Dynamic Content Delivery Network (DCDN) secures your websites, APIs, and applications by detecting and blocking threats at points of presence (POPs). This topic provides answers to some commonly asked questions about DDoS and WAF protection of DCDN.
Does DCDN suspend its service if a DDoS attack occurs?
No, DCDN does not suspend its service if a DDoS attack occurs. However, the acceleration performance is undermined. If a DDoS attack occurs, all incoming traffic is routed to Anti-DDoS Proxy for scrubbing and only the clean traffic is routed back to DCDN.
Does Alibaba Cloud CDN provide DDoS protection?
No, Alibaba Cloud CDN does not provide DDoS protection. We recommend that you upgrade from Alibaba Cloud CDN to DCDN and enable DDoS mitigation for your domain in the DCDN console.
If you want to use DDoS mitigation together with Alibaba Cloud CDN, you can use the CDN interaction feature of Anti-DDoS Proxy. For more information, see Use the CDN or DCDN interaction feature.
A message appears indicating that the number of added domain names has reached the upper limit when I try to add only several domain names for DDoS mitigation. What do I do?
Refer to the following limits on the number of domain names that can be added for DDoS mitigation:
Number of allowed root domain names = Number of purchased protected domain names/10.
You can specify no more than 10 subdomains under a root domain name.
For example, if you purchase a mitigation plan that includes 10 domain names to protect, you can specify 1 root domain name, such as aliyundoc.com, and up to 10 subdomains, such as *.aliyundoc.com and *.*.aliyundoc.com.
How do I know that a DDoS mitigation session is consumed?
When a DDoS attack occurs, the system routes traffic to the traffic scrubbing centers of Alibaba Cloud and sends a notification to you. Each time you receive a notification, a DDoS mitigation session is consumed. The protection is valid for 24 hours, which indicates that all DDoS attacks that occurred within 24 hours consume only 1 mitigation session.
Am I charged for DDoS attack traffic?
No, you are not charged for attack traffic. If a DDoS attack is detected, all traffic is routed to the scrubbing centers of Alibaba Cloud Anti-DDoS Proxy. The traffic or bandwidth generated by malicious requests that are intercepted is not billed.
How is traffic on domain names for which DDoS mitigation is enabled billed?
All outbound traffic that is generated on domain names for which DDoS mitigation is enabled is billed based on the unit price of scrubbed traffic, regardless of whether the metering method is pay-by-data-transfer or pay-by-peak-bandwidth. For information about the pricing of scrubbed traffic, see Billing of DDoS mitigation.
Why am I still charged for outbound traffic in DDoS mitigation after I purchase an outbound data transfer plan?
Scrubbed traffic cannot be offset by DCDN resource plans. All outbound traffic that is generated on domain names for which DDoS mitigation is enabled is separately billed based on the unit price of scrubbed traffic.
Can I add a domain name for DDoS mitigation that is already protected by Anti-DDoS Proxy instances?
No. You can configure Anti-DDoS Proxy instances in the Anti-DDoS Proxy console or enable the DDoS mitigation feature in the DCDN console to protect a domain name from DDoS attacks.
When is traffic routed back to DCDN after it is forwarded to a scrubbing center of Alibaba Cloud Anti-DDoS Proxy if a DDoS attack occurs?
The system determines when to route traffic back to DCDN according to the attack type:
Route traffic back to DCDN 3 days after Layer 4 attacks stop.
Route traffic back to DCDN 1 day after Layer 7 attacks stop.
If you have special requirements, submit a ticket.
What do I do if the health check on the origin server does not work as expected?
The 47.97.249.17 and 47.244.34.181 IP addresses are used to probe your origin server. If an IP address whitelist is configured for your origin server, add the IP addresses to the whitelist to ensure that health checks can work as expected.
Check whether the file to which the configured health check URL points is accessible. If you specify only a single file in a health check, the system checks whether the file can be accessed over the secure route that is used in the case of a DDoS attack. If the access to the file is successful, the system considers the origin server as normal. Changing the file path or deleting the file will cause the system to regard the route as abnormal.
What happens if I disable DCDN DDoS mitigation?
If a domain name for which DDoS mitigation is disabled is attacked, the domain name may be added to a sandbox and no longer be accelerated. For more information, see Introduction to sandboxes.
When I enable DDoS mitigation for a domain name in the DCDN console, a message appears indicating that the domain name is already added to Alibaba Cloud Anti-DDoS Proxy. What do I do?
You can configure Anti-DDoS Proxy instances in the Anti-DDoS Proxy console or enable the DDoS mitigation feature in the DCDN console to protect a domain name from DDoS attacks.
If you want to add the domain name to DCDN for DDoS mitigation, delete the domain name in the Alibaba Cloud Anti-DDoS Proxy console. Wait about 5 minutes, and then add the domain name to DCDN and enable DDoS mitigation for the domain name.