Anti-DDoS:Protect website services

Last Updated:Feb 22, 2024

Anti-DDoS Pro or Anti-DDoS Premium protects a website service by resolving the domain name of the website service to Anti-DDoS Pro or Anti-DDoS Premium. The traffic destined for the website service is redirected to Anti-DDoS Pro or Anti-DDoS Premium. Then, Anti-DDoS Pro or Anti-DDoS Premium forwards the service traffic to the origin server. This topic describes how to configure and use Anti-DDoS Pro or Anti-DDoS Premium to protect your website service.

Prerequisites

An Anti-DDoS Pro or Anti-DDoS Premium instance is purchased. For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.

Step 1: Add your website service

To use Anti-DDoS Pro or Anti-DDoS Premium to protect your website service, you must first add the domain name of the website service that you want to protect and then configure a traffic forwarding rule in the Anti-DDoS Pro or Anti-DDoS Premium console.

  1. Log on to the Anti-DDoS Pro console.

  2. In the top navigation bar, select the region of your asset.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.

    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.

  3. In the left-side navigation pane, choose Provisioning > Website Config.

  4. On the Website Config page, add one or more websites.

    • Add a website to Anti-DDoS Pro or Anti-DDoS Premium

      Click Add Website, follow the instructions on the page to complete the Enter Website Information step, and then click Add.

      The parameters are described as follows (parameter, then description):

      Function Plan

      The function plan of the Anti-DDoS Pro or Anti-DDoS Premium instance that you want to use. Valid values: Standard and Enhanced.

      Note

      You can move the pointer over the Function Plan Description icon next to Function Plan to view the differences between the Standard and Enhanced function plans. For more information, see Function plans.

      Instance

      The Anti-DDoS Pro or Anti-DDoS Premium instance that you want to use.

      You can associate a maximum of eight instances with a domain name. The instances associated with the domain name must use the same Function Plan.

      Websites

      The domain name of the website that you want to protect. The domain name must meet the following requirements:

      • The domain name can contain letters, digits, and hyphens (-). The domain name must start with a letter or a digit.

      • Wildcard domain names such as *.aliyundoc.com are supported. If you enter a wildcard domain name, Anti-DDoS Pro or Anti-DDoS Premium automatically matches all subdomains of the wildcard domain name.

      • If you configure a wildcard domain name and an exact-match domain name, the forwarding rules and protection policies of the exact-match domain name take precedence. For example, if you configure *.aliyundoc.com and www.aliyundoc.com, the forwarding rules and protection policies of www.aliyundoc.com take precedence.

      Note

      If you configure a second-level domain name, Anti-DDoS Pro or Anti-DDoS Premium protects only the second-level domain name. Anti-DDoS Pro or Anti-DDoS Premium does not protect subdomains of the second-level domain name. If you want to protect a subdomain, configure the subdomain or a wildcard domain name.

      Protocol Type

      The type of the protocol that the website uses. Valid values:

      • HTTP

      • HTTPS: If the website uses HTTPS, select HTTPS. You must upload an SSL certificate file after you save the website. For more information, see Upload an HTTPS certificate. You can also customize a Transport Layer Security (TLS) policy for the website. For more information, see Customize TLS security policies.

        If you select HTTPS, you can click Advanced Settings to configure the following options.

        • Enable HTTPS Redirection: If the website supports both HTTP and HTTPS, this feature is available. If you enable this feature, all HTTP requests to access the website are redirected to HTTPS requests on the standard port 443.

          Important
          • This feature is available only when both HTTP and HTTPS are selected and Websocket is cleared.

          • If you access the website over HTTP on a non-standard port and enable this feature, all HTTP requests are redirected to HTTPS requests on the standard port 443.

        • Enable HTTP Redirection of Back-to-origin Requests: If the website does not support HTTPS, turn on this feature. If this feature is enabled, all HTTPS requests are redirected to HTTP requests and forwarded to origin servers, and all WebSockets requests are redirected to WebSocket requests and forwarded to origin servers. By default, the requests are redirected over the standard port 80.

          Important

          If you access the website over HTTPS on a non-standard port and enable this feature, all HTTPS requests are redirected to HTTP requests on the standard port 80.

        • Enable HTTP/2: After you turn on Enable HTTP/2, clients can access the website through Anti-DDoS Pro or Anti-DDoS Premium over HTTP/2. Anti-DDoS Pro or Anti-DDoS Premium still forwards all client requests to origin servers over HTTP/1.1.

          Description of the HTTP/2 feature:

          • Timeout period for idle connections (http2_idle_timeout): 120s

          • Maximum number of requests per connection (http2_max_requests): 1000

          • Maximum number of concurrent streams per connection (http2_max_concurrent_streams): 4

          • Maximum size of the entire request header list after HPACK decompression (http2_max_header_size): 256K

          • Maximum size of an HPACK-compressed request header field (http2_max_field_size): 64K

      • Websocket: If you select Websocket, HTTP is automatically selected. You cannot select only Websocket for the Protocol parameter.

      • Websockets: If you select Websockets, HTTPS is automatically selected. You cannot select only Websockets for the Protocol parameter.

      Enable OCSP

      Specifies whether to enable the Online Certificate Status Protocol (OCSP) feature.

      Important

      This feature is available only for a website that supports HTTPS. If HTTPS is selected for Protocol Type, we recommend that you enable this feature.

      OCSP is an Internet protocol for checking the revocation status of a certificate with the Certificate Authority (CA) that issued it. When a client initiates a TLS handshake with a server, the client must obtain the certificate and an OCSP response.

      • The OCSP feature is disabled by default. In this case, OCSP queries are sent from the browser of the client to the CA, and the handshake cannot continue until the client obtains an OCSP response. If transient connections or network disconnections occur, a blank page is displayed for a long period of time, and the performance of the website that supports HTTPS is compromised.

      • If the OCSP feature is enabled, Anti-DDoS Pro or Anti-DDoS Premium executes OCSP queries and caches the query results for 300 seconds. When a client initiates a TLS handshake with the server, Anti-DDoS Pro or Anti-DDoS Premium returns the OCSP details and the certificate chain to the client. This prevents blocking issues caused by OCSP queries from the client. OCSP does not cause security risks because OCSP responses cannot be forged.

      Server Address

      The address type of the origin server. You must enter the address of the origin server. Valid values:

      • Origin IP Address: the IP address of the origin server. You can enter a maximum of 20 IP addresses. If you enter more than one IP address, separate them with commas (,).

        • If the origin server is hosted on an Elastic Compute Service (ECS) instance, enter the public IP address of the ECS instance. If the ECS instance is associated with a Server Load Balancer (SLB) instance, enter the public IP address of the SLB instance.

        • If the origin server is deployed in data centers or on other clouds, you can run the ping <domain name> command to query the public IP address to which the domain name is resolved and enter the public IP address.

      • Origin Domain Name: the domain name of the origin server. Select this option when you deploy a proxy service, such as Web Application Firewall (WAF), between the origin server and Anti-DDoS Pro or Anti-DDoS Premium. You must also enter the address of the proxy. You can enter a maximum of 10 domain names. If you enter more than one domain name, separate them with line breaks.

        If you want to use Anti-DDoS Pro or Anti-DDoS Premium together with WAF, select Origin Domain Name and enter the CNAME that WAF assigns. This provides enhanced protection for the website. For more information, see Protect a website service by using both Anti-DDoS Pro or Anti-DDoS Premium and WAF.

        Important

        If you enter the default public endpoint of an Object Storage Service (OSS) bucket for Origin Domain Name, a custom domain name must be mapped to the bucket. For more information, see Regions and endpoints and Map custom domain names.

      If you enter more than one IP address or domain name, Anti-DDoS Pro or Anti-DDoS Premium uses IP hash to forward website traffic to the origin servers. After you save the website configurations, you can change the load balancing algorithm. For more information, see Modify the back-to-origin settings for a website.

      Server Port

      The server port that you specify based on the value of Protocol Type.

      • If you select HTTP or Websocket, the default port 80 is used.

      • If you select HTTPS, HTTP/2, or Websockets, the default port 443 is used.

      You can click Custom to the right of the Server Port parameter to specify one or more custom ports. If you specify multiple custom ports, separate the ports with commas (,). Take note of the following limits when you specify custom ports:

      • The custom ports that you want to specify must be supported by Anti-DDoS Pro or Anti-DDoS Premium.

        • Anti-DDoS Pro or Anti-DDoS Premium instance that uses the Standard function plan:

          • HTTP ports: ports 80 and 8080

          • HTTPS ports: ports 443 and 8443

        • Anti-DDoS Pro or Anti-DDoS Premium instance that uses the Enhanced function plan:

          • HTTP ports: ports that range from 80 to 65535

          • HTTPS ports: ports that range from 80 to 65535

      • You can specify up to 10 custom ports for all websites that are added to your Anti-DDoS Pro or Anti-DDoS Premium instance. The custom ports include HTTP ports and HTTPS ports.

        For example, you want to add Website A, which provides HTTP services, and Website B, which provides HTTPS services, to your Anti-DDoS Pro or Anti-DDoS Premium instance. If you specify HTTP ports 80 and 8080 for Website A, you can specify up to eight HTTPS ports for Website B.

      CNAME Reuse

      Specifies whether to enable CNAME reuse. This parameter is available only for an Anti-DDoS Premium instance.

      If more than one website is hosted on the same server, this feature is available. After CNAME reuse is enabled, you need only to map the domain names hosted on the same server to the CNAME that is assigned by Anti-DDoS Premium. For more information, see Use the CNAME reuse feature.

    • Import multiple websites at a time

      1. Click Batch Import in the lower part of the Website Config page. In the Batch Create panel, enter the information about the websites that you want to add and click Next.

        Note

        Make sure that you save the information about the websites as an XML file. If the information in the XML file is valid, the information is parsed and imported. For more information about file formats, see Website configurations in an XML file.

      2. In the Import Rule panel, select the websites that you want to import and click OK.
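The website parameters in Step 1 carry a number of limits that the console enforces only at submission time (domain name characters, up to eight instances on one function plan, 20 origin IP addresses or 10 origin domain names, the per-plan port lists, the cap of 10 custom ports across all websites on an instance, and exact-match precedence over wildcard domains). The following pre-flight validator is an added example written for this page, not Alibaba Cloud code and not the Anti-DDoS API; the Website dataclass, its field names and the way the port cap is counted (the sum of ports every website uses, as in the Website A/B example above) are assumptions, as is applying the letters/digits/hyphens rule to each DNS label between the dots.

```python
import re
from dataclasses import dataclass, field

# Limits as stated on this page; the checks themselves are a constructed illustration.
MAX_INSTANCES = 8
MAX_ORIGIN_IPS = 20
MAX_ORIGIN_DOMAINS = 10
MAX_PORTS_PER_INSTANCE = 10                # custom ports across all websites on one instance
STANDARD_PORTS = {"HTTP": {80, 8080}, "HTTPS": {443, 8443}}
ENHANCED_PORTS = range(80, 65536)          # 80-65535 for both HTTP and HTTPS
# Assumption: the letters/digits/hyphens rule applies to each DNS label between the dots.
LABEL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*$")


@dataclass
class Website:
    domain: str
    instances: dict                  # instance id -> function plan ("Standard" or "Enhanced")
    protocols: set                   # subset of {"HTTP", "HTTPS", "Websocket", "Websockets"}
    origin_ips: list = field(default_factory=list)
    origin_domains: list = field(default_factory=list)
    http_ports: set = field(default_factory=lambda: {80})     # default for HTTP / Websocket
    https_ports: set = field(default_factory=lambda: {443})   # default for HTTPS / Websockets
    https_redirect: bool = False     # Enable HTTPS Redirection
    ocsp: bool = False               # Enable OCSP


def valid_domain(name: str) -> bool:
    """Letters, digits and hyphens, each label starting with a letter or digit; '*.' allowed."""
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def effective_protocols(site: Website) -> set:
    """The console auto-selects HTTP for Websocket and HTTPS for Websockets."""
    protocols = set(site.protocols)
    if "Websocket" in protocols:
        protocols.add("HTTP")
    if "Websockets" in protocols:
        protocols.add("HTTPS")
    return protocols


def used_ports(site: Website) -> set:
    """(scheme, port) pairs the website consumes on the instance."""
    protocols = effective_protocols(site)
    ports = {("HTTP", p) for p in site.http_ports} if "HTTP" in protocols else set()
    if "HTTPS" in protocols:
        ports |= {("HTTPS", p) for p in site.https_ports}
    return ports


def validate_website(site: Website) -> list:
    """Rule violations for one website configuration (empty list means it passes)."""
    errors, tag = [], site.domain
    if not valid_domain(site.domain):
        errors.append(f"{tag}: domain may use only letters, digits and hyphens and must start with a letter or digit")
    if not 1 <= len(site.instances) <= MAX_INSTANCES:
        errors.append(f"{tag}: associate 1 to {MAX_INSTANCES} instances, got {len(site.instances)}")
    plans = set(site.instances.values())
    if len(plans) != 1 or not plans <= {"Standard", "Enhanced"}:
        errors.append(f"{tag}: all associated instances must use the same function plan")
    protocols = effective_protocols(site)
    if not protocols & {"HTTP", "HTTPS"}:
        errors.append(f"{tag}: select HTTP and/or HTTPS")
    if site.https_redirect and not ({"HTTP", "HTTPS"} <= protocols and "Websocket" not in protocols):
        errors.append(f"{tag}: HTTPS redirection needs HTTP and HTTPS selected and Websocket cleared")
    if site.ocsp and "HTTPS" not in protocols:
        errors.append(f"{tag}: OCSP is available only when HTTPS is selected")
    if bool(site.origin_ips) == bool(site.origin_domains):
        errors.append(f"{tag}: specify either origin IP addresses or origin domain names")
    if len(site.origin_ips) > MAX_ORIGIN_IPS:
        errors.append(f"{tag}: at most {MAX_ORIGIN_IPS} origin IP addresses")
    if len(site.origin_domains) > MAX_ORIGIN_DOMAINS:
        errors.append(f"{tag}: at most {MAX_ORIGIN_DOMAINS} origin domain names")
    allowed = STANDARD_PORTS if plans == {"Standard"} else None
    for scheme, port in sorted(used_ports(site)):
        if port not in (allowed[scheme] if allowed else ENHANCED_PORTS):
            errors.append(f"{tag}: {scheme} port {port} is not supported by the {'/'.join(sorted(plans))} plan")
    return errors


def validate_instance(sites: list) -> list:
    """Per-website checks plus the instance-wide cap on custom ports across all websites."""
    errors = [e for site in sites for e in validate_website(site)]
    total = sum(len(used_ports(site)) for site in sites)
    if total > MAX_PORTS_PER_INSTANCE:
        errors.append(f"instance: {total} ports in use across all websites, limit is {MAX_PORTS_PER_INSTANCE}")
    return errors


def matching_config(hostname: str, sites: list):
    """Configured entry that handles `hostname`: an exact match beats a wildcard, and a
    plain domain covers only itself, never its subdomains."""
    for site in sites:
        if site.domain == hostname:
            return site
    for site in sites:
        if site.domain.startswith("*.") and hostname.endswith(site.domain[1:]):
            return site
    return None
```

Run validate_instance over every Website you intend to add to one instance; an empty list means the configuration respects the documented limits, and matching_config tells you which entry (exact or wildcard) will receive requests for a given hostname, which is useful when a wildcard and an exact-match domain are both configured.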

Step 2: Switch the traffic of your website service to Anti-DDoS Pro or Anti-DDoS Premium

The instance scrubs the traffic and then forwards the service traffic to the origin server, which protects your website service against DDoS attacks.

  1. Optional. Allow back-to-origin IP addresses to access the origin server.

    If security software, such as a firewall, is installed on the origin server, you must add the back-to-origin IP addresses of the Anti-DDoS Pro or Anti-DDoS Premium instance to the whitelist of the origin server. This ensures that the traffic from Anti-DDoS Pro or Anti-DDoS Premium is not blocked by the security software on your origin server. For more information, see Allow back-to-origin IP addresses to access the origin server.

  2. Check whether the forwarding settings take effect on your computer. For more information, see Verify traffic forwarding settings on a local machine.

    Warning

    If you switch your service traffic to Anti-DDoS Pro or Anti-DDoS Premium before the forwarding settings take effect, your service may be interrupted.

  3. Change DNS records to switch service traffic to Anti-DDoS Pro or Anti-DDoS Premium.

    Anti-DDoS Pro or Anti-DDoS Premium assigns a CNAME to the website that you added. You must change the DNS record to map the domain name to the CNAME. This way, service traffic can be switched to Anti-DDoS Pro or Anti-DDoS Premium for protection. For more information, see Change DNS records to protect website services.
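Substep 2 above tells you to confirm that forwarding works before changing DNS, because a cutover to a rule that does not match interrupts the service. The script below is an added example for this page, not an Alibaba Cloud tool: it sends one request for the protected domain straight to the instance address, carrying the domain in the Host header and in the TLS SNI, which is the same test as a hosts-file override without editing the hosts file. The instance address, domain name and port list are placeholders you replace with your own values.

```python
import socket
import ssl

# Constructed placeholders: replace with your instance address (IP or CNAME) and your website.
INSTANCE_ADDR = "203.0.113.10"
DOMAIN = "www.aliyundoc.com"


def build_request(domain: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 request that names the protected website in the Host header."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {domain}\r\n"
        "User-Agent: forwarding-check\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def http_status(raw: bytes) -> int:
    """Status code from the first line of a raw HTTP/1.x response."""
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def check_forwarding(domain: str, instance_addr: str, port: int = 443, use_tls: bool = True,
                     verify_cert: bool = True, timeout: float = 5.0) -> int:
    """Connect to the instance directly (bypassing public DNS) and return the HTTP status.

    The Host header and, for HTTPS, the SNI carry the website name, which is what the
    instance matches against the forwarding rule you added in Step 1."""
    sock = socket.create_connection((instance_addr, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        if not verify_cert:          # routing-only check, e.g. before the certificate is uploaded
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=domain)
    with sock:
        sock.sendall(build_request(domain))
        chunks, received = [], 0
        while received < 65536:      # headers are enough; do not read a large body
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            received += len(data)
    return http_status(b"".join(chunks))


if __name__ == "__main__":
    # Port 80 plain HTTP and port 443 HTTPS, matching the default Server Port values.
    for port, tls in ((80, False), (443, True)):
        try:
            status = check_forwarding(DOMAIN, INSTANCE_ADDR, port, tls)
            print(f"{DOMAIN} via {INSTANCE_ADDR}:{port} -> HTTP {status}")
        except (OSError, ValueError) as exc:
            print(f"{DOMAIN} via {INSTANCE_ADDR}:{port} -> FAILED: {exc}")
```

A response with the status your origin normally returns shows that the rule matched and the back-to-origin path is open; a redirect on port 80 is expected when Enable HTTPS Redirection is on. A connection timeout on the instance side usually means the back-to-origin IP addresses are still blocked on the origin server (substep 1), and a certificate error on port 443 with verify_cert=True means the HTTPS certificate has not been uploaded for the domain yet.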

Step 3: Configure mitigation policies

After you add your website service, Anti-DDoS Global Mitigation Policy, Intelligent Protection, and Frequency Control are enabled by default. You can enable more features or modify protection rules for the website service on the Protection for Website Services tab.

  1. In the left-side navigation pane, choose Provisioning > Website Config.

  2. On the Website Config page, find the domain name that you want to manage and click Mitigation Settings in the Actions column.

  3. On the Protection for Website Services tab, create a mitigation policy for the domain name.

    The policies are described as follows (parameter, then description):

    Intelligent Protection

    Intelligent Protection is enabled by default. Intelligent Protection enables the intelligent and big data-based analysis engine to learn the traffic patterns of workloads, detect and block new types of HTTP flood attacks, and dynamically adjust policies to block malicious requests. You can manually change the protection mode and level. For more information, see Use the intelligent protection feature.

    Anti-DDoS Global Mitigation Policy

    Anti-DDoS Global Mitigation Policy is enabled by default. Anti-DDoS Pro or Anti-DDoS Premium provides the built-in global mitigation policy for website services that are added to Anti-DDoS Pro or Anti-DDoS Premium. The global mitigation policy supports three modes that are classified based on the intensity of traffic scrubbing. The policy helps you respond to volumetric attacks at the earliest opportunity. For more information, see Configure the global mitigation policy.

    Blacklist/Whitelist (Domain Names)

    After this policy is enabled, requests from the IP addresses or CIDR blocks in the blacklist are blocked and requests from the IP addresses or CIDR blocks in the whitelist are allowed. For more information, see Configure blacklists and whitelists for domain names.

    Location Blacklist (Domain Names)

    This policy helps you configure a location blacklist to block requests initiated from IP addresses in the blocked locations. For more information, see Configure a location blacklist for a domain name.

    Accurate Access Control

    This policy helps you configure custom access control rules. These rules allow you to filter requests based on commonly used HTTP fields, such as IP, URI, Referer, User-Agent, and Params. These rules can also be used to allow, block, or verify requests that match the rules. For more information, see Configure accurate access control rules.

    Frequency Control

    Frequency Control is enabled by default. You can restrict the frequency of access from a source IP address to your website service. Frequency Control takes effect immediately after it is enabled. By default, the Normal mode is used to protect your website service against common HTTP flood attacks. You can manually change the protection mode and create custom rules to reinforce protection. For more information, see Configure frequency control.

Step 4: View the protection data of your website service

After you add your website service to the Anti-DDoS Pro or Anti-DDoS Premium instance, you can use the security reports feature and log-related features to view the protection data in the Anti-DDoS Pro or Anti-DDoS Premium console.

  1. On the Security Overview page, view the statistics of the instance and domain name, and the details of DDoS attacks. For more information, see Security Overview.

  2. On the Operation Logs page, view important operation records. For more information, see Query operation logs.

  3. On the Log Analysis page, view the logs of your website service. For more information, see Use the Log Analysis feature.

    Note

    The log analysis feature is a value-added service. To use this service, you must purchase and enable it. After the log analysis feature is enabled, the logs of access to your website service and HTTP flood attack logs are collected and maintained by Alibaba Cloud Log Service. You can search and analyze log data in real time, and view search results on dashboards. For more information, see What is Log Service?
