Anti-DDoS Origin Basic is a service that protects Elastic Compute Service (ECS) instances from distributed denial-of-service (DDoS) attacks to help ensure system stability. If inbound traffic to an instance exceeds the maximum traffic rate allowed by the instance type, Alibaba Cloud Security throttles the traffic.
Anti-DDoS Origin Basic is a free service included in Alibaba Cloud Security. It offers up to 5 Gbit/s of mitigation capacity against common DDoS attacks free of charge. The instance type of an ECS instance determines the mitigation capacity that is provided in the free tier. You can log on to the Alibaba Cloud Security Anti-DDoS Origin Basic console to check the actual mitigation capacity threshold. For more information, see What is Security Center? and View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic.
How Anti-DDoS Origin Basic works
After Anti-DDoS Origin Basic is enabled, Alibaba Cloud Security monitors inbound traffic to ECS instances in real time. When a large amount of traffic or suspicious traffic such as DDoS attack traffic is detected, Alibaba Cloud Security redirects the traffic from the destination network to a scrubbing device. The scrubbing device identifies and removes malicious traffic and then forwards the legitimate traffic destined for the destination network to the ECS instances. This process is called traffic scrubbing. For more information, see What is Anti-DDoS Origin?
Conditions for triggering traffic scrubbing
- Traffic pattern: When inbound traffic matches an attack traffic pattern, traffic scrubbing is triggered.
- Traffic amounts: In most cases, DDoS attacks generate flood traffic on a magnitude of Gbit/s. When inbound traffic to an ECS instance reaches a specific threshold, traffic scrubbing is triggered regardless of whether the traffic is normal.
Methods of traffic scrubbing
- BPS-based scrubbing threshold: When inbound traffic exceeds this threshold, traffic scrubbing is triggered.
- PPS-based scrubbing threshold: When the inbound packet forwarding rate exceeds this threshold, traffic scrubbing is triggered.
Scrubbing thresholds of ECS instances
The scrubbing threshold of an ECS instance is determined by the purchased public bandwidth and instance type. The following table describes the methods used to calculate the scrubbing threshold of an ECS instance.
Purchased bandwidth (Unit: Mbit/s) | Maximum BPS-based scrubbing threshold (Unit: Mbit/s) | Maximum PPS-based scrubbing threshold (Unit: pps) |
---|---|---|
≤ 300 | The maximum bandwidth allowed by the ECS instance type or 450, whichever is smaller. | The maximum packet forwarding rate allowed by the ECS instance type or 100,000, whichever is smaller. |
> 300 | The maximum bandwidth allowed by the ECS instance type or the product of the purchased bandwidth value multiplied by 1.5, whichever is smaller. | The maximum packet forwarding rate allowed by the ECS instance type or the product of the purchased bandwidth value multiplied by 1,000, whichever is smaller. |
- For information about the bandwidth and packet forwarding rate used by the BPS-based and PPS-based scrubbing thresholds, refer to the Network bandwidth and Packet forwarding rate rows in the "Instance type specifications" section of the Overview of instance families topic.
- If no bandwidth metrics are available for an instance family, the scrubbing threshold displayed in the Traffic Security console prevails.
- The threshold for triggering blackhole filtering displayed in the Traffic Security console prevails. For more information, see View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic.
For example, if you purchase an ECS instance of the ecs.g5.16xlarge instance type and the purchased bandwidth is 100 Mbit/s, the maximum bandwidth of the instance type is 20,000 Mbit/s and the maximum packet forwarding rate is 4,000,000 pps. The following table describes how to calculate the scrubbing threshold of the instance.
Purchased bandwidth (Unit: Mbit/s) | Maximum BPS-based scrubbing threshold (Unit: Mbit/s) | Maximum PPS-based scrubbing threshold (Unit: pps) |
---|---|---|
100 (< 300) | 20,000 or 450, whichever is smaller. The result is 450. | 4,000,000 or 100,000, whichever is smaller. The result is 100,000. |
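To make the two rows of the threshold table concrete, the following is an added Python example; it is not Alibaba Cloud's code, and the function and parameter names are my own. It computes both maximum scrubbing thresholds for any instance from the purchased bandwidth and the instance type's limits, and then checks whether a traffic sample would exceed either threshold, which is what a defender needs to know before deciding whether a legitimate traffic peak could trigger scrubbing. It generalizes the worked example above to the > 300 Mbit/s row as well; the page does not say how fractional results of the 1.5 multiplier are rounded, so the example keeps them unrounded.

```python
# Added example, not Alibaba Cloud code: applies the scrubbing-threshold rules
# from the documentation table to compute an ECS instance's maximum thresholds.
from dataclasses import dataclass


@dataclass(frozen=True)
class ScrubbingThresholds:
    bps_mbit: float  # maximum BPS-based scrubbing threshold, Mbit/s
    pps: int         # maximum PPS-based scrubbing threshold, packets per second


def scrubbing_thresholds(purchased_mbit: int, type_max_mbit: int,
                         type_max_pps: int) -> ScrubbingThresholds:
    """Return the maximum scrubbing thresholds for an ECS instance.

    purchased_mbit: purchased public bandwidth, Mbit/s
    type_max_mbit:  maximum bandwidth allowed by the instance type, Mbit/s
    type_max_pps:   maximum packet forwarding rate allowed by the instance type, pps
    """
    if purchased_mbit <= 0 or type_max_mbit <= 0 or type_max_pps <= 0:
        raise ValueError("bandwidth and packet-rate limits must be positive")

    if purchased_mbit <= 300:
        # Row 1 of the table: fixed caps of 450 Mbit/s and 100,000 pps.
        bps_cap = 450
        pps_cap = 100_000
    else:
        # Row 2 of the table: caps scale with the purchased bandwidth.
        bps_cap = purchased_mbit * 1.5
        pps_cap = purchased_mbit * 1_000

    # In both rows the instance type's own limit wins if it is smaller.
    return ScrubbingThresholds(bps_mbit=min(type_max_mbit, bps_cap),
                               pps=min(type_max_pps, pps_cap))


def would_trigger_scrubbing(sample_mbit: float, sample_pps: int,
                            thresholds: ScrubbingThresholds) -> bool:
    """True if a traffic sample exceeds the BPS-based or the PPS-based threshold.

    The documentation states that scrubbing is triggered when either threshold
    is exceeded, regardless of whether the traffic is legitimate.
    """
    return sample_mbit > thresholds.bps_mbit or sample_pps > thresholds.pps


if __name__ == "__main__":
    # Values from the page's ecs.g5.16xlarge example: 100 Mbit/s purchased,
    # instance type limits of 20,000 Mbit/s and 4,000,000 pps.
    t = scrubbing_thresholds(100, 20_000, 4_000_000)
    print(t)  # ScrubbingThresholds(bps_mbit=450, pps=100000)
    # Constructed traffic sample: a 460 Mbit/s peak at 50,000 pps would
    # exceed the BPS-based threshold even though its packet rate is fine.
    print(would_trigger_scrubbing(460, 50_000, t))  # True
```

The values this returns are the maximum thresholds for the instance; as the "What to do next" section notes, a lower threshold may be appropriate for your workload, and the threshold shown in the Traffic Security console prevails over any calculation.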

What to do next
By default, Anti-DDoS Origin Basic is enabled for ECS instances. After you create an ECS instance, you can perform the following operations:
- Specify scrubbing thresholds. After an ECS instance is created, the maximum thresholds of Anti-DDoS Origin Basic for the instance type are used. However, the maximum BPS-based scrubbing threshold for specific instance types may be high and not safe. You must set the threshold based on your business needs. For more information, see Configure a traffic scrubbing threshold.
- (Not recommended) Disable traffic scrubbing. When traffic scrubbing is enabled and inbound traffic to an ECS instance reaches a specific threshold, traffic scrubbing is triggered regardless of whether the traffic is normal. This may affect or interrupt normal business. You can manually disable traffic scrubbing for ECS instances. For more information, see Cancel traffic cleaning.
Warning After traffic scrubbing is disabled for an ECS instance, when inbound traffic to the instance exceeds 5 Gbit/s, all traffic to the instance is routed to a blackhole. Proceed with caution.