You can use Anti-DDoS Origin Enterprise in combination with Anti-DDoS Pro to protect your cloud service, and create a scheduling rule for Sec-Traffic Manager of Anti-DDoS Pro to enable tiered protection. This way, your services are protected from DDoS attacks without negative impacts on service continuity. This topic describes how to set up this combination.

Background information

You can purchase an Anti-DDoS Origin Enterprise instance and an Anti-DDoS Pro instance to protect your cloud service. If the volume of DDoS attacks that occur on your cloud service does not exceed the mitigation capability of the Anti-DDoS Origin Enterprise instance, your service traffic is forwarded to the cloud service without additional latency. Anti-DDoS Origin Enterprise provides a mitigation capability that ranges from 100 Gbit/s to 300 Gbit/s and varies based on regions. If the volume of DDoS attacks that occur on your cloud service exceeds the mitigation capability of the Anti-DDoS Origin Enterprise instance and blackhole filtering is triggered, Sec-Traffic Manager switches the traffic from the Anti-DDoS Origin Enterprise instance to the Anti-DDoS Pro instance to defend against volumetric DDoS attacks. In this case, a latency of approximately 20 ms occurs. After the attack stops, Sec-Traffic Manager switches the service traffic back to the cloud service based on the specified interval at which Sec-Traffic Manager performs switchovers.

Note
  • When blackhole filtering is triggered, Sec-Traffic Manager automatically performs a switchover from Anti-DDoS Origin Enterprise to Anti-DDoS Pro based on DNS records. If the local DNS servers are deployed in the Chinese mainland, the switchover requires 5 to 10 minutes. If the local DNS servers are deployed outside the Chinese mainland, the switchover requires 1 to 3 minutes.
  • If the traffic is switched over to Anti-DDoS Pro, the blackhole filtering threshold is limited to the maximum mitigation capability of Anti-DDoS Pro. Anti-DDoS Pro provides basic protection of up to 30 Gbit/s and burstable protection of up to 300 Gbit/s. You can also submit a ticket to upgrade the mitigation capability to 1 Tbit/s or higher.
  • After the attack stops, the traffic is not immediately switched back from Anti-DDoS Pro to Anti-DDoS Origin Enterprise. This avoids frequent switchovers due to continuous attacks and ensures service continuity. You can configure the interval at which Sec-Traffic Manager performs switchovers. The default interval is 120 minutes (2 hours).

If you use Anti-DDoS Origin Enterprise in combination with Anti-DDoS Pro to protect your cloud service, you can experience the benefits of both Anti-DDoS Origin Enterprise and Anti-DDoS Pro. For example, Anti-DDoS Origin Enterprise is cost-effective and supports protection for all assets and transparent deployment without additional latency. Anti-DDoS Pro supports protection against volumetric DDoS attacks.

Procedure

  1. Purchase an Anti-DDoS Origin Enterprise instance.
  2. Add the origin IP address of your cloud service to the Anti-DDoS Origin Enterprise instance for protection.
  3. Purchase an Anti-DDoS Pro instance of the Profession mitigation plan.
  4. Add a website to the Anti-DDoS Pro instance.
    For more information, see Add a website.
    Note: After you add the forwarding rule for a website, you do not need to modify the DNS record.
  5. Create a scheduling rule for Sec-Traffic Manager to enable tiered protection. This way, traffic is forwarded to the address that the CNAME of Sec-Traffic Manager points to.
    For more information, see Create a tiered protection rule.
    Note: After you create the scheduling rule, you can obtain the CNAME of Sec-Traffic Manager in the General rule list.
  6. Visit the website of your DNS provider and change the DNS record so that traffic is forwarded to the CNAME of Sec-Traffic Manager.
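
Because the switchover is driven by DNS records, resolving your hostname shows whether step 6 is in effect and which tier currently receives traffic. The following check is an added example, not part of the original topic or of any Alibaba Cloud tooling; the hostname, the Sec-Traffic Manager CNAME and both IP addresses are constructed placeholders, and it assumes that the CNAME resolves to your origin IP address in the normal state and to a different address after a switchover.

```python
# Added example. All hostnames and addresses are constructed placeholders.
SITE = "www.example.com."
STM_CNAME = "stm-placeholder.example.net."  # placeholder Sec-Traffic Manager CNAME
ORIGIN_IPS = {"203.0.113.10"}               # placeholder origin IP (step 2)

# Constructed `dig +noall +answer` output, not captured from a real resolver.
NORMAL = ("www.example.com. 600 IN CNAME stm-placeholder.example.net.\n"
          "stm-placeholder.example.net. 60 IN A 203.0.113.10\n")
SWITCHED = ("www.example.com. 600 IN CNAME stm-placeholder.example.net.\n"
            "stm-placeholder.example.net. 60 IN A 198.51.100.77\n")
NOT_MIGRATED = "www.example.com. 600 IN A 203.0.113.10\n"


def parse_answer(text):
    """Map each owner name to its (type, rdata) records from dig answer lines."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or line.startswith(";"):
            continue  # skip blank lines and dig comments
        owner, rtype, rdata = parts[0].lower(), parts[3].upper(), parts[4]
        records.setdefault(owner, []).append((rtype, rdata))
    return records


def classify(text, site=SITE, stm=STM_CNAME, origin_ips=ORIGIN_IPS):
    """Follow the CNAME chain from `site` and name the tier that receives traffic."""
    records = parse_answer(text)
    name, via_stm, seen = site.lower(), False, set()
    while name not in seen:  # `seen` guards against CNAME loops
        seen.add(name)
        target = next((d for t, d in records.get(name, []) if t == "CNAME"), None)
        if target is None:
            break
        name = target.lower()
        via_stm = via_stm or name == stm.lower()
    addrs = {d for t, d in records.get(name, []) if t in ("A", "AAAA")}
    if not via_stm:
        return "dns-not-pointed-at-sec-traffic-manager"  # step 6 not in effect
    if not addrs:
        return "unresolved"
    # Assumption: any non-origin address behind the CNAME is Anti-DDoS Pro.
    return "origin-enterprise" if addrs <= origin_ips else "anti-ddos-pro"


if __name__ == "__main__":
    for label, sample in [("normal", NORMAL), ("switched", SWITCHED)]:
        print(label, "->", classify(sample))
```

To run it against live data, pass the output of `dig +noall +answer` for your own hostname to `classify` along with your real CNAME and origin IP addresses.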