OSS DDoS protection is a proxy-based attack mitigation service that integrates OSS with Anti-DDoS Pro and Anti-DDoS Premium. When a bucket with OSS DDoS protection enabled suffers a DDoS attack, OSS DDoS protection diverts incoming traffic to an Anti-DDoS Pro or Anti-DDoS Premium instance for scrubbing and then redirects normal traffic to the bucket. This ensures the continuity of your business in the event of DDoS attacks.

Scenarios

DDoS attacks have been one of the most harmful attacks against enterprise business in recent years. When an enterprise suffers a DDoS attack, its business may be interrupted within seconds. This affects business operations, causes damage to the corporate identity and financial interests, and leads to customer attrition.

To mitigate these problems, OSS is integrated with Anti-DDoS Pro and Anti-DDoS Premium to provide Tbit/s-level DDoS attack mitigation, millions of queries per second (QPS), and switchovers from Anti-DDoS Origin to Anti-DDoS Pro or Anti-DDoS Premium within a few seconds. These capabilities can protect your business from attacks such as SYN flood, ACK flood, Internet Control Message Protocol (ICMP) flood, UDP flood, NTP flood, Simple Service Discovery Protocol (SSDP) flood, Domain Name System (DNS) flood, and HTTP flood. For more information about Anti-DDoS Pro and Anti-DDoS Premium, see What are Anti-DDoS Pro and Anti-DDoS Premium? OSS DDoS protection is suitable for scenarios in which your business is prone to attacks, ransomware attacks, click farming, and fraudulent traffic.

How OSS DDoS protection works

The following figure shows how OSS DDoS protection works.

[Figure: OSS DDoS protection]

By default, OSS uses Anti-DDoS Origin to protect your bucket. For more information, see What are Anti-DDoS Pro and Anti-DDoS Premium? However, if the attack frequency exceeds the protection threshold of Anti-DDoS Origin, Anti-DDoS Origin cannot provide effective attack mitigation and your bucket may become inaccessible.

After you enable OSS DDoS protection, when the attack frequency exceeds the protection threshold of Anti-DDoS Origin, OSS diverts all incoming traffic to an Anti-DDoS Pro or Anti-DDoS Premium instance. Malicious traffic is scrubbed in the scrubbing center of Anti-DDoS Pro or Anti-DDoS Premium. Only legitimate traffic is forwarded to the requested bucket by using the port protocol. This ensures normal access to the bucket even while the bucket is under attack.

After the attacks stop, OSS switches back to using Anti-DDoS Origin for bucket protection.

Limits

  • You can configure OSS DDoS protection only in the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), and China (Hong Kong).
  • An Anti-DDoS Pro or Anti-DDoS Premium instance must be retained for at least 7 days after the instance is created. If the instance is deleted within seven days (168 hours), you are charged basic resource fees for the minimum usage duration of seven days, including the remaining duration: 7 (days) × 24 (hours) - Actual usage duration. For more information about traffic fees, see OSS DDoS protection fees.
  • You can create only one Anti-DDoS Pro or Anti-DDoS Premium instance in a region. Each instance can be attached to up to 10 buckets in the same region.
  • After you attach a bucket to the instance, the resources in the bucket cannot be previewed by using browsers. In addition, OSS does not protect the custom domain names mapped to the bucket by default. Therefore, while a bucket is under attack, the bucket cannot be accessed by using the custom domain names. If you want to access a bucket by using a custom domain name while the bucket is under attack, add the custom domain name in the OSS console. You can add up to five custom domain names for each bucket.

    If the custom domain name of the bucket (such as www.example.com) that you want to protect matches an exact domain name (www.example.com) or a wildcard domain name (*.example.com) that is specified in a forwarding rule of the instance, you must go to the Anti-DDoS Pro console to unbind the exact domain name or the wildcard domain name. Otherwise, while the bucket is under attack, it cannot be accessed by using the custom domain name.

    For more information about the forwarding rules, see Add a website.
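
The limits above can be checked before you attach buckets. The following Python code is an added example, not Alibaba Cloud code: the function names, data structures, and sample values are hypothetical, and it assumes that a wildcard such as *.example.com covers subdomains at any depth but not example.com itself.

```python
# Added example: pre-flight check of a planned OSS DDoS protection setup
# against the limits listed above. All names and structures are hypothetical.
SUPPORTED_REGIONS = {
    "China (Hangzhou)", "China (Shanghai)", "China (Qingdao)",
    "China (Beijing)", "China (Shenzhen)", "China (Hong Kong)",
}
MAX_BUCKETS_PER_INSTANCE = 10
MAX_DOMAINS_PER_BUCKET = 5


def rule_matches(rule_domain, custom_domain):
    """True if a forwarding-rule domain (exact or wildcard) covers custom_domain.

    Assumption: '*.example.com' covers any subdomain of example.com, not
    example.com itself. Comparison ignores case and a trailing dot.
    """
    rule = rule_domain.lower().rstrip(".")
    name = custom_domain.lower().rstrip(".")
    if rule.startswith("*."):
        return name.endswith(rule[1:])  # rule[1:] is ".example.com"
    return rule == name


def preflight(region, buckets, forwarding_rules):
    """Return a list of problems; an empty list means the plan fits the limits.

    buckets: {bucket name: [custom domain names to protect]}
    forwarding_rules: domains already present in the instance's forwarding rules
    """
    problems = []
    if region not in SUPPORTED_REGIONS:
        problems.append(f"region not supported: {region}")
    if len(buckets) > MAX_BUCKETS_PER_INSTANCE:
        problems.append(f"{len(buckets)} buckets exceeds {MAX_BUCKETS_PER_INSTANCE}")
    for bucket, domains in buckets.items():
        if len(domains) > MAX_DOMAINS_PER_BUCKET:
            problems.append(f"{bucket}: more than {MAX_DOMAINS_PER_BUCKET} custom domains")
        for domain in domains:
            for rule in forwarding_rules:
                if rule_matches(rule, domain):
                    problems.append(f"{bucket}: unbind '{rule}' (covers {domain})")
    return problems


# Constructed sample plan; bucket and domain names are placeholders.
SAMPLE = preflight(
    "China (Hangzhou)",
    {"examplebucket": ["www.example.com", "static.example.org"]},
    ["*.example.com", "static.example.net"],
)
```

Each reported conflict names the forwarding-rule domain to unbind in the Anti-DDoS Pro console before the custom domain name is added.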

Use the OSS console

  1. Create an OSS DDoS protection instance.
    1. Log on to the OSS console.
    2. In the left-side navigation pane, choose Data Service > Anti-DDoS Pro.
    3. Optional: If you use Anti-DDoS Pro for the first time, click Activate Now on the Anti-DDoS Pro page.
    4. On the Anti-DDoS Pro page, click Create Anti-DDoS Instance. Then, select a region in the Create Anti-DDoS Instance dialog box.
    5. Click OK.
  2. Attach the OSS DDoS protection instance to a bucket.
    1. Click View and Attach Buckets next to the instance that you want to attach.
    2. In the View and Attach Buckets panel, click Attach Buckets.
    3. In the Attach Buckets dialog box, select a bucket you want to attach from the Bucket drop-down list.
      Buckets to which OSS DDoS protection instances are attached are not displayed in the Bucket drop-down list.
    4. Click OK.
      After the instance is attached to the bucket, the bucket is in the Initializing state. When the status becomes Defending, the OSS DDoS protection instance has started to protect the bucket.
  3. If you want to protect the custom domain name that is mapped to the bucket, add the custom domain name to the protection list of the Anti-DDoS instance.
    Important: By default, OSS does not protect custom domain names mapped to the bucket. Therefore, when the bucket is under attack, the bucket cannot be accessed by using the custom domain names. If you want to access a bucket by using custom domain names mapped to the bucket when the bucket is under attack, add the custom domain names in the OSS console. You can add up to five custom domain names for each bucket to the protection list of an Anti-DDoS instance.
    • If no custom domain names are mapped to the bucket, you must map a custom domain name to the bucket. For more information, see Map custom domain names.
    • If a custom domain name is mapped to the bucket, add the custom domain name by performing the following steps:
      1. On the right side of the bucket attached to the instance, choose More > Modify Custom Domain Name.
      2. Select the custom domain name that you want to add.
      3. Click OK.

        Then, you can access the bucket by using the custom domain name when the bucket is under attack.