After you add a service to an Anti-DDoS Pro or Anti-DDoS Premium instance, traffic that is destined for the service is redirected to the Anti-DDoS Pro or Anti-DDoS Premium instance to ensure the stability and reliability of the origin server. This prevents service unavailability when volumetric DDoS attacks occur. This topic describes the best practices for adding a service to an Anti-DDoS Pro or Anti-DDoS Premium instance and configuring mitigation policies in various scenarios.

Scenarios

Scenario | Configuration process
Configuration in normal scenarios | Perform the following steps in order:
  1. Analyze the service
  2. Make preparations
  3. Add the service to an Anti-DDoS Pro or Anti-DDoS Premium instance and configure mitigation policies
Configuration in emergency scenarios in which the service is under attack | Read Precautions in emergency scenarios and then add the service based on the configuration process for normal scenarios.

Step 1: Analyze the service

Before you add a service to an Anti-DDoS Pro or Anti-DDoS Premium instance, we recommend that you analyze the service status and data.
Item | Description | Suggestion
Website and service information
Daily peak traffic of the website or application, including the bandwidth in Mbit/s and queries per second (QPS) | Determine the point in time at which risks may occur. | This information is required to configure the clean bandwidth and QPS of the Anti-DDoS Pro or Anti-DDoS Premium instance.
Information about major user groups, such as the geographical locations of users | Determine the likely sources of attacks. | This information is required to configure the location blacklist. For more information, see Configure a location blacklist for a domain name.
Whether your service is deployed in the C/S architecture | If the C/S architecture is used, determine whether app clients, Windows clients, Linux clients, clients used for callbacks, and clients of other environments are deployed. | None
Whether the origin server is deployed in a region outside the Chinese mainland | Determine whether the Anti-DDoS Pro or Anti-DDoS Premium instance is suitable for your network architecture. | If the origin server is deployed outside the Chinese mainland, we recommend that you use Anti-DDoS Premium. For more information, see What are Anti-DDoS Pro and Anti-DDoS Premium?
Operating system of the origin server, such as Linux or Windows, and web service middleware, such as Apache, NGINX, or IIS | Determine whether access control policies are configured for the origin server. Such policies may block traffic from the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium. | If access control policies are configured, you must allow the back-to-origin IP addresses to access the origin server. For more information, see Allow back-to-origin IP addresses to access the origin server.
Whether the service needs to support IPv6 | None | If the service needs to support IPv6, we recommend that you use Anti-DDoS Origin. For more information, see What is Anti-DDoS Origin?
Protocol that is used by the service | None | This information is required to select a protocol when you add a website to the Anti-DDoS Pro or Anti-DDoS Premium instance.
Service ports | None | Determine whether the service ports of the origin server are supported by Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Specify custom ports.
Whether the HTTP request header contains custom fields and whether the origin server verifies them | Determine whether Anti-DDoS Pro or Anti-DDoS Premium affects the custom fields and causes verification failures on the origin server. | None
Whether the origin server has a mechanism to obtain and verify the originating IP address of the client | After you add the service to Anti-DDoS Pro or Anti-DDoS Premium, the origin server sees a back-to-origin IP address of the instance as the source IP address of each request, not the client IP address. | Determine whether the mechanism that the origin server uses to obtain the client IP address must be adjusted to prevent service interruptions. For more information, see Obtain the actual source IP addresses of requests.
Whether the service uses TLS 1.0 or a weak cipher suite | Determine whether the cipher suite of your service is supported. | After the service is added, you must configure TLS policies. For more information, see Configure a custom TLS security policy.
(HTTPS services) Whether the origin server uses mutual authentication | None | Anti-DDoS Pro and Anti-DDoS Premium do not support mutual authentication. You must change the authentication method.
(HTTPS services) Whether the clients support SNI | None | After you add a domain name of an HTTPS website to Anti-DDoS Pro or Anti-DDoS Premium, both the clients and the servers must support SNI.
(HTTPS services) Whether session persistence is enabled | The default connection timeout period for HTTP and HTTPS is 120 seconds. | If the service requires persistent sessions in scenarios such as file uploading and user logon, we recommend that you use cookies to implement session persistence at Layer 7.
Whether the service requires transmission of empty data packets | For example, the server sends empty packets to prevent session interruption. After you add the service to the Anti-DDoS Pro or Anti-DDoS Premium instance, the service may be affected. | If the origin server sends empty packets, disable the Empty Connection policy for the port after the service is added (see Step 3).
Service interaction process | Determine the service interaction process and processing logic, on which the mitigation policies are based. | None
Number of active users | Determine the severity of emergent attack events and take low-risk countermeasures. | None
Service and attack information
The type and characteristics of the service (for example, whether the service is a gaming, website, or app service) | Analyze attack characteristics. Then, take countermeasures. | None
The volume of inbound service traffic | Determine whether malicious traffic exists. For example, if the average daily access traffic is 100 Mbit/s and the inbound traffic suddenly rises well above that baseline, an attack may be in progress. | None
The volume of outbound service traffic | Determine whether attacks occur and whether to increase the clean bandwidth. | None
The volume and number of connections of inbound traffic by user or by IP address | Determine whether rate limiting policies can be configured for individual IP addresses. | For more information, see Configure frequency control.
Network environments of users | For example, users may access your service from household LANs, Internet cafes, and proxy servers. | This information is required to determine whether many concurrent requests are sent from a single egress IP address, so that Anti-DDoS Pro or Anti-DDoS Premium does not block legitimate service traffic.
Whether your service suffered volumetric attacks and the types of the attacks | Configure DDoS mitigation policies based on the types of historical attacks. | None
Peak volume of attacks that the service experienced | Select the specifications of the Anti-DDoS Pro or Anti-DDoS Premium instance based on the peak attack traffic. | For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.
Whether the service suffered HTTP flood attacks | Analyze the characteristics of historical attacks and configure preventive policies. | None
Peak QPS of HTTP flood attacks that the service experienced | Analyze the characteristics of historical attacks and configure preventive policies. | None
Whether the service provides API operations | None | If API operations are provided, we recommend that you do not use the frequency control feature of Anti-DDoS Pro or Anti-DDoS Premium. Instead, analyze the characteristics of API access and configure HTTP flood mitigation policies based on those characteristics. This prevents normal API requests from being blocked.
Whether a stress test is performed on the service | Evaluate the request processing performance of the origin server and determine whether service exceptions are caused by attacks. | None
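Two items in the table above decide whether the origin server works correctly behind the instance: the access control policy must admit the back-to-origin IP addresses, and the mechanism that obtains the client IP address must not trust values the client itself can supply. The following Python is an added example, not code from this page or from Alibaba Cloud, of how an origin application can handle both at once. It rejects a request whose TCP peer is not a back-to-origin address (the request bypassed the instance), and it reads the client address from X-Forwarded-For by walking the header from the right, so that an X-Forwarded-For value sent by the client cannot override the address that the instance appended. The naive leftmost-value version is included for contrast. The CIDR blocks are hypothetical placeholders; use the back-to-origin IP addresses listed in the console for your instance.

```python
import ipaddress
from typing import Optional

# Hypothetical placeholder ranges (RFC 5737 documentation addresses). Replace
# them with the back-to-origin IP addresses that the Anti-DDoS Pro or
# Anti-DDoS Premium console lists for your instance.
BACK_TO_ORIGIN_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def is_back_to_origin(addr: str) -> bool:
    """True if addr belongs to one of the trusted back-to-origin ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BACK_TO_ORIGIN_CIDRS)


def client_ip_naive(xff: Optional[str], remote_addr: str) -> str:
    """The common but unsafe pattern: take the leftmost X-Forwarded-For value.
    A client that sends its own X-Forwarded-For header chooses this value."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(xff: Optional[str], remote_addr: str) -> str:
    """Return the real client address of a request that arrived via the instance.

    1. Reject the request if the TCP peer is not a back-to-origin address:
       the request bypassed Anti-DDoS Pro or Anti-DDoS Premium.
    2. Walk X-Forwarded-For from the right. The instance appends the address
       the client connected from, so the rightmost entry that is not a trusted
       proxy is the client; anything left of it was supplied by the client.
    """
    if not is_back_to_origin(remote_addr):
        raise PermissionError(f"peer {remote_addr} is not a back-to-origin address")
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            # The rightmost entries come from the trusted hop; a malformed one
            # means the header was not produced by the instance as expected.
            raise ValueError(f"malformed X-Forwarded-For entry: {hop!r}")
        if not is_back_to_origin(str(candidate)):
            return str(candidate)
    # Every entry was a trusted proxy: the request carried no client address.
    return remote_addr


if __name__ == "__main__":
    # Constructed request: the client spoofed X-Forwarded-For and the instance
    # appended the address it actually saw.
    spoofed = "10.0.0.1, 198.18.0.7"
    print("naive  :", client_ip_naive(spoofed, "203.0.113.10"))  # 10.0.0.1 (attacker-chosen)
    print("checked:", client_ip(spoofed, "203.0.113.10"))        # 198.18.0.7
    try:
        client_ip("198.18.0.7", "192.0.2.5")
    except PermissionError as e:
        print("bypass :", e)
```

Use the address returned by client_ip for rate limiting, audit logs, and any IP-based allowlist on the origin; pair it with a security group or firewall rule that admits only the back-to-origin ranges on the service ports, so that the PermissionError branch is a last line of defense rather than the only one.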

Step 2: Make preparations

Important We recommend that you add a service to the Anti-DDoS Pro or Anti-DDoS Premium instance in a test environment. After you verify that the service runs as expected, add the service to the Anti-DDoS Pro or Anti-DDoS Premium instance in the production environment.
Before you add a service to the Anti-DDoS Pro or Anti-DDoS Premium instance, make the preparations that are described in the following table.
Service type Preparation
Website service
  • Prepare information about the website that you want to add, including the domain names, public IP address of the origin server, and service ports.
  • Complete Internet Content Provider (ICP) filing for the domain names.
  • If the website supports HTTPS, prepare the certificate and private key: the certificate file in the .crt or .pem format, including any intermediate certificates, and the private key file in the .key format.
  • Obtain an administrator account of the DNS service. This account is used to modify DNS records to redirect traffic to Anti-DDoS Pro or Anti-DDoS Premium.
  • Perform a stress test before you add the website to the Anti-DDoS Pro or Anti-DDoS Premium instance.
  • List trusted clients of the website, such as the monitoring system, APIs that are called by using a fixed IP address or CIDR block, and specific client programs. After you add the website to the Anti-DDoS Pro or Anti-DDoS Premium instance, you must add the IP addresses of the clients to a whitelist.
Non-website service
  • Obtain the service port and protocol.
  • If the service is provided by using a domain name, obtain an administrator account that can change DNS records to redirect service traffic to Anti-DDoS Pro or Anti-DDoS Premium.
  • Perform a stress test before you add the service to the Anti-DDoS Pro or Anti-DDoS Premium instance.

Step 3: Add the service to the Anti-DDoS Pro or Anti-DDoS Premium instance and configure mitigation policies

  1. Add the service to the Anti-DDoS Pro or Anti-DDoS Premium instance.
    Note If the service is under attack before you add it to the Anti-DDoS Pro or Anti-DDoS Premium instance, we recommend that you change the IP address of the origin server. Before you change the IP address, check whether the code of the client or app contains the IP address. If the code of the client or app contains the IP address, update the code before you change the IP address to avoid negative impacts on normal service access. For more information, see Change the public IP address of an ECS origin server.
  2. Configure protection for the origin server.

    To prevent attackers from bypassing Anti-DDoS Pro or Anti-DDoS Premium and attacking the origin server directly, configure protection for the origin server, for example by allowing only the back-to-origin IP addresses of the instance to reach the service ports. For more information, see Configure protection for an origin server.

  3. Configure mitigation policies.
    • Website service provided by using domain names
      • HTTP flood protection
        • The service runs as expected: Two or three days after you add the service to the Anti-DDoS Pro or Anti-DDoS Premium instance, analyze service application logs, including information about URLs and the average QPS of individual source IP addresses. Then, configure frequency control rules based on the analysis to protect the service from attacks.
        • The service is under an HTTP flood attack: Go to the Security Overview page in the Anti-DDoS Pro or Anti-DDoS Premium console to obtain information about your domain name, such as the most requested URLs and IP addresses, source IP addresses, and user agents. Then, configure frequency control rules based on the obtained information and observe the protection effect. For more information, see Check the security overview and Create a custom frequency control rule.
          Important The Emergency mode of Frequency Control may block legitimate traffic of specific service types. We recommend that you do not use the Emergency mode, and never use it for an app or web API service.

          If the Normal mode of Frequency Control still blocks service traffic, add the affected service IP addresses to a whitelist.

      • Intelligent protection for a website service

        The Strict mode of intelligent protection may block service traffic. Your service is already protected against Layer 4 DDoS attacks as soon as its domain name is added to the Anti-DDoS Pro or Anti-DDoS Premium instance, so the Strict mode is not required by default. We recommend that you use the Normal mode instead of the Strict mode. For more information, see Use the intelligent protection feature.

      • Log analysis
        We recommend that you enable the log analysis feature. For more information, see Quick start. If the service encounters Layer 7 DDoS attacks, you can use the log analysis feature to analyze attack characteristics and configure mitigation policies.
        Note If you enable the log analysis feature, you are charged additional fees.
    • Non-website service provided by using ports

      In most cases, you can add a non-website service to an Anti-DDoS Pro or Anti-DDoS Premium instance and use the default protection settings. After the service runs for two or three days, you can adjust the mode of Layer 4 intelligent protection based on the service characteristics to optimize protection against Layer 4 HTTP flood attacks. For more information, see Configure intelligent protection.

      Note If the service provides frequently called APIs or is visited from a single IP address, such as an egress IP address of an enterprise network or a server IP address, do not use the Strict level for Intelligent Protection. If you want to use the Strict level, contact Alibaba Cloud technical support to analyze the service before you select this level to avoid service interruptions.
      If attack traffic is transparently transmitted to the origin server, you can enable Speed Limit for Source and Speed Limit for Destination. For more information, see Create an anti-DDoS protection policy. We recommend that you initially set Source New Connection Rate Limit and Source Concurrent Connection Rate Limit to 5. If service traffic is blocked, increase the limit values. (Figure: Source rate limiting)
      If the origin server of your service sends empty data packets, you must disable Empty Connection to avoid negative impacts on service traffic. For more information, see Create an anti-DDoS protection policy. (Figure: Empty Connection)
  4. Test the service.

    After you complete the configuration, test the accuracy of the configurations.

    Note To test before you change DNS records, map the domain name to the IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance in the hosts file of a test computer. Only that computer then sends its traffic through the instance.
    Table 1. Check items of configurations
    No. Check item
    Website service provided by using a domain name (required)
    1 Check whether the added domain name is correct.
    2 Check whether ICP filing is complete for the domain name.
    3 Check whether the configured protocol is correct.
    4 Check whether the configured port is correct.
    5 Check whether the IP address of the origin server is correct. Make sure that you do not enter the IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance or another service.
    6 Check whether the uploaded certificate is correct.
    7 Check whether the certificate is valid. For example, the certificate may use an unsupported algorithm, may have expired, or may have been issued for another domain name.
    8 Check whether the certificate chain is complete.
    9 Make sure that you know the billing method of burstable protection in Anti-DDoS Pro or Anti-DDoS Premium.
    10 Check whether WebSocket (ws) and WebSockets (wss) are enabled if the service uses them.
    11 Check whether the Emergency or Strict mode of Frequency Control is enabled.
    Non-website service provided by using a port (required)
    1 Check whether the service port can be accessed.
    2 Check whether the UDP or TCP protocol is correctly configured.
    3 Check whether the IP address of the origin server is correct. Make sure that you do not enter the IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance or another service.
    4 Make sure that you know the billing method of burstable protection in Anti-DDoS Pro or Anti-DDoS Premium.
    5 Check whether the Strict level of intelligent protection is selected.
    Table 2. Check items of service availability
    No. Check item
    1 (required) Test whether the service can be accessed as expected.
    2 (required) Test whether the session persistence feature for user logons works as expected.
    3 (required) (For website services that are provided by using domain names) Check the number of 4XX and 5XX status codes in the returned responses and make sure that the back-to-origin IP addresses are not blocked.
    4 (required) (For website services that are provided by using domain names) If your service is an app service, test whether HTTPS links are normal. Check whether SNI is configured as expected.
    5 (recommended) Check whether the origin server is configured to obtain the originating source IP addresses of requests.
    6 (recommended) (For website services that are provided by using domain names) Check whether mitigation policies are configured for the origin server. This prevents attackers from bypassing Anti-DDoS Pro or Anti-DDoS Premium to attack the origin server.
    7 (required) Test whether the TCP service port is accessible.
  5. Switch service traffic to Anti-DDoS Pro or Anti-DDoS Premium.

    After you verify all check items, we recommend that you change the DNS records one domain name at a time to gradually switch service traffic to Anti-DDoS Pro or Anti-DDoS Premium. This limits the impact of potential service exceptions. If an exception occurs after the service traffic is redirected to Anti-DDoS Pro or Anti-DDoS Premium, restore the DNS records to switch the traffic back to the origin server.

    Note Changes to DNS records take effect in approximately 10 minutes. The exact delay depends on the TTL of the record and on resolver caching.

    After you switch service traffic, verify the check items of service availability again to make sure that the service runs as expected.

  6. Configure monitoring and alerts.

    Use CloudMonitor to monitor availability and returned HTTP status codes (5XX and 4XX) for the domain names, forwarding ports, and origin server ports that are protected by Anti-DDoS Pro or Anti-DDoS Premium. This way, you can detect service exceptions at the earliest opportunity. For more information, see Configure an alert rule for Anti-DDoS Pro or Anti-DDoS Premium.

  7. Perform routine O&M.
    • Use burstable protection of Anti-DDoS Pro and advanced mitigation sessions of Anti-DDoS Premium of the Insurance mitigation plan.
      • The first time you purchase an Anti-DDoS Pro instance, you can obtain three Anti-DDoS plans free of charge. Each Anti-DDoS plan provides one mitigation session and can be used to offset the fee that is charged for up to 300 Gbit/s of protection bandwidth. For more information, see Apply for and use Anti-DDoS plans. Bind the plans to the Anti-DDoS Pro instance and set the burstable protection bandwidth to 300 Gbit/s. If DDoS attacks whose traffic volume does not exceed 300 Gbit/s occur within a calendar day, a plan can be used to offset burstable protection fees for the day.
        Note If you do not want to use burstable protection after the mitigation sessions of the plans are exhausted or the plans expire, change the burstable protection bandwidth to the basic protection bandwidth.
      • If you want to enable burstable protection of Anti-DDoS Pro, we recommend that you view the billing methods to determine the costs. For more information, see Billing of Anti-DDoS Pro.
      • If you purchase an Anti-DDoS Premium instance of the Insurance mitigation plan, you can obtain two advanced mitigation sessions each month free of charge. Select an edition and mitigation plan based on your business requirements.
    • Determine attack types.

      If HTTP flood attacks and DDoS attacks occur, you can view attack information on the Security Overview page in the Anti-DDoS Pro or Anti-DDoS Premium console to determine the types of specific attacks. For more information, see Check the security overview.

      • DDoS attack: On the Instances tab, the protection reports show attack traffic fluctuations, and traffic scrubbing is triggered. However, the protection reports on the Domains tab do not show fluctuations.
      • HTTP flood attack: On the Instances tab, the protection reports show attack traffic fluctuations, and traffic scrubbing is triggered. On the Domains tab, the protection reports also show fluctuations.

      For more information, see How do I identify the types of attacks against an Anti-DDoS Pro or Anti-DDoS Premium instance?.

    • Handle service access latency and packet loss.

      If the origin server is deployed outside the Chinese mainland and the users of your service are from the Chinese mainland, the users may experience high latency and packet loss due to unstable links of cross-carrier network access. In this case, we recommend that you purchase an Anti-DDoS Premium instance of the Chinese Mainland Acceleration (CMA) mitigation plan.

    • Delete a domain name or a port forwarding rule.
      If you want to delete a domain name or a port forwarding rule, check whether your service traffic is switched to Anti-DDoS Pro or Anti-DDoS Premium.
      • If your service traffic is not switched, delete the domain name or port forwarding rule in the Anti-DDoS Pro or Anti-DDoS Premium console.
      • If your service traffic is switched, go to the Alibaba Cloud DNS console to modify the DNS records to switch the traffic back to the origin server. Then, delete the domain name or port forwarding rule.
      Note
      • Before you delete the domain name or port forwarding rule, make sure that the DNS records or service traffic of the domain name is switched back to the origin server.
      • After you delete the domain name or port forwarding rule, Anti-DDoS Pro or Anti-DDoS Premium no longer protects your service.

Precautions in emergency scenarios

If a service is under attack, add the service to your Anti-DDoS Pro or Anti-DDoS Premium instance based on the following scenarios:
  • The service is under a DDoS attack.

    In most cases, you can add the service to the Anti-DDoS Pro or Anti-DDoS Premium instance and use the default protection settings.

    If traffic of a Layer 4 HTTP flood attack is transparently transmitted to the origin server, you can enable Speed Limit for Source and Speed Limit for Destination. For more information, see Create an anti-DDoS protection policy.

  • Blackhole filtering is triggered for the IP address of the origin server.

    You can use an Elastic Compute Service (ECS) or Server Load Balancer (SLB) instance as the origin server. If you have not added the attacked service to the Anti-DDoS Pro or Anti-DDoS Premium instance but blackhole filtering is triggered, you must change the public IP address of the origin server. For more information, see Change the public IP address of an ECS origin server. After you change the IP address, add the service to the Anti-DDoS Pro or Anti-DDoS Premium instance at the earliest opportunity to prevent the new IP address from being exposed.

    If you do not want to change the IP address of the origin server or the new IP address is already exposed, we recommend that you deploy an SLB instance as the origin server to connect the ECS instance and add the public IP address of the SLB instance to Anti-DDoS Pro or Anti-DDoS Premium.
    Note If the service is under attack but the origin server is not deployed on Alibaba Cloud, make sure that the domain name of the service has completed ICP filing and contact technical support to add Alibaba Cloud as your service provider. Then, add the service to the Anti-DDoS Pro or Anti-DDoS Premium instance.
  • The service is under HTTP flood attacks or crawler attacks.

    If the service is under an HTTP flood or crawler attack, add the service to the Anti-DDoS Pro or Anti-DDoS Premium instance. Then, analyze the HTTP access logs to identify the attack characteristics and configure mitigation policies accordingly. For example, look for anomalies in request fields such as the source IP address, URL, Referer, User-Agent, query parameters, and other headers, such as a small set of IP addresses that request one URL at a high rate or a User-Agent that no legitimate client uses.
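Both the HTTP flood protection guidance in Step 3 (analyze the URLs and the average QPS of individual source IP addresses in the application logs before you write frequency control rules) and the emergency scenario above call for the same log analysis. The following Python is an added example, not code from this page or from Alibaba Cloud, that runs that analysis over a constructed set of access log lines in the combined log format. It computes the peak and average QPS of each source IP address, the most requested URLs, and which addresses use a non-browser User-Agent, and it proposes a per-IP rate threshold as a multiple of the median per-source peak rate. The log lines, addresses, and the factor of 5 are assumptions made for the example; the first log field is assumed to hold the client address that the origin obtained from X-Forwarded-For rather than the back-to-origin address.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from math import ceil

# Combined log format (NGINX/Apache default). The first field is assumed to be the
# client address from X-Forwarded-For; if the origin logs the back-to-origin
# address instead, every request appears to come from the instance.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["url"] = rec["url"].split("?", 1)[0]  # group by path, ignore query parameters
    return rec


def analyze(lines, factor=5):
    """Per-source QPS statistics, top URLs, and a suggested per-IP rate threshold."""
    per_ip_sec = defaultdict(Counter)  # ip -> {epoch second: request count}
    urls = Counter()
    uas = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        sec = int(rec["time"].timestamp())
        per_ip_sec[rec["ip"]][sec] += 1
        urls[rec["url"]] += 1
        uas[rec["ip"]].add(rec["ua"])
    if not per_ip_sec:
        return {"per_ip": {}, "top_urls": [], "suggested_per_ip_qps": 0,
                "flagged_ips": [], "non_browser_ips": []}
    first = min(min(c) for c in per_ip_sec.values())
    last = max(max(c) for c in per_ip_sec.values())
    span = last - first + 1  # seconds covered by the log sample
    per_ip = {}
    for ip, secs in per_ip_sec.items():
        total = sum(secs.values())
        per_ip[ip] = {"requests": total, "peak_qps": max(secs.values()), "avg_qps": total / span}
    # Threshold: 'factor' times the median per-source peak. The median is robust to a
    # few flooding sources; the factor leaves headroom for NAT egress addresses
    # (enterprise networks, Internet cafes) that legitimately carry many users.
    median_peak = statistics.median(v["peak_qps"] for v in per_ip.values())
    threshold = max(1, ceil(factor * median_peak))
    flagged = sorted(ip for ip, v in per_ip.items() if v["peak_qps"] > threshold)
    # A non-browser User-Agent is a signal, not proof: legitimate API clients and
    # monitoring systems look the same and belong in a whitelist instead.
    non_browser = sorted(ip for ip, s in uas.items()
                         if not all(ua.startswith("Mozilla/") for ua in s))
    return {"per_ip": per_ip, "top_urls": urls.most_common(3),
            "suggested_per_ip_qps": threshold, "flagged_ips": flagged,
            "non_browser_ips": non_browser}


def _fmt(ip, t, url, status, referer, ua):
    return (f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {url} HTTP/1.1" '
            f'{status} 512 "{referer}" "{ua}"')


def constructed_sample():
    """Constructed log lines: three browsers at 1 request/s for 10 s, plus one
    address sending 20 requests/s to /login for 3 s with a scripted User-Agent."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    browsers = [
        ("198.18.1.10", "https://example.com/", "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"),
        ("198.18.2.20", "https://example.com/news", "Mozilla/5.0 (Macintosh) Safari/605.1.15"),
        ("198.18.3.30", "-", "Mozilla/5.0 (Linux; Android 14) Chrome/124.0"),
    ]
    paths = ["/", "/news", "/static/app.js", "/api/v1/items?page=2", "/login"]
    lines = []
    for sec in range(10):
        for i, (ip, ref, ua) in enumerate(browsers):
            lines.append(_fmt(ip, base + timedelta(seconds=sec), paths[(sec + i) % 5], 200, ref, ua))
    for n in range(60):
        lines.append(_fmt("198.18.5.5", base + timedelta(seconds=n // 20), "/login", 200, "-",
                          "python-requests/2.31.0"))
    return lines


if __name__ == "__main__":
    result = analyze(constructed_sample())
    for ip, v in sorted(result["per_ip"].items()):
        print(f'{ip:14} requests={v["requests"]:3} peak_qps={v["peak_qps"]:3} avg_qps={v["avg_qps"]:.1f}')
    print("top URLs:", result["top_urls"])
    print("suggested per-IP QPS limit:", result["suggested_per_ip_qps"])
    print("sources above limit:", result["flagged_ips"], "non-browser UAs:", result["non_browser_ips"])
```

The suggested threshold and the top URL are the inputs for a custom frequency control rule (the URL to match, the per-IP request count per interval, and the blocking action); the addresses flagged only by User-Agent should be compared against the list of trusted clients prepared in Step 2 before any of them is blocked.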