Alibaba Cloud Dynamic Route for CDN (DCDN) integrates distributed denial of service (DDoS) mitigation capabilities to protect accelerated domain names from DDoS attacks. This topic describes how to enable DDoS mitigation in the DCDN console.

Overview

DDoS attacks are attempts by a malicious party (the attacker) to overwhelm a server (the victim) so that it stops responding to legitimate traffic. Attackers often use many compromised or controlled machines to generate and send large volumes of packets or requests to the victim. DDoS mitigation helps defend against such attacks, reduce business losses, and keep services stable and available.

After DDoS mitigation is enabled, DCDN automatically routes the traffic from DCDN to the Anti-DDoS system when DDoS attacks are detected. After the attack ends, the Anti-DDoS system automatically switches the traffic back to DCDN.

Scenarios

DDoS mitigation is in invitational preview and available to enterprise users in the finance, retail, transportation, media, and public service sectors. The following list provides examples of common use cases in these industries:
  • Finance

    Ensures the availability of services and improves cross-border content delivery. Protects user information, transactions, and data assets to minimize losses caused by attacks.

  • Retail

    Accelerates content delivery for enterprise websites, e-commerce and ticketing platforms, and collaborative software. Mitigates attacks to ensure service availability.

  • Media

    Accelerates the delivery of media content. Provides protection to prevent service interruption caused by traffic spikes or attacks.

Benefits

Provides a DDoS mitigation capacity of over 1 Tbit/s with worldwide coverage against DDoS attacks.

Limits

  • You can protect a domain name from DDoS attacks by configuring Anti-DDoS Pro or Anti-DDoS Premium instances or by enabling the DDoS mitigation feature in the DCDN console.
  • The feature supports only Alibaba Cloud security certificates and custom certificates, but does not support free Secure Sockets Layer (SSL) certificates.
  • The feature does not support IPv6 network services.
  • The DDoS mitigation feature is available only to customers whose day-to-day bandwidth is within 10 Gbit/s. If day-to-day bandwidth exceeds 10 Gbit/s, DDoS mitigation does not take effect even if it is enabled. Bandwidth usage is measured as the peak bandwidth in the 12 hours before the queries per second (QPS) threshold that you specify is reached.
  • DCDN determines whether to perform DDoS mitigation based on the following logic:
    • Determines whether your services are experiencing a DDoS attack.
    • Determines whether to perform DDoS mitigation. DDoS mitigation is performed when the QPS threshold is reached. The default QPS threshold is 20,000. The value of the QPS threshold ranges from 2,000 to 50,000.
    • If the QPS threshold is reached, DDoS mitigation is performed for the paths that are determined to be healthy. 47.97.249.17 and 47.244.34.181 are used to probe your origin server. If your origin server has an IP address whitelist configured, add the IP addresses to the whitelist to ensure that probing can work properly.
  • The Anti-DDoS system determines when to switch the traffic back to DCDN based on the following logic:
    • Three days after Layer 4 attacks stop.
    • One day after Layer 7 attacks stop.
    • To switch the traffic back to DCDN, you can also submit a ticket.
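The decision rules above (QPS threshold, the 10 Gbit/s peak-bandwidth condition over the previous 12 hours, the health check on the configured path, and the switch-back delays) can be modelled as a small decision function. The following is an added example written for this page, not Alibaba Cloud's code: the dataclass, function names, and sample bandwidth readings are my own constructions, and the probe-IP allowlist check only uses the two probe addresses the page lists.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Values stated on the page.
QPS_THRESHOLD_MIN = 2_000
QPS_THRESHOLD_MAX = 50_000
QPS_THRESHOLD_DEFAULT = 20_000
BANDWIDTH_LIMIT_GBPS = 10.0              # day-to-day bandwidth must stay within 10 Gbit/s
BANDWIDTH_WINDOW = timedelta(hours=12)   # peak is measured over the 12 hours before the threshold is hit
PROBE_IPS = ("47.97.249.17", "47.244.34.181")  # health-check probe sources listed on the page
SWITCH_BACK_DELAY = {4: timedelta(days=3), 7: timedelta(days=1)}  # Layer 4 / Layer 7 attacks


@dataclass
class MitigationRule:
    """Per-domain rule as configured in the console (field names are hypothetical)."""
    domain: str
    qps_threshold: int = QPS_THRESHOLD_DEFAULT
    health_check_path: str = "/"

    def __post_init__(self):
        if not QPS_THRESHOLD_MIN <= self.qps_threshold <= QPS_THRESHOLD_MAX:
            raise ValueError(
                f"QPS threshold must be between {QPS_THRESHOLD_MIN} and {QPS_THRESHOLD_MAX}")
        if not self.health_check_path.isascii():
            raise ValueError("health check path must be ASCII (English) text")


def peak_bandwidth_gbps(samples, now):
    """Peak of (timestamp, gbps) samples that fall in the 12 hours before `now`."""
    window_start = now - BANDWIDTH_WINDOW
    return max((g for t, g in samples if window_start <= t <= now), default=0.0)


def should_divert(rule, current_qps, bandwidth_samples, now, path_healthy):
    """Apply the page's conditions in order; returns (divert, reason)."""
    if current_qps < rule.qps_threshold:
        return False, "QPS below threshold"
    if peak_bandwidth_gbps(bandwidth_samples, now) > BANDWIDTH_LIMIT_GBPS:
        return False, "peak bandwidth over 10 Gbit/s in the last 12 hours; mitigation does not take effect"
    if not path_healthy:
        return False, f"health check on {rule.health_check_path} failed"
    return True, "traffic switched to Anti-DDoS"


def switch_back_time(attack_end, layer):
    """When the Anti-DDoS system returns traffic to DCDN after an attack stops."""
    try:
        return attack_end + SWITCH_BACK_DELAY[layer]
    except KeyError:
        raise ValueError("layer must be 4 or 7") from None


def missing_probe_ips(origin_allowlist):
    """Probe IPs that an origin IP allowlist would block; all of them must be allowed."""
    allowed = set(origin_allowlist)
    return [ip for ip in PROBE_IPS if ip not in allowed]


# Constructed sample data (not real measurements).
NOW = datetime(2024, 1, 1, 12, 0)
QUIET_DAY = [(NOW - timedelta(hours=2), 6.5),
             (NOW - timedelta(hours=13), 12.0)]   # 12.0 Gbit/s is outside the 12-hour window
BUSY_DAY = QUIET_DAY + [(NOW - timedelta(hours=1), 11.0)]  # exceeds the 10 Gbit/s limit

if __name__ == "__main__":
    rule = MitigationRule("example.com", qps_threshold=20_000, health_check_path="/")
    print(should_divert(rule, 25_000, QUIET_DAY, NOW, path_healthy=True))
    print(should_divert(rule, 25_000, BUSY_DAY, NOW, path_healthy=True))
    print(switch_back_time(NOW, 4))
    print(missing_probe_ips({"203.0.113.5", "47.97.249.17"}))
```

The bandwidth check is the one most often overlooked: a domain that normally peaks above 10 Gbit/s never gets diverted, so the QPS threshold alone is not a guarantee of protection. The `missing_probe_ips` check is the kind of pre-flight you would run against your origin firewall rules before enabling the feature.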

Purchase and pricing

When you enable DDoS mitigation, you are charged for Anti-DDoS instances that you purchase. The price varies with the instance edition. To purchase Anti-DDoS instances, go to the buy page.

For more information about billing, see Billing of DDoS mitigation.

Configure mitigation rules

You can specify different QPS thresholds for each domain name based on your business requirements.

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, choose DDoS Mitigation > Manage Settings.
  3. On the Configure DDoS Mitigation page, click Add Domain Name.
  4. In the Configure DDoS Mitigation dialog box, configure the protection rules.
    Note
    • Anti-DDoS is performed only if QPS Threshold is reached and the path passes health checks.
    • If you are migrating a domain name from Alibaba Cloud Anti-DDoS to Alibaba Cloud DCDN, you must add the domain name to Alibaba Cloud DCDN and configure DDoS mitigation about 5 minutes after you remove the domain name from the Alibaba Cloud Anti-DDoS console. Otherwise, an error may occur.
    Parameter descriptions:
    • Protected Domain Names: The accelerated domain name to be protected.
    • QPS Threshold: If the threshold is reached and the peak bandwidth of the domain name did not exceed 10 Gbit/s in the last 12 hours, traffic is switched to Anti-DDoS.
      • Valid values: 2000 to 50000
      • Default value: 20000
    • Health Check: The path of the domain name that needs health checks.
      • Healthy: Traffic is switched to Anti-DDoS.
      • Unhealthy: Traffic is not switched to Anti-DDoS.

      Default value: forward slash (/), which indicates the default root directory of the domain name. Example: /*/examplefile.txt.

      Note
      • Only one path can be checked at a time.
      • The path must be in English.
    • Intelligent HTTP Flood Protection: After this switch is turned on, HTTP flood attacks are blocked with AI.
  5. Click OK.

Modify DDoS mitigation settings or disable DDoS mitigation

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, choose DDoS Mitigation > Manage Settings.
  3. On the Configure DDoS Mitigation page, find the domain name for which you want to configure or disable DDoS mitigation, and click Configure Protection or Disable Protection in the Actions column.
    Important: If a domain name for which DDoS mitigation is disabled is attacked, the domain name may be added to the sandbox and no longer accelerated. For more information, see Introduction to sandboxes.