If your domain name is attacked or abused for data transmission, high bandwidth consumption or traffic spikes occur. In this case, you receive bills that are higher than expected. High bills that are generated by malicious attacks or data transmission abuse cannot be waived or refunded. This topic describes how to prevent high bills.
Potential risks: high bills caused by attacks or attack-like activities
If an attack occurs, you are charged for the bandwidth resources and data transfer.
If your domain name is abused for data transmission, high bandwidth consumption or traffic spikes occur in a similar way to attacks. You are charged for bandwidth resources and data transfer in those cases.
Potential consequences: bills that are higher than expected
If your domain name is under attack or abused for data transmission, the bills may be higher than expected and your account balance may be exhausted.
Alibaba Cloud CDN charges you based on the resources that you use. In some cases, the service may not be suspended when the account balance drops to 0 due to reasons such as the billing cycle (by hour, by day, or by month) or billing delays. Bills for Alibaba Cloud CDN are generated three to four hours after each billing cycle ends. Therefore, overdue payments may occur or the amount due in a single bill may exceed the overdraft limit.
Alibaba Cloud provides service suspension protection. If you enable service suspension protection, the service is not suspended before the grace period ends. The grace period or overdraft limit is determined based on your account tier and purchase history. The overdraft limit is reset every month.
Solutions
By default, Alibaba Cloud CDN does not provide access control or security protection capabilities. Alibaba Cloud CDN detects bandwidth usage spikes. If abnormal traffic is detected, Alibaba Cloud evaluates whether to throttle traffic, add the domain name to a sandbox, or take other measures based on the normal service traffic and the overall abnormal traffic. For more information, see Limits. This ensures service stability for other users. Alibaba Cloud is not responsible for availability issues caused in those situations.
To ensure that the system runs as expected and prevent unexpected high bills, we recommend that you enable security features or perform access control.
Enable access control
When traffic spikes occur, we recommend that you locate the cause by analyzing real-time logs. For more information, see Real-time log delivery. Then, enable the access control features for the domain name in the console based on the specific cause to avoid unnecessary traffic and bandwidth consumption.
Feature | Description |
Referer blacklist or whitelist | Referer whitelists and blacklists enable access control by validating the Referer header. Requests matching a whitelist are allowed, whereas those matching a blacklist are blocked. This prevents unauthorized access of resources. You can configure a Referer blacklist or whitelist as needed. |
URL signing | The URL signing feature allows points of presence (POPs) to work with your origin servers to protect origin resources from unauthorized use. This method is more secure and reliable. You can configure URL signing as needed. |
Remote authentication | After you enable the remote authentication feature, POPs redirect user requests to a specific authentication server. The authentication server verifies the user requests to prevent resources from being accessed by unauthorized users. You can configure remote authentication as needed. |
IP address blacklist or whitelist | After malicious attacks or traffic spikes occur, you can use the real-time log analysis feature to check whether an IP address frequently accesses the domain name. If a malicious IP address is identified, you can configure a blacklist or whitelist to block the IP address. For more information, see Configure an IP address blacklist or whitelist. |
User-Agent blacklist or whitelist | After malicious attacks or traffic spikes occur, you can use the real-time log analysis feature to check whether the User-Agent header of a malicious request is a specific value. If the User-Agent header of the malicious request is a specific value, you can configure a User-Agent blacklist or whitelist to block requests that contain the specific value in their User-Agent header. For more information, see Configure a User-Agent blacklist or whitelist. |
Manage traffic
We recommend that you use CloudMonitor to configure bandwidth alert rules by service or domain name to monitor the traffic and bandwidth usage, and send alerts. For more information, see Configure alert rules. In case of unexpected bandwidth surges, you can also configure policies, such as bandwidth throttling and traffic throttling for individual requests, for domain names.
Feature | Description |
Bandwidth cap | If you want to limit the amount of bandwidth resources that a domain name can consume, you can specify a bandwidth cap for the domain name. After the bandwidth of the domain name reaches the specified bandwidth cap, Alibaba Cloud CDN disables acceleration for the domain name and the domain name is resolved to an invalid address. This prevents unexpected high bills. For more information, see Configure bandwidth caps. |
Traffic throttling for individual requests | Traffic throttling for individual requests allows you to limit the downstream speed for all requests that are sent to POPs. Traffic throttling for individual requests can be used in website operations, such as game releases. This way, you can limit the overall peak bandwidth of accelerated domain names. For more information, see Configure traffic throttling for individual requests. |
Bandwidth throttling | If the daily peak bandwidth of your domain name is greater than 10 Gbit/s and you want to throttle Alibaba Cloud CDN bandwidth for the domain name, submit a ticket. Important
|
Real-time monitoring | If you want to monitor the peak bandwidth of domain names in real time, you can use CloudMonitor. After the bandwidth of a domain name reaches the specified threshold, you are notified of the potential risks by text message, email, or DingTalk message. For more information, visit the product page of CloudMonitor. |
Spending management and alerts | You can use the following features to monitor and limit the expenses. To configure the features, move your pointer over Expenses in the top navigation bar of the console and select Expenses and Costs.
Note To ensure the integrity of the statistics and the accuracy of bills, Alibaba Cloud CDN issues the bill approximately three hours after a billing cycle ends. The point in time to deduct relevant fees from your account balance may be later than the point in time at which the resources are consumed within the billing cycle. Alibaba Cloud CDN is a distributed service. Therefore, Alibaba Cloud does not provide the consumption details of Alibaba Cloud CDN resources in bills. Other CDN providers use a similar approach. |
Security
If you want more than the access control and traffic management features, try Edge Security Acceleration (ESA). ESA provides advanced security features with native DDoS protection and web application firewalls. It uses Alibaba Cloud's machine learning algorithms to analyze each request for threats, ensuring business security.
Attack type | Background information | ESA capability |
DDoS attack | An HTTP/HTTPS DDoS attack, often referred to as a Challenge Collapsar (CC) attack, targets web application layers. The attacks mimic legitimate user requests similar to search engines and web crawlers, making them hard to distinguish from normal activities. In web services, transactions and pages that use a lot of resources, such as paging and partitioning, can become CC attack targets when large parameters lead to excessive page flipping, especially during high concurrency. CC attacks may blend various approaches, with frequent user-like operations, such as ticket grabbing bots. These attacks causes denial of service and affects performance, such as web response time, database services, and disk I/O. | ESA provides DDoS protection by default to defend your website against volumetric DDoS attacks and HTTP flood attacks. Based on different plans, ESA offers DDoS protection services with varying protection capabilities which can be fine-tuned to your needs. ESA aims to minimize any downtime to ensure your website resumes operations as quickly as possible. |
Traffic theft | Traffic theft is a threat that involves manipulating and stealing web traffic. These attacks can be mitigated by controlling request frequency from a single IP address, validating redirects, and distinguishing between human and machine activities. To address attacks involving numerous slow requests, security systems analyze response codes and URL request patterns and identify anomalies in Referer and User-Agent headers. |
|
References
For more information about security protection issues and solutions, see FAQ.