Anti-DDoS Origin Basic is a free service that throttles or scrubs inbound traffic to ECS instances when DDoS attacks or traffic anomalies are detected.
Anti-DDoS Origin Basic provides up to 5 Gbit/s of free DDoS mitigation. The actual mitigation capacity varies by instance type. Check your ECS instance's capacity in the Traffic Security console. See What is Security Center and View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic.
How Anti-DDoS Origin Basic works
DDoS traffic scrubbing
After Anti-DDoS Origin Basic is activated, inbound traffic to ECS instances is monitored in real time. When suspicious traffic such as DDoS attack traffic is detected, Anti-DDoS Origin Basic redirects traffic to a scrubbing device. The scrubbing device removes malicious traffic and forwards legitimate traffic back to the ECS instances. This process is called traffic scrubbing. See What is Anti-DDoS Origin.
When inbound Internet traffic to an ECS instance exceeds 5 Gbit/s, Anti-DDoS Origin Basic triggers blackhole filtering. All traffic to the instance is dropped and all Internet access is blocked to protect cluster-wide security. See Alibaba Cloud blackhole policy.
Conditions for triggering traffic scrubbing
Traffic scrubbing is triggered when either of the following conditions is met:
- Traffic pattern: Inbound traffic matches a known attack pattern.
- Traffic volume: Inbound traffic to an ECS instance exceeds a configured threshold.
Methods of traffic scrubbing
Traffic scrubbing methods include filtering attack packets, throttling bandwidth, and throttling the packet forwarding rate. You can configure traffic scrubbing thresholds for the following metrics:
- BPS-based scrubbing threshold: Triggers scrubbing when inbound traffic exceeds this value.
- PPS-based scrubbing threshold: Triggers scrubbing when the inbound packet forwarding rate exceeds this value.
Scrubbing thresholds for ECS instances
Supported regions: China (Heyuan), China (Guangzhou), China (Chengdu), China (Hohhot), China (Ulanqab), China (Hong Kong), UAE (Dubai), UK (London), Germany (Frankfurt), Philippines (Manila), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Japan (Tokyo), US (Virginia), US (Silicon Valley), and Singapore.
The scrubbing threshold of an ECS instance depends on the purchased public bandwidth and instance type.
| Purchased public bandwidth (Mbit/s) | Maximum BPS-based scrubbing threshold (Mbit/s) | Maximum PPS-based scrubbing threshold (pps) |
| --- | --- | --- |
| ≤ 300 | Lower of: maximum bandwidth of the instance type, or 450. | Lower of: maximum packet forwarding rate of the instance type, or 100,000. |
| > 300 | Lower of: maximum bandwidth of the instance type, or purchased bandwidth × 1.5. | Lower of: maximum packet forwarding rate of the instance type, or purchased bandwidth × 1,000. |
- For bandwidth and packet forwarding rate values, see the Network bandwidth and Packet forwarding rate rows in Instance family overview.
- If no bandwidth metrics are available for an instance family, the scrubbing threshold displayed in the Traffic Security console prevails.
- The blackhole filtering threshold displayed in the Traffic Security console prevails. See View the thresholds that trigger blackhole filtering in Anti-DDoS Basic.
Example: For an ecs.g5.16xlarge instance with 100 Mbit/s purchased public bandwidth, the maximum bandwidth is 20,000 Mbit/s and the maximum packet forwarding rate is 4,000,000. The scrubbing thresholds are calculated as follows:
| Purchased public bandwidth (Mbit/s) | Maximum BPS-based scrubbing threshold (Mbit/s) | Maximum PPS-based scrubbing threshold (pps) |
| --- | --- | --- |
| 100 < 300 | 20,000 or 450, whichever is smaller. The result is 450. | 4,000,000 or 100,000, whichever is smaller. The result is 100,000. |
The actual scrubbing threshold displayed in the Traffic Security console prevails. See View the Assets page.
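The threshold table and the trigger rules above can be combined into a small capacity-planning check. This is an added example, not Alibaba Cloud code: the function names, the `Thresholds` type, the sample traffic values and the rule that a configured threshold may not exceed the computed maximum are assumptions, and the values shown in the Traffic Security console still prevail.

```python
from dataclasses import dataclass

BLACKHOLE_MBIT = 5_000  # 5 Gbit/s from the page; the console value prevails


@dataclass(frozen=True)
class Thresholds:
    bps_mbit: float  # BPS-based scrubbing threshold, Mbit/s
    pps: int         # PPS-based scrubbing threshold, packets/s


def max_scrubbing_thresholds(purchased_mbit, type_max_mbit, type_max_pps):
    """Apply the table: the lower of the instance-type limit and the bandwidth-derived cap."""
    if purchased_mbit <= 300:
        bps_cap, pps_cap = 450, 100_000
    else:
        bps_cap, pps_cap = purchased_mbit * 1.5, purchased_mbit * 1_000
    return Thresholds(min(type_max_mbit, bps_cap), int(min(type_max_pps, pps_cap)))


def expected_action(inbound_mbit, inbound_pps, configured, maximum,
                    scrubbing_enabled=True, attack_pattern=False,
                    blackhole_mbit=BLACKHOLE_MBIT):
    """Return 'blackhole', 'scrub' or 'pass' for one traffic sample."""
    # Assumption: a configured threshold cannot exceed the computed maximum.
    if configured.bps_mbit > maximum.bps_mbit or configured.pps > maximum.pps:
        raise ValueError("configured threshold exceeds the maximum for this instance")
    if inbound_mbit > blackhole_mbit:
        return "blackhole"  # all traffic dropped, with or without scrubbing
    if scrubbing_enabled and (attack_pattern
                              or inbound_mbit > configured.bps_mbit
                              or inbound_pps > configured.pps):
        return "scrub"
    return "pass"


if __name__ == "__main__":
    # Constructed samples for the page's ecs.g5.16xlarge example (100 Mbit/s purchased).
    limit = max_scrubbing_thresholds(100, 20_000, 4_000_000)
    tuned = Thresholds(bps_mbit=200, pps=60_000)  # hypothetical tighter setting
    for mbit, pps in [(80, 20_000), (150, 90_000), (900, 50_000), (6_000, 1_000_000)]:
        print(mbit, pps, expected_action(mbit, pps, tuned, limit))
```

With scrubbing disabled, the same samples between the configured threshold and 5 Gbit/s return `pass`, which shows the gap the warning below describes: nothing intervenes until blackhole filtering drops all traffic.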
References
Anti-DDoS Origin Basic is enabled by default for ECS instances. After you create an ECS instance, you can:
- Configure traffic scrubbing thresholds. By default, the maximum thresholds for the instance type are used. Adjust thresholds based on your business requirements.
- (Not recommended) Cancel traffic scrubbing. Scrubbing may affect normal traffic. You can disable it manually, but this is not recommended.
  Warning: After traffic scrubbing is disabled for an ECS instance, all traffic to the instance is routed to a blackhole when inbound traffic to the instance exceeds 5 Gbit/s. Proceed with caution.
- For enhanced DDoS protection with BGP network quality, AI-based defense, and higher mitigation capacity, see What is Anti-DDoS Proxy?