
Anti-DDoS: Use Anti-DDoS Origin Enterprise in combination with Anti-DDoS Proxy (Chinese Mainland)

Last Updated: Apr 16, 2024

You can use Anti-DDoS Origin Enterprise in combination with Anti-DDoS Proxy (Chinese Mainland) to protect your cloud service, and then create a scheduling rule for Sec-Traffic Manager of Anti-DDoS Proxy (Chinese Mainland) to enable tiered protection. This way, your services are protected from DDoS attacks without negative impacts on service continuity. This topic describes how to set up this combination.

Background information

You can purchase an Anti-DDoS Origin Enterprise instance and an Anti-DDoS Proxy (Chinese Mainland) instance to protect your cloud service. The two instances then handle attacks in tiers:

If the volume of a DDoS attack on your cloud service does not exceed the mitigation capability of the Anti-DDoS Origin Enterprise instance, your service traffic is forwarded to the cloud service without additional latency. Anti-DDoS Origin Enterprise provides a mitigation capability that ranges from 100 Gbit/s to 300 Gbit/s and varies based on regions.

If the volume of a DDoS attack on your cloud service exceeds the mitigation capability of the Anti-DDoS Origin Enterprise instance and blackhole filtering is triggered, Sec-Traffic Manager switches the traffic from the Anti-DDoS Origin Enterprise instance to the Anti-DDoS Proxy (Chinese Mainland) instance to defend against volumetric DDoS attacks. In this case, a latency of approximately 20 ms occurs.

After the attack stops, Sec-Traffic Manager switches the service traffic back to the cloud service based on the specified interval at which Sec-Traffic Manager performs switchovers.

Note
  • When blackhole filtering is triggered, Sec-Traffic Manager automatically performs a switchover from Anti-DDoS Origin Enterprise to Anti-DDoS Proxy (Chinese Mainland) based on DNS records. If the local DNS servers are deployed in the Chinese mainland, the switchover requires 5 to 10 minutes. If the local DNS servers are deployed outside the Chinese mainland, the switchover requires 1 to 3 minutes.

  • If the traffic is switched over to Anti-DDoS Proxy (Chinese Mainland), the blackhole filtering threshold is limited to the maximum mitigation capability of Anti-DDoS Proxy (Chinese Mainland). Anti-DDoS Proxy (Chinese Mainland) provides basic protection of up to 30 Gbit/s and burstable protection of up to 300 Gbit/s. You can also submit a ticket to contact technical support to upgrade the protection bandwidth to 1 Tbit/s or higher.

  • After the attack stops, the traffic is not immediately switched back from Anti-DDoS Proxy (Chinese Mainland) to Anti-DDoS Origin Enterprise. This avoids frequent switchovers due to continuous attacks and ensures service continuity. You can configure the interval at which Sec-Traffic Manager performs switchovers. The default interval is 120 minutes (2 hours).

If you use Anti-DDoS Origin Enterprise in combination with Anti-DDoS Proxy (Chinese Mainland) to protect your cloud service, you can experience the benefits of both Anti-DDoS Origin Enterprise and Anti-DDoS Proxy (Chinese Mainland). For example, Anti-DDoS Origin Enterprise is cost-effective and supports protection for all assets and transparent deployment without additional latency. Anti-DDoS Proxy (Chinese Mainland) supports protection against volumetric DDoS attacks.

Procedure

  1. Purchase an Anti-DDoS Origin Enterprise instance.

    For more information, see Purchase an Anti-DDoS Origin instance.

  2. Add the origin IP address of your cloud service to the Anti-DDoS Origin Enterprise instance for protection.

    For more information, see Add an object for protection.

  3. Purchase an Anti-DDoS Proxy (Chinese Mainland) instance of the Profession mitigation plan.

    For more information, see Purchase an Anti-DDoS Proxy instance.

  4. Add a website to the Anti-DDoS Proxy (Chinese Mainland) instance.

    For more information, see Add one or more websites.

    Note

    After you add the forwarding rule for a website, you do not need to modify the DNS record.

  5. Create a scheduling rule for Sec-Traffic Manager to enable tiered protection. This way, traffic is forwarded to the address that the CNAME of Sec-Traffic Manager points to.

    For more information, see Create a tiered protection rule.

    Note

    After you create the scheduling rule, you can obtain the CNAME of Sec-Traffic Manager in the General Interaction rule list.

  6. Visit the website of your DNS provider and change the DNS record to allow traffic to be forwarded to the CNAME of Sec-Traffic Manager.
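
After step 6, it is worth confirming that the domain is actually aliased to the Sec-Traffic Manager CNAME and no longer resolves straight to the origin IP address. The following check is an added example, not part of the original documentation: it parses the ANSWER section of `dig` output, and the hostname, addresses and the CNAME `stm-placeholder.example.net` are constructed placeholders for the values from your own console.

```python
# Added example. Hostnames and addresses below are constructed placeholders.
BEFORE = """
www.example.com.              600 IN A     203.0.113.10
"""
AFTER = """
www.example.com.              600 IN CNAME stm-placeholder.example.net.
stm-placeholder.example.net.   60 IN A     198.51.100.20
"""

def _norm(name):
    return name.rstrip(".").lower()

def parse_answers(dig_answer):
    """Parse `dig` ANSWER-section lines into (name, ttl, type, value) tuples."""
    records = []
    for line in dig_answer.splitlines():
        parts = line.split()
        # Skip blanks, dig comments (";") and anything that is not "name ttl IN type value".
        if len(parts) < 5 or parts[0].startswith(";") or parts[2] != "IN":
            continue
        records.append((_norm(parts[0]), int(parts[1]), parts[3], _norm(parts[4])))
    return records

def check_cutover(dig_answer, hostname, expected_cname):
    """Return (ok, reason); ok only if hostname is aliased to expected_cname."""
    records = parse_answers(dig_answer)
    cnames = {name: value for name, _ttl, rtype, value in records if rtype == "CNAME"}
    host, target = _norm(hostname), _norm(expected_cname)
    current, seen = host, set()
    while current in cnames and current not in seen:  # follow the chain, guard loops
        seen.add(current)
        current = cnames[current]
        if current == target:
            return True, "hostname is aliased to the Sec-Traffic Manager CNAME"
    direct = [v for n, _ttl, rtype, v in records if n == host and rtype in ("A", "AAAA")]
    if direct:
        return False, "hostname still resolves directly to " + direct[0]
    return False, "expected CNAME not found in the answer"

if __name__ == "__main__":
    for label, answer in (("before", BEFORE), ("after", AFTER)):
        print(label, check_cutover(answer, "www.example.com", "stm-placeholder.example.net"))
```

A result of `False` with a "resolves directly" reason means the record from step 6 has not been changed or has not propagated yet, so traffic would not follow the tiered protection rule.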