ApsaraDB RDS provides built-in protection against network-level attacks and application-layer threats, including DDoS attacks and SQL injection.
How it works
RDS provides two independent layers of protection:
| Layer | Protection type | Mechanism |
|---|---|---|
| Network layer | DDoS attack mitigation | Traffic scrubbing and blackhole filtering defend against volumetric attacks targeting your instance over the Internet. |
| Application layer | SQL injection detection | Monitors database activity for malicious query patterns. |
We recommend that you access RDS instances over an internal network to prevent DDoS attacks.
DDoS attack mitigation
When RDS detects a DDoS attack, it responds in two escalating stages — both triggered and terminated automatically by the RDS security system:
Traffic scrubbing — Filters malicious inbound traffic from the Internet while keeping your instance accessible. Normal operations are not affected.
Blackhole filtering — Activated if traffic scrubbing cannot stop the attack, or if inbound traffic exceeds the blackhole threshold. Blackhole filtering only targets traffic from the Internet. While active, the instance is unreachable from the Internet and connected applications become unavailable. Blackhole filtering guarantees availability of RDS instances. Blackhole filtering is automatically deactivated after 2.5 hours.
Traffic scrubbing thresholds
Traffic scrubbing activates when any of the following thresholds are exceeded:
| Metric | Threshold |
|---|---|
| Packets per second (PPS) | 30,000 |
| Bits per second (BPS) | 180 Mbit/s |
| New concurrent connections per second | 10,000 |
| Active concurrent connections | 10,000 |
| Inactive concurrent connections | 100,000 |
Blackhole filtering thresholds
Blackhole filtering activates when either of the following conditions is met:
| Condition | Details |
|---|---|
| BPS threshold exceeded | Inbound BPS reaches 2 Gbit/s |
| Traffic scrubbing ineffective | Scrubbing fails to stop the attack |
SQL injection detection
ApsaraDB RDS detects SQL injection attempts. This protection complements the network-level DDoS defenses described above.