Alibaba Cloud Dynamic Route for CDN (DCDN) integrates Anti-DDoS to protect accelerated domain names from distributed denial of service (DDoS) attacks. This topic describes how to enable DDoS mitigation in the DCDN console.

Overview

  • Attackers use multiple compromised or controlled machines to generate and send a large number of packets or requests to overwhelm the victim, which causes the victim to stop responding. DDoS mitigation can help you prevent potential DDoS attacks, reduce potential business losses, and ensure service stability and availability.
  • After DDoS mitigation is enabled, when DCDN detects a DDoS attack, DCDN automatically routes the traffic from DCDN to the Anti-DDoS system. After the attack, the Anti-DDoS system automatically switches the traffic back to DCDN.

Scenarios

DDoS mitigation is in invitational preview and available to enterprise users in the finance, retail, transportation, media, and public service sectors. DDoS mitigation is applicable to the following scenarios:
  • Finance

    Ensures the availability of services and improves user experience of cross-border content delivery. Protects user information, transactions, and data assets to minimize losses caused by attacks.

  • Retail

    Accelerates content delivery for enterprise websites, e-commerce and ticketing platforms, and collaborative software. Mitigates attacks to ensure service availability.

  • Media

    Accelerates the delivery of media content. Provides protection to prevent service interruption caused by traffic spikes or attacks.

Benefits and limits

The DDoS mitigation feature has the following benefits and limits:
  • Provides a DDoS mitigation bandwidth of over 1 Tbit/s, which is sufficient to protect customers against DDoS attacks that may be launched from anywhere in the world.
  • You can protect a domain name from DDoS attacks by configuring Anti-DDoS Pro or Anti-DDoS Premium instances or by enabling the DDoS mitigation feature in the DCDN console.
  • The feature supports only Alibaba Cloud security certificates and custom certificates. The feature does not support free Secure Sockets Layer (SSL) certificates.
  • The feature does not support IPv6 network services.
  • The DDoS mitigation feature is available only to customers whose bandwidth usage is less than 10 Gbit/s. If the bandwidth usage is higher than 10 Gbit/s, do not enable DDoS mitigation because this feature does not take effect. The bandwidth usage is calculated based on the peak bandwidth in the 12 hours before the queries per second (QPS) threshold that you specify is triggered.
  • By default, the basic edition is enabled. If you need a higher specification, submit a ticket to apply for the official edition. For more information about the specifications, see Specifications.
  • DCDN determines whether to perform DDoS mitigation based on the following logic:
    • Determines whether DDoS attacks occur.
    • Determines whether to perform DDoS mitigation based on the QPS threshold that you specify. If the threshold is reached, DDoS mitigation is performed. The default QPS threshold is 20000. The value of the QPS threshold ranges from 2000 to 50000.
    • If the QPS threshold is reached, DDoS mitigation is performed for the path that passes the health check.
  • The Anti-DDoS system determines when to switch the traffic back to DCDN based on the following logic:
    • Three days after a Layer 4 attack stops.
    • One day after a Layer 7 attack stops.
    • To switch the traffic back to DCDN, you can also submit a ticket.

Specifications

After the DDoS mitigation feature is enabled, the system creates Anti-DDoS Pro or Anti-DDoS Premium instances that run in the background. The system synchronizes the domain names that have DDoS mitigation enabled to the two instances to protect the domain names against DDoS attacks that may be launched from anywhere in the world. By default, the basic edition is enabled. If you need a higher specification, submit a ticket to apply for the official edition. The following tables list the specifications.

| Anti-DDoS Pro | Basic edition | Official edition |
| --- | --- | --- |
| Basic protection | 5 GB | 600 GB |
| Burstable protection | 5 GB | 999 GB |
| Ports | 10 | 100 |
| Domain names | 5 root domain names | 50 root domain names |
| Bandwidth | 10 Mbit/s | 20 GB |
| QPS | 100 | 100,000 |
| Feature specifications | default | default |

| Anti-DDoS Premium | Basic edition | Official edition |
| --- | --- | --- |
| Mitigation times | Once per month | Unlimited |
| Ports | 10 | 100 |
| Domain names | 5 root domain names | 50 root domain names |
| Bandwidth | 10 Mbit/s | 10 GB |
| QPS | 100 | 100,000 |
| Feature specifications | default | default |

Apply to enable DDoS mitigation

Join the DingTalk group 32615821 to request technical support.

Configure mitigation rules

You can specify different QPS thresholds for each domain name based on your business requirements to trigger DDoS mitigation.

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, choose DDoS Mitigation > Configurations.
  3. On the Configurations page, click the DDoS Mitigation Disabled tab, select the domain name for which you want to enable DDoS mitigation, and click Activate Now.
  4. Configure the QPS Threshold and Health Check URL parameters.
    Note: DDoS mitigation is performed only if the QPS Threshold is reached and the path passes the health check.
    • QPS Threshold (default value: 20000): If the threshold is reached and the peak bandwidth of the domain name does not exceed 10 Gbit/s in the previous 12 hours, traffic is switched to Anti-DDoS.
    • Health Check URL: Specify the path of the domain name that needs health check.
      • Healthy: Traffic is switched to Anti-DDoS.
      • Unhealthy: Traffic is not switched to Anti-DDoS.
      Note:
      • Only one path can be checked at a time.
      • The path must be in English.
      The path that starts with a forward slash (/) is the default root directory of the domain name.
      Note: Example: /*/examplefile.txt
  5. Click OK.
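
The trigger and switch-back rules under Benefits and limits and the parameter constraints in step 4, combined into a pre-flight check that you can run over planned settings before you enable the feature. This is an added example, not Alibaba Cloud code and not a DCDN API: DomainPlan, the certificate labels, the sample readings, and the reading of "in English" as ASCII are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Limits stated on this page.
QPS_MIN, QPS_MAX, QPS_DEFAULT = 2000, 50000, 20000
PEAK_LIMIT_GBPS = 10.0  # "does not exceed 10 Gbit/s in the previous 12 hours"
SUPPORTED_CERTS = {"alibaba_cloud", "custom"}  # labels assumed; free SSL certs unsupported
SWITCH_BACK = {4: timedelta(days=3), 7: timedelta(days=1)}  # keyed by attack layer

@dataclass
class DomainPlan:  # hypothetical record, not a DCDN API object
    domain: str
    qps_threshold: int = QPS_DEFAULT
    health_check_path: str = "/"
    cert_type: str = "custom"
    ipv6: bool = False

def peak(samples_gbps):
    return max(samples_gbps, default=0.0)

def preflight(plan, samples_gbps):
    """Reasons the planned settings conflict with the documented limits."""
    problems = []
    if not QPS_MIN <= plan.qps_threshold <= QPS_MAX:
        problems.append("QPS threshold outside 2000-50000")
    p = plan.health_check_path
    # "In English" is read here as printable ASCII without spaces (assumption).
    if not (p.startswith("/") and p.isascii() and p.isprintable() and " " not in p):
        problems.append("health check must be one ASCII path starting with /")
    if plan.cert_type not in SUPPORTED_CERTS:
        problems.append("certificate type not supported")
    if plan.ipv6:
        problems.append("IPv6 services not supported")
    if peak(samples_gbps) > PEAK_LIMIT_GBPS:
        problems.append("12-hour peak above 10 Gbit/s; feature does not take effect")
    return problems

def would_switch(plan, attack_detected, qps, samples_gbps, path_healthy):
    """Documented trigger: attack detected, threshold reached, peak in limit, path healthy."""
    return (attack_detected and qps >= plan.qps_threshold
            and peak(samples_gbps) <= PEAK_LIMIT_GBPS and path_healthy)

def earliest_switch_back(attack_stopped_at, layer):
    """Earliest automatic return of traffic to DCDN after a Layer 4 or Layer 7 attack."""
    return attack_stopped_at + SWITCH_BACK[layer]

# Constructed sample data: 12 hourly peak readings in Gbit/s.
SAMPLES_OK = [1.2, 0.9, 3.4, 2.2, 1.0, 0.8, 4.1, 6.5, 2.0, 1.1, 0.7, 0.9]
SAMPLES_HIGH = SAMPLES_OK[:6] + [11.3] + SAMPLES_OK[7:]
```

An empty list from preflight means that the plan fits the documented limits. The list says nothing about whether the domain has been admitted to the invitational preview.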

Modify DDoS mitigation settings or disable DDoS mitigation

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, choose DDoS Mitigation > Configurations.
  3. On the Configurations page, click the DDoS Mitigation Enabled tab.
  4. On the DDoS Mitigation Enabled tab, you can modify DDoS mitigation settings or disable DDoS mitigation.
  5. Click OK.