When your Object Storage Service (OSS) bucket is under attack or is used to distribute illegal content, OSS automatically moves the bucket to the sandbox. Buckets in the sandbox can still respond to requests, but service degradation may occur. In this case, network availability may be affected, and a request timeout error is returned. Your application may notice the effects after OSS moves the bucket to the sandbox.

Usage notes

  • If your bucket is under attack, OSS automatically moves the bucket to the sandbox. In this case, you must bear the cost incurred by the attack.
  • If your users use your bucket to distribute illegal content, such as pornographic or terrorism-related content, OSS also moves the bucket to the sandbox. Users will be held liable for violations of the law.

Preventive measures against attacks

To prevent your bucket from being moved to the sandbox due to attacks such as DDoS attacks and Challenge Collapsar (CC) attacks, you can configure OSS DDoS protection for the bucket. Alternatively, you can set up a reverse proxy on an Elastic Compute Service (ECS) instance to access the bucket and configure Anti-DDoS Pro for the ECS instance. The following table compares the two solutions.

Solution 1: Configure OSS DDoS protection
  Description: OSS DDoS protection is a proxy-based mitigation service that integrates OSS with Anti-DDoS Pro and Anti-DDoS Premium. When a bucket for which OSS DDoS protection is enabled suffers a DDoS attack, OSS DDoS protection diverts malicious traffic to an Anti-DDoS instance for scrubbing and then redirects normal traffic to the bucket. This way, your business can continue to function normally after a DDoS attack.
  Advantage:
    • Wide application scope: You can use this solution to protect bucket domain names and custom domain names that are mapped to the bucket.
    • Low costs: You are charged fees for OSS DDoS protection based on the number of Anti-DDoS instances that you configure for your bucket, the traffic generated by these instances, and the number of requests sent to your bucket. For more information, see OSS DDoS protection fees.
    • Simple configurations: You can configure OSS DDoS protection in the graphical console.
  Disadvantage:
    • Limited number of protected buckets: You can create only one Anti-DDoS instance within each region. Each instance can be attached to at most 10 buckets that are located in the same region.

Solution 2: Configure a reverse proxy by using an ECS instance to access the bucket and configure an Anti-DDoS Pro instance for the ECS instance
  Description: For security reasons, the default domain name of a bucket is resolved to a random IP address each time the bucket is accessed. If you want to use a static IP address to access the bucket, you can set up a reverse proxy by using an ECS instance to access the bucket. You can associate the Elastic IP address (EIP) of the ECS instance with Anti-DDoS Pro to protect the bucket against DDoS attacks and CC attacks.
  Advantage:
    • You can use this solution to protect your bucket when you use a static IP address to access OSS.
  Disadvantage:
    • Complex configurations: You must set up an NGINX reverse proxy on your own.
    • High costs: You must purchase an ECS instance to set up an NGINX reverse proxy.

Implementation procedure

  • Solution 1: Configure OSS DDoS protection
    Perform the following steps to configure OSS DDoS protection for a bucket in the OSS console:
    1. Step 1: Create an Anti-DDoS instance.
    2. Step 2: Attach the bucket that you want to protect to the Anti-DDoS instance.
    3. Step 3: If you want to use a custom domain name to access the bucket when the bucket suffers attacks, add the custom domain name in the OSS console.

    For more information about OSS DDoS protection, see Configure OSS DDoS protection.

  • Solution 2: Set up a reverse proxy by using an ECS instance to access the bucket and configure Anti-DDoS Pro for the ECS instance

    Perform the following steps to set up a reverse proxy by using an ECS instance to access the bucket and configure Anti-DDoS Pro for the ECS instance:

    1. Step 1: Set up a reverse proxy by using an ECS instance to access your bucket.
      1. Create an ECS instance that runs CentOS or Ubuntu. For more information about how to create an ECS instance, see Create an instance by using the wizard.
        Important: If the bucket encounters sporadic bursts of network traffic or access requests, upgrade the hardware configurations of the ECS instance or set up ECS clusters.
      2. Set up a reverse proxy by using an ECS instance to access the bucket. For more information, see Use an ECS instance that runs CentOS to configure a reverse proxy for access to OSS.
    2. Step 2: Configure Anti-DDoS Pro for the ECS instance.
      1. Purchase Anti-DDoS Pro based on your requirements. For more information, visit the buy page of Anti-DDoS Pro.
      2. Configure an Anti-DDoS Pro instance. Enter the endpoint of the bucket that you want to protect by using the ECS reverse proxy in Domain. Select Origin Server IP for Server IP and enter the public IP address of the ECS instance in the field. For more information about how to configure other parameters, see Add a website.
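
A minimal NGINX configuration for the ECS reverse proxy in Solution 2, added here as an illustration and not taken from the linked Alibaba Cloud procedure. The bucket domain, resolver address, and allowed source range are placeholders; the source restriction assumes that only the Anti-DDoS Pro instance should be able to reach the ECS public IP address.

```nginx
# Added example: complete nginx.conf for an ECS reverse proxy in front of OSS.
# All addresses and names below are placeholders, not values from the page.
events {}

http {
    # The bucket domain resolves to a different IP address on each lookup.
    # NGINX resolves a literal proxy_pass hostname only once at startup, so
    # configure a resolver and use a variable to force lookups at request time.
    resolver 192.0.2.53 valid=30s;   # placeholder: the DNS resolver for your VPC

    server {
        listen 80;
        server_name _;

        # Accept traffic only from the Anti-DDoS Pro instance so that the
        # ECS public IP address cannot be reached directly, bypassing scrubbing.
        allow 203.0.113.0/24;        # placeholder: Anti-DDoS Pro source range
        deny  all;

        location / {
            # Placeholder bucket domain (bucket name + region endpoint).
            set $oss_origin "examplebucket.oss-cn-hangzhou.aliyuncs.com";

            # No URI part after the variable: the original request URI is
            # forwarded unchanged to the bucket.
            proxy_pass https://$oss_origin;

            # OSS selects the bucket from the Host header, so send the
            # bucket domain rather than the proxy's own address.
            proxy_set_header Host $oss_origin;

            # Send SNI so the TLS handshake matches the bucket domain.
            proxy_ssl_server_name on;
            proxy_ssl_name $oss_origin;

            # Fail fast if the bucket is degraded instead of holding
            # worker connections open.
            proxy_connect_timeout 5s;
            proxy_read_timeout 60s;
        }
    }
}
```

Validate the file with `nginx -t` before reloading the service.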