Object Storage Service (OSS) DDoS protection is a proxy-based attack mitigation service that integrates OSS with Anti-DDoS Pro and Anti-DDoS Premium. When a bucket for which OSS DDoS protection is enabled suffers a DDoS attack, OSS DDoS protection diverts incoming traffic to an Anti-DDoS Pro or Anti-DDoS Premium instance for scrubbing and then redirects normal traffic to the bucket. This ensures the continuity of your business in the event of DDoS attacks.
DDoS attacks have been one of the most harmful attacks against enterprise business in recent years. When an enterprise suffers a DDoS attack, its business may be interrupted within seconds. This affects business operations, causes damage to corporate identity and financial interests, and leads to customer attrition.
To mitigate these problems, OSS is integrated with Anti-DDoS Pro to provide Tbit/s-level DDoS attack mitigation, millions of queries per second (QPS), and switchovers from Anti-DDoS Origin to Anti-DDoS Pro within a few seconds. These capabilities can protect your business from attacks such as Tbit/s-level DDoS attacks, volumetric Challenge Collapsar (CC) attacks, SYN flood, ACK flood, Internet Control Message Protocol (ICMP) flood, UDP flood, NTP flood, Simple Service Discovery Protocol (SSDP) flood, Domain Name System (DNS) flood, and HTTP flood. This ensures business continuity. For more information about Anti-DDoS Pro, see What are Anti-DDoS Pro and Anti-DDoS Premium?
OSS DDoS protection does not handle small-volume fraudulent traffic in the form of normal requests, such as hundreds of MB of fraudulent traffic. We recommend that you configure permission control such as policies and access control lists (ACLs) or configure Web Application Firewall (WAF) protection policies to prevent the issue. For more information, see How do I prevent unauthorized access to OSS?
How does OSS DDoS protection work
The following figure shows how OSS DDoS protection works.
By default, OSS uses Anti-DDoS Origin to protect your bucket. For more information, see What is Anti-DDoS Origin? However, if the attack frequency exceeds the protection threshold of Anti-DDoS Origin, Anti-DDoS Origin cannot provide effective attack mitigation and your bucket may become inaccessible.
After you enable OSS DDoS protection, when the attack frequency exceeds the protection threshold of Anti-DDoS Origin, OSS diverts all incoming traffic to an Anti-DDoS Pro or Anti-DDoS Premium instance. Malicious traffic is scrubbed in the scrubbing center of Anti-DDoS Pro or Anti-DDoS Premium. Only legitimate traffic is forwarded to the requested bucket by using forwarding ports. This ensures normal access to the bucket regardless of whether the bucket is under attack.
After the attacks stop, OSS switches back to using Anti-DDoS Origin for bucket protection.
OSS DDoS protection is supported in the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), and China (Hong Kong).
An Anti-DDoS instance must be retained for at least 7 days after the instance is created. If the instance is deleted within 7 days (168 hours), you are charged basic resource fees for the minimum usage duration of 7 days, including the remaining duration: 7 (days) × 24 (hours) - Actual usage duration. For more information, see OSS DDoS protection fees.
You can create only one Anti-DDoS instance in a region. You can attach up to 10 buckets to each instance in the same region.
After you attach a bucket to the instance, you cannot preview the resources in the bucket by using browsers. In addition, OSS does not protect the custom domain names mapped to the bucket by default. Therefore, when the bucket is under attack, you cannot access the bucket by using the custom domain names. If you want to access a bucket by using a custom domain name when the bucket is under attack, add the custom domain name in the OSS console. You can add up to five custom domain names for each bucket.
If a custom domain name (such as
www.example.com) of the bucket that you want to protect matches an accurate domain name (such as
www.example.com) or a wildcard domain name (such as
*.example.com) that is specified in a forwarding rule of the instance, you must go to the Anti-DDoS Pro console to unbind the accurate domain name or the wildcard domain name. Otherwise, when the bucket is under attack, you cannot access the bucket by using the custom domain name.
For more information about forwarding rules, see Add a website.
Use the OSS console
Create an Anti-DDoS instance.
Log on to the OSS console.
In the left-side navigation pane, choose .
Optional: If you use Anti-DDoS Pro for the first time, click Activate Now on the Anti-DDoS Pro page.
On the Anti-DDoS Pro page, click Create Anti-DDoS Instance. Then, select a region in the Create Anti-DDoS Instance dialog box.
Attach a bucket to the Anti-DDoS instance.
On the Anti-DDoS Pro page, click View and Attach Buckets in the Actions column of the instance to which you want to attach a bucket.
In the View and Attach Buckets panel, click Attach Buckets.
In the Attach Buckets dialog box, select a bucket that you want to attach from the Bucket drop-down list.
Buckets to which OSS DDoS protection instances are attached are not displayed in the Bucket drop-down list.
After you attach the bucket to the instance, the bucket is in the Initializing state. When the bucket enters the Defending state, the Anti-DDoS instance starts to protect the bucket.
If you want to protect a custom domain name, add the custom domain name to the protection list of the Anti-DDoS instance.Important
By default, OSS does not protect custom domain names that are mapped to a bucket. When the bucket is under attack, you cannot access the bucket by using the custom domain names. If you want to access a bucket by using the custom domain names that are mapped to the bucket when the bucket is under attack, add the custom domain names to the protection lists of Anti-DDoS instances in the OSS console. You can add up to five custom domain names for each bucket to the protection list of an Anti-DDoS instance.
If no custom domain names are mapped to a bucket, you must map a custom domain name to the bucket. For more information, see Map custom domain names.
If a custom domain name is mapped to the bucket, add the custom domain name by performing the following steps:
On the right side of the bucket attached to the instance, click Modify Custom Domain Name in the Operations column.
Select the custom domain name that you want to add.
Then, you can access the bucket by using the custom domain name when the bucket is under attack.