This topic provides answers to some commonly asked questions about Anti-DDoS Basic.
Why does Anti-DDoS Basic not protect my ECS instance against an attack of 20 Mbit/s?
If the size of attack traffic is lower than 100 Mbit/s, Anti-DDoS Basic does not provide protection. Anti-DDoS Basic is provided free of charge. If the bandwidth of a cloud service is lower than the minimum scrubbing threshold of the system and the size of attack traffic is greater than the bandwidth but lower than the scrubbing threshold, the system may be attacked but traffic scrubbing is not triggered. We recommend that you optimize your server, install a host-based firewall, such as Yunsuo, or purchase an Anti-DDoS Proxy instance to protect against attacks whose bandwidth is lower than 100 Mbit/s. For more information, see Purchase an Anti-DDoS Proxy instance.
Why cannot I manually deactivate blackhole filtering for an Anti-DDoS Basic instance?
In most cases, DDoS attacks occur for a period of time and do not stop immediately after blackhole filtering is deactivated. The attack duration of DDoS attacks is different for different attacks. The Alibaba Cloud security team automatically determines the blackhole filtering duration based on the results that are obtained by using intelligent algorithms. In most cases, blackhole filtering lasts for 30 minutes to 24 hours. In rare cases, if DDoS attacks frequently occur, the duration of blackhole filtering is extended.
Blackhole filtering occurs on Internet Service Provider (ISP) networks and discards the traffic that is at the traffic source. This prevents the overall network and your services from being unavailable due to DDoS attacks. If you deactivate blackhole filtering before the attacks stop, another blackhole filtering is triggered. During the time period from the time when blackhole filtering is deactivated and the time when another blackhole filtering is triggered, the attacks affect services of other tenants in the cloud. ISPs have limits on the occurrences and frequency of deactivating blackhole filtering. Alibaba Cloud cannot immediately deactivate blackhole filtering that is triggered on your service.
Even if you deactivate blackhole filtering, DDoS attacks cannot be mitigated. Frequent flapping due to blackhole filtering affects network stability. You can purchase a service to increase mitigation capabilities to avoid the negative effects of blackhole filtering and service unavailability. For example, you can purchase Anti-DDoS Origin or Anti-DDoS Proxy instances that are provided by Alibaba Cloud, or a DDoS mitigation service that is provided by a third-party provider. For more information, see What is an Anti-DDoS Origin? and What is Anti-DDoS Proxy?
Can I use ACLs to mitigate DDoS attacks and prevent blackhole filtering from being triggered?
No, you cannot use access control lists (ACLs) to mitigate DDoS attacks and prevent blackhole filtering from being triggered. ACLs take effect only when attacks reach the edge of the Alibaba Cloud network in which your server resides. ACLs cannot mitigate DDoS attacks that are initiated from multiple botnets and destined for your server. When the DDoS attacks reach the edge of the Alibaba Cloud network in which your server resides, the volume of attacks far exceeds the mitigation capability of the ACLs. To mitigate the DDoS attacks, you must deploy mitigation policies at the edge of an Internet service provider (ISP) backbone network.
You can use traffic analysis and filtering methods together with sufficient network bandwidth to scrub attack traffic. If you want to expand the network bandwidth of your server to the bandwidth of the attack traffic and deploy a scrubbing center to scrub the attack traffic, the costs generated by bandwidth expansion and the servers used for traffic scrubbing can be excessively high. If each user deploys a scrubbing center, the overall mitigation costs significantly increase.
In this case, a cost-effective DDoS mitigation plan is provided. Cloud service providers offer large network bandwidths and deploy scrubbing centers at their ISP networks. DDoS attacks are scrubbed in the scrubbing center closest to the location where the attacks are initiated. The cloud service providers offer the Software-as-a-Service (SaaS)-based anti-DDoS services for users to purchase. This way, the scrubbing centers can be repeatedly used, and the costs for each user are reduced.
Why the traffic data in the Anti-DDoS Origin console differs from that in CloudMonitor and other cloud services?
In most cases, the traffic in the Anti-DDoS Origin console is higher than that in CloudMonitor and other cloud services.
Assume that your Elastic Compute Service (ECS) instance is under DDoS attacks, which triggers traffic scrubbing when the traffic reaches 2.5 Gbit/s. Alibaba Cloud notifies you that the traffic scrubbing provided by Anti-DDoS Basic instance is triggered. However, the CloudMonitor console shows that the inbound bandwidth of the elastic IP address (EIP) associated with your ECS instance is 1.2 Gbit/s during traffic scrubbing.
The reasons for this difference include:
Anti-DDoS Origin collects traffic data before traffic scrubbing is triggered, whereas CloudMonitor collects traffic data after traffic scrubbing is triggered.
Anti-DDoS Origin monitors all network traffic destined for your ECS instance, including malicious traffic, whereas CloudMonitor monitors only normal traffic.
Anti-DDoS Origin and CloudMonitor collect traffic data at different intervals. Anti-DDoS Origin collects traffic data at intervals of seconds so that DDoS attacks can be detected at the earliest opportunity. CloudMonitor collects the traffic data of EIPs at intervals of minutes and displays the data in charts in the CloudMonitor console.
Anti-DDoS Origin and CloudMonitor collect traffic data from different sources. Anti-DDoS Origin collects the traffic data of EIPs from the border gateway devices between Alibaba Cloud and the Internet, whereas CloudMonitor collects the traffic data of EIPs from the devices that forward traffic.
The difference in traffic data can happen to Alibaba Cloud services, such as ECS, Server Load Balancer (SLB), EIP, and NAT Gateway, that are Infrastructure as a Service (IaaS) and support Internet access.