When your Object Storage Service (OSS) bucket is under attack or is used to distribute illegal content, OSS automatically moves the bucket to the sandbox. Buckets in the sandbox can still respond to requests, but service degradation may occur. In this case, network availability may be affected, and a request timeout error is returned. After OSS automatically moves the bucket to the sandbox, your application may notice the change.
Usage notes
If your bucket is under attack, OSS automatically moves the bucket to the sandbox. In this case, you must bear the costs that result from the attack.
If your user uses your bucket to distribute illegal content that involves pornography and terrorism, OSS also moves the bucket to the sandbox. Users are held liable for violations of the law.
Preventive measures against attacks
To prevent your bucket from being moved to the sandbox due to attacks such as DDoS attacks and Challenge Collapsar (CC) attacks, you can configure OSS DDoS protection for the bucket. You can also configure a reverse proxy by using an Elastic Compute Service (ECS) instance to access the bucket and configure an Anti-DDoS Pro instance for the ECS instance. The following table describes the advantages and disadvantages of the two solutions.
| Solution | Description | Advantage | Disadvantage |
| Solution 1: Configure OSS DDoS protection | OSS DDoS protection is a proxy-based attack mitigation service that integrates OSS with Anti-DDoS. When a bucket for which OSS DDoS protection is enabled suffers a DDoS attack, OSS DDoS protection diverts incoming traffic to an Anti-DDoS instance for scrubbing and then redirects normal traffic to the bucket. This ensures the continuity of your business in the event of DDoS attacks. | | Limited number of protected buckets: You can create only one OSS DDoS protection instance within a region. You can attach each instance to up to 10 buckets that are located in the same region. |
| Solution 2: Configure a reverse proxy by using an ECS instance to access the bucket and configure an Anti-DDoS Pro instance for the ECS instance | To ensure data security, the default domain name of a bucket is resolved to a random IP address each time the bucket is accessed. If you want to use a static IP address to access the bucket, you can configure a reverse proxy by using an ECS instance to access the bucket. You can associate the elastic IP address (EIP) of the ECS instance with an Anti-DDoS Pro instance to protect the bucket against DDoS attacks and CC attacks. | You can use this solution to protect your bucket when you use a static IP address to access OSS. | |
Procedure
Solution 1: Configure OSS DDoS protection
Perform the following steps:
1. Create an Anti-DDoS instance.
2. Attach the bucket that you want to protect to the Anti-DDoS instance.
After that, the Anti-DDoS instance starts to protect access to the bucket by using the public endpoint of the bucket.
OSS DDoS protection can protect access by using only the public endpoints of the buckets, such as oss-cn-hangzhou.aliyuncs.com. OSS DDoS protection cannot protect access by using the following endpoints:
- Acceleration endpoints, which include the global acceleration endpoint (oss-accelerate.aliyuncs.com) and the acceleration endpoint of regions outside the Chinese mainland (oss-accelerate-overseas.aliyuncs.com).
- Access point endpoints, such as ap-01-3b00521f653d2b3223680ec39dbbe2****-ossalias.oss-cn-hangzhou.aliyuncs.com.
- Object FC Access Point endpoints, such as fc-ap-01-3b00521f653d2b3223680ec39dbbe2****-opapalias.oss-cn-hangzhou.aliyuncs.com.
- Endpoints accessed over IPv6, such as cn-hangzhou.oss.aliyuncs.com.
- Amazon Simple Storage Service (S3) endpoints, such as s3.oss-cn-hongkong.aliyuncs.com.
For more information, see OSS DDoS protection.
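The following Python check is an added example, not part of the original documentation. It classifies the OSS endpoints that an application is configured with and lists those that are not plain public endpoints, which are the only ones OSS DDoS protection covers. The patterns are generalized from the sample endpoints listed above (an assumption for other regions), and the function names and sample list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Patterns generalised from the sample endpoints on this page (assumption:
# other regions follow the same naming). Order matters: the public pattern
# also matches the more specific forms, so it is tried last.
REGION = r"[a-z0-9]+(?:-[a-z0-9]+)*"
RULES = [
    ("acceleration", re.compile(r"(?:^|\.)oss-accelerate(?:-overseas)?\.aliyuncs\.com$")),
    ("access-point", re.compile(rf"-ossalias\.oss-{REGION}\.aliyuncs\.com$")),
    ("fc-access-point", re.compile(rf"-opapalias\.oss-{REGION}\.aliyuncs\.com$")),
    ("s3", re.compile(rf"(?:^|\.)s3\.oss-{REGION}\.aliyuncs\.com$")),
    ("ipv6", re.compile(rf"(?:^|\.){REGION}\.oss\.aliyuncs\.com$")),
    # Internal endpoints are not listed on the page; they are separated here
    # only so that they are not mistaken for public endpoints.
    ("internal", re.compile(rf"(?:^|\.)oss-{REGION}-internal\.aliyuncs\.com$")),
    ("public", re.compile(rf"(?:^|\.)oss-{REGION}\.aliyuncs\.com$")),
]


def classify(endpoint: str) -> str:
    """Return the endpoint family of a hostname or URL, or 'unknown'."""
    url = endpoint if "//" in endpoint else "//" + endpoint
    host = (urlsplit(url).hostname or "").rstrip(".")
    for family, pattern in RULES:
        if pattern.search(host):
            return family
    return "unknown"  # for example a custom domain: review manually


def unprotected(endpoints):
    """List (endpoint, family) pairs that are not plain public endpoints."""
    pairs = [(e, classify(e)) for e in endpoints]
    return [(e, fam) for e, fam in pairs if fam != "public"]


# Constructed sample: endpoints collected from an application's configuration.
SAMPLE = [
    "https://examplebucket.oss-cn-hangzhou.aliyuncs.com/logo.png",
    "examplebucket.oss-accelerate.aliyuncs.com",
    "https://examplebucket.s3.oss-cn-hongkong.aliyuncs.com",
    "examplebucket.cn-hangzhou.oss.aliyuncs.com",
    "static.example.com",
]

if __name__ == "__main__":
    for endpoint, family in unprotected(SAMPLE):
        print(f"review ({family}, not a public endpoint): {endpoint}")
```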
Solution 2: Configure a reverse proxy by using an ECS instance to access the bucket and configure an Anti-DDoS Pro instance for the ECS instance
Perform the following steps:
1. Configure a reverse proxy by using an ECS instance to access your bucket.
   a. Create an ECS instance that runs CentOS or Ubuntu. For more information, see Create an instance on the Custom Launch tab.
      Important: If the bucket encounters bursts of network traffic or spikes in access requests, you need to upgrade the hardware configurations of ECS or create ECS clusters.
   b. Configure a reverse proxy by using an ECS instance to access the bucket. For more information, see Use an ECS instance that runs CentOS to configure a reverse proxy for access to OSS.
2. Configure an Anti-DDoS Pro instance.
   a. Purchase an Anti-DDoS Pro instance based on your business requirements. For more information, visit the buy page of Anti-DDoS Pro.
   b. Configure an Anti-DDoS Pro instance. Enter the endpoint of the bucket that you want to protect by using the ECS reverse proxy in Domain. Select Origin Server IP for Server IP and enter the public IP address of the ECS instance in the field. For more information about how to configure other parameters, see Add one or more websites.