This topic describes how to configure the Diversion from Origin Server policy to block network traffic transmitted from regions outside the Chinese mainland through China Telecom or China Unicom lines. Each Alibaba Cloud account can enable this policy up to 10 times and disable it at any time.

Prerequisites

An Anti-DDoS Pro instance is available.
Note: The Diversion from Origin Server policy is available only for Anti-DDoS Pro.

Background information

Notice: In the top navigation bar of the Anti-DDoS Pro or Anti-DDoS Premium console, you can select the Chinese Mainland or Outside Chinese Mainland region to switch between the Anti-DDoS Pro and Anti-DDoS Premium consoles. Then, you can configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances based on your business requirements. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.

We recommend that you enable this policy if your Anti-DDoS Pro instance is under volumetric attacks that are about to exceed the protection capability. For example, if 30% of the attacks are launched from regions outside the Chinese mainland, you can use this policy to block these attacks in order to reduce the stress on your Anti-DDoS Pro instance.

After the Diversion from Origin Server policy is enabled, the specified network traffic is dropped at the data center. This way, you can protect your China Telecom or China Unicom lines. A black hole is triggered based on the same rules as Diversion from Origin Server, such as the volume of attack traffic and attack source. Therefore, the Diversion from Origin Server policy can minimize the possibility of triggering a black hole.

Procedure

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select Chinese Mainland.
  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.
  4. On the Protection for Infrastructure tab, select the target instance from the list on the left side.
    Note: You can also search for instances by instance ID or description.
  5. In the Diversion from Origin Server section, perform the following operations as required.
    • Block network traffic transmitted from regions outside the Chinese mainland through China Telecom lines: Click Blocked next to Blocked Regions:China Telecom (International). In the Block Flow dialog box, set Blocking Period and click Confirm.
      Note: The minimum blocking period is 15 minutes, and the maximum is 23 hours and 59 minutes.
    • Block network traffic transmitted from regions outside the Chinese mainland through China Unicom lines: Click Blocked next to Blocked Regions:China Unicom (International). In the Block Flow dialog box, set Blocking Period and click Confirm.
      Note: The minimum blocking period is 15 minutes, and the maximum is 23 hours and 59 minutes.
    Note
    • We recommend that you block network traffic transmitted from regions outside the Chinese mainland through China Telecom lines. You also need to monitor the changes in the volume of attack traffic. If the volume of attack traffic is about to exceed the protection capability of your instance, block the network traffic transmitted from regions outside the Chinese mainland through China Unicom lines.
    • Each Alibaba Cloud account can enable this policy up to 10 times. Each time you enable this policy, the remaining quota is reduced by one.
    If you fail to enable this policy, an error message appears. Follow the instructions to troubleshoot the error and try again. If no message appears, this policy is enabled.
  6. Optional: In the Diversion from Origin Server section, click View Blocked Region. In the Flow Blocking for Source pane, you can view the blocked regions and the blocking periods.
  7. Optional: Unblock network traffic.
    To unblock the blocked network traffic before the blocking period expires, click Deactivate Blackhole.