traffic is automatically switched between the acceleration service and Anti-DDoS Proxy. You can also manually switch traffic to Anti-DDoS Proxy or back to the acceleration service based on your protection needs. We recommend that you use automatic switching.

Automatic switching

Switching Type: From acceleration service to Anti-DDoS Proxy

Switching Condition: The switch is triggered if either of the following conditions is met:

  • The QPS exceeds the threshold 3 times within 3 minutes or more than 6 times within 10 minutes, and the normal service traffic on the acceleration service does not exceed 10 Gbps.

  • Anti-DDoS detects that the domain has entered a sandbox state, and the normal service traffic on the acceleration service does not exceed 10 Gbps.

Switching Type: From Anti-DDoS Proxy back to acceleration service

Switching Condition: The switch is triggered when all the following conditions are met:

  • For more than 12 consecutive hours, the domain's QPS is below 80% of the threshold, and attack requests account for less than 10% of the traffic.

  • The Anti-DDoS IP to switch back to is not undergoing scrubbing or in a blackhole, and no scrubbing or blackhole events have occurred in the last hour.

  • The domain is not in a sandbox state.

Important

The system performs switchback operations only between 08:00 and 23:00. Switchbacks are not triggered at other times.
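
The automatic switching conditions above and the Access QPS threshold guidance, modelled as an added Python example (not Alibaba Cloud's code or API) so you can replay your own QPS history against a candidate threshold. It assumes one QPS sample per minute and that `now` is in the time zone the service uses for the 08:00 to 23:00 window; the function names and `ip_state` labels are hypothetical.

```python
from datetime import datetime, timedelta

def recommended_threshold(peak_qps, factor=2):
    # Page guidance: two to three times historical peak QPS, never below 500.
    return max(500, int(peak_qps * factor))

def should_switch_to_proxy(samples, threshold, normal_gbps, sandbox=False):
    """samples: [(datetime, qps)], oldest first; one per minute is ASSUMED."""
    if normal_gbps > 10:          # both conditions require <= 10 Gbps of normal traffic
        return False
    if sandbox:                   # condition 2: domain entered the sandbox
        return True
    if not samples:
        return False
    now = samples[-1][0]
    def exceeded(minutes):
        start = now - timedelta(minutes=minutes)
        return sum(1 for t, qps in samples if t > start and qps > threshold)
    # condition 1: 3 times within 3 minutes, or more than 6 times within 10 minutes
    return exceeded(3) >= 3 or exceeded(10) > 6

def should_switch_back(samples, threshold, now, ip_state, last_event, sandbox=False):
    """samples: [(datetime, qps, attack_ratio)], oldest first.
    ip_state: 'normal', 'scrubbing' or 'blackhole' (hypothetical labels).
    last_event: time of the latest scrubbing/blackhole event, or None."""
    if not 8 <= now.hour < 23:    # switchbacks only run between 08:00 and 23:00
        return False
    if sandbox or ip_state != "normal":
        return False
    if last_event is not None and now - last_event <= timedelta(hours=1):
        return False
    quiet_since = None            # start of the current unbroken quiet streak
    for t, qps, attack_ratio in reversed(samples):
        if qps >= 0.8 * threshold or attack_ratio >= 0.10:
            break
        quiet_since = t
    return quiet_since is not None and now - quiet_since > timedelta(hours=12)

# Constructed samples: a burst against a threshold of 1500 QPS.
T0 = datetime(2026, 1, 6, 9, 0)
BURST = [(T0 + timedelta(minutes=i), q) for i, q in enumerate([400, 1600, 1700, 1800])]
```

Replaying past legitimate peaks through `should_switch_to_proxy` shows whether a chosen threshold would have triggered a switch on normal traffic, which is the disruption the threshold guidance is meant to avoid.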

Manual switching

Operation: From acceleration service to Anti-DDoS Proxy

Description: Manually switch service traffic to Anti-DDoS for scrubbing when an automatic switch has not been triggered. If your service traffic spikes but does not meet the automatic switching conditions, you can perform a manual switch to prevent attacks from affecting your services.

Switch to Anti-DDoS

Important

  • You can switch to Anti-DDoS only if the Anti-DDoS IP is not in a blackhole.

  • After you manually switch traffic to Anti-DDoS Proxy, it automatically switches back to the acceleration service when the automatic switchback conditions are met.

Operation: From Anti-DDoS Proxy back to acceleration service

Description: If traffic was switched to Anti-DDoS due to a normal traffic spike, you can manually switch it back to the acceleration service to avoid service disruption.

Switch back to acceleration service

Important

Before you perform a switchback, we recommend that you confirm the DDoS attack has ended and the domain is not in a sandbox state.

Related operations

  • Modify an interaction rule: On the CDN/DCDN Interaction tab, find the target domain, click Actions in the Actions column, and modify the Anti-DDoS Proxy Instance or Access QPS.

  • Delete an interaction rule: On the CDN/DCDN Interaction tab, find the target domain and click Actions in the Actions column.

    Warning

    Before you delete an interaction rule, make sure that your website's DNS record does not point to the Traffic Scheduler CNAME. Otherwise, your website will become inaccessible after the rule is deleted.

Related documents

FAQ