Object Storage Service (OSS) DDoS protection is a proxy-based attack mitigation service that integrates OSS with Anti-DDoS Pro and Anti-DDoS Premium. When a bucket with OSS DDoS protection enabled becomes a victim of DDoS attacks, OSS DDoS protection diverts incoming traffic to an Anti-DDoS Pro or Anti-DDoS Premium instance for scrubbing and then redirects normal traffic to the bucket. This ensures the continuity of your business in the event of DDoS attacks.

Scenarios

DDoS attacks have been one of the most harmful attacks against enterprise business in recent years. When an enterprise becomes a victim of DDoS attacks, its business may be interrupted. This affects business operations, causes damage to the corporate identity and financial interests, and leads to customer attrition.

To mitigate these problems, OSS is integrated with Anti-DDoS Pro and Anti-DDoS Premium to provide up to Tbit/s-level DDoS attack mitigation, millions of queries per second (QPS), and switchovers from Anti-DDoS Origin to Anti-DDoS Pro or Anti-DDoS Premium within a few seconds. These capabilities can protect your business from attacks such as SYN flood, ACK flood, Internet Control Message Protocol (ICMP) flood, UDP flood, NTP flood, Simple Service Discovery Protocol (SSDP) flood, Domain Name System (DNS) flood, and HTTP flood. OSS DDoS protection is suitable for scenarios where your business is prone to attacks, ransomware attacks, click farming, and fraudulent traffic.

How OSS DDoS protection works

The following figure shows how OSS DDoS protection works.

[Figure: OSS DDoS protection]

By default, OSS uses Anti-DDoS Origin to protect your bucket. However, when the attack frequency exceeds the protection threshold of Anti-DDoS Origin, Anti-DDoS Origin cannot provide effective attack mitigation. This may cause your bucket to become inaccessible.

After you enable OSS DDoS protection, when the attack frequency exceeds the protection threshold of Anti-DDoS Origin, OSS diverts all incoming traffic to an Anti-DDoS Pro or Anti-DDoS Premium instance. Malicious traffic is scrubbed in the scrubbing center of Anti-DDoS Pro or Anti-DDoS Premium. Only legitimate traffic is forwarded to the requested bucket by using the port protocol. This way, normal access to the bucket is ensured when the bucket is under attack.

After the attacks stop, OSS switches back to using Anti-DDoS Origin for bucket protection.

Limits

  • You can configure OSS DDoS protection only in the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), and China (Hong Kong).
  • An Anti-DDoS Pro or Anti-DDoS Premium instance must be retained for at least seven days after the instance is created. If the instance is deleted within seven days (168 hours), you are still charged basic resource fees for the full seven days, including the remaining duration (168 hours - actual service duration). For more information about billing, see.
  • You can create only one Anti-DDoS Pro or Anti-DDoS Premium instance in a region. Each instance can be attached to up to 10 buckets in the same region.
  • After you attach a bucket to the instance, you cannot preview the resources in the bucket by using browsers. In addition, OSS does not protect the custom domain names mapped to the bucket by default. Therefore, when the bucket is under attack, you cannot access the bucket by using the custom domain names. If you want to access a bucket by using a custom domain name when the bucket is under attack, add the custom domain names in the OSS console. You can add up to five custom domain names for each bucket.

    If the custom domain name of the bucket that you want to protect (such as www.example.com) matches an exact domain name (www.example.com) or a wildcard domain name (*.example.com) that is specified in a forwarding rule of the instance, you must go to the Anti-DDoS Pro console to unbind the exact domain name or the wildcard domain name. Otherwise, when the bucket is under attack, you cannot access the bucket by using the custom domain name.

    For more information about the forwarding rules, see Add a website.
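
The limits above can be checked before you attach buckets. The following script is an added example, not Alibaba Cloud code: it validates a planned setup against the region, bucket and custom domain limits and flags custom domain names that collide with forwarding rule domains. The function names and sample data are constructed, and the wildcard semantics (any subdomain depth, apex excluded) are an assumption.

```python
# Added example: pre-flight check of a protection plan against the limits above.
SUPPORTED_REGIONS = {
    "China (Hangzhou)", "China (Shanghai)", "China (Qingdao)",
    "China (Beijing)", "China (Shenzhen)", "China (Hong Kong)",
}
MAX_BUCKETS_PER_INSTANCE = 10
MAX_CUSTOM_DOMAINS_PER_BUCKET = 5


def rule_matches(rule_domain, custom_domain):
    """True if a forwarding-rule domain (exact or wildcard) covers custom_domain."""
    rule = rule_domain.lower().rstrip(".")
    name = custom_domain.lower().rstrip(".")
    if rule.startswith("*."):
        # Assumption: a wildcard covers any subdomain depth; the apex has no
        # leading ".example.com" suffix, so it is not covered.
        return name.endswith(rule[1:])
    return name == rule


def check_plan(region, buckets, forwarding_rule_domains):
    """buckets maps bucket name -> custom domain names to protect.
    Returns a list of findings; an empty list means no limit is violated."""
    findings = []
    if region not in SUPPORTED_REGIONS:
        findings.append(f"region {region!r} does not support OSS DDoS protection")
    if len(buckets) > MAX_BUCKETS_PER_INSTANCE:
        findings.append(f"{len(buckets)} buckets exceed the limit of "
                        f"{MAX_BUCKETS_PER_INSTANCE} per instance")
    for bucket, domains in sorted(buckets.items()):
        if len(domains) > MAX_CUSTOM_DOMAINS_PER_BUCKET:
            findings.append(f"{bucket}: {len(domains)} custom domain names exceed "
                            f"the limit of {MAX_CUSTOM_DOMAINS_PER_BUCKET}")
        for domain in domains:
            for rule in forwarding_rule_domains:
                if rule_matches(rule, domain):
                    findings.append(f"{bucket}: {domain} matches forwarding rule "
                                    f"{rule}; unbind it in the Anti-DDoS Pro console")
    return findings


# Constructed sample input.
SAMPLE_BUCKETS = {"assets-bucket": ["www.example.com", "static.example.org"],
                  "logs-bucket": []}
SAMPLE_RULES = ["*.example.com", "shop.example.net"]

if __name__ == "__main__":
    for finding in check_plan("China (Hangzhou)", SAMPLE_BUCKETS, SAMPLE_RULES):
        print(finding)
```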

Use the OSS console

  1. Step 1: Create an Anti-DDoS instance.
    1. Log on to the OSS console.
    2. In the left-side navigation pane, click Anti-DDoS Pro.
    3. On the page that appears, click Create Anti-DDoS Instance.
    4. In the Create Anti-DDoS Instance panel, select the required region.
    5. Click OK.
  2. Step 2: Attach a bucket to the Anti-DDoS instance.
    1. Click View and Attach Buckets to the right of the instance to which you want to attach a bucket.
    2. In the View and Attach Buckets panel, click Attach Buckets.
    3. In the Attach Buckets panel, select a bucket you want to attach from the Bucket drop-down list.
      Buckets that are attached to an Anti-DDoS instance are not displayed in the Bucket drop-down list.
    4. Click OK.
      After the bucket is attached to the instance, the bucket is in the Initializing status. When the status becomes Defending, the Anti-DDoS instance has started to protect the bucket.
  3. Step 3: If you want to access the bucket when it is under attack by using the custom domain name that is mapped to the bucket, add the custom domain name in the OSS console.
    Notice: OSS does not protect the custom domain names mapped to the bucket by default. Therefore, when the bucket is under attack, you cannot access the bucket by using the custom domain names. If you want to access the bucket when it is under attack by using the custom domain names mapped to the bucket, add the custom domain names in the OSS console. You can add up to five custom domain names for each bucket.
    • If no custom domain names are mapped to the bucket, you need to map a custom domain name before you add the custom domain name. For more information, see Map custom domain names.
    • If a custom domain name is mapped to the bucket, add the custom domain name by performing the following steps:
      1. On the right side of the bucket attached to the instance, choose More > Modify Custom Domain Name.
      2. Select the custom domain name that you want to add.
      3. Click OK.

        Then, you can access the bucket by using the custom domain name when the bucket suffers attacks.