ApsaraDB RDS provides a variety of attack mitigation methods, including DDoS attack mitigation, traffic scrubbing, and SQL injection detection. When attacks are detected, the RDS security system responds without requiring manual intervention.
How it works
When an RDS instance is reachable from the Internet, it is exposed to DDoS attacks. ApsaraDB RDS defends against these attacks in two sequential layers:
Traffic scrubbing — the first line of defense. When attack traffic reaches the triggering thresholds, the security system scrubs inbound traffic to filter out malicious packets while keeping the instance operational.
Blackhole filtering — activated when traffic scrubbing cannot contain the attack, or when the blackhole triggering threshold is reached. Blackhole filtering blocks all Internet traffic to the instance and is automatically lifted after 2.5 hours.
To reduce exposure to DDoS attacks, access RDS instances over an internal network instead of the Internet.
Traffic scrubbing
Traffic scrubbing targets only Internet traffic and does not affect normal database operations.
Traffic scrubbing is triggered when any one of the following thresholds is reached:
| Metric | Threshold |
|---|---|
| Packets per second (PPS) | 30,000 |
| Bits per second (BPS) | 180 Mbit/s |
| New concurrent connections per second | 10,000 |
| Active concurrent connections | 10,000 |
| Inactive concurrent connections | 100,000 |
Blackhole filtering
Blackhole filtering targets only Internet traffic. When it is triggered, the RDS instance cannot be reached from the Internet and applications that connect over the Internet become unavailable. Blackhole filtering is applied to preserve the availability of the RDS instance itself: the instance keeps running, and because only Internet traffic is dropped, it remains reachable over the internal network.
Blackhole filtering is triggered when either of the following conditions is met:
BPS reaches 2 Gbit/s.
Traffic scrubbing is ineffective.
Blackhole filtering is automatically deactivated after 2.5 hours.
Recommendations
To minimize the risk of DDoS attacks and reduce the impact of blackhole filtering on your applications:
Use an internal network connection. Connecting to RDS instances over a Virtual Private Cloud (VPC) or internal network eliminates exposure to Internet-facing DDoS attacks entirely.
Plan for blackhole filtering downtime. When blackhole filtering is triggered, Internet-facing connections are unavailable for 2.5 hours. Design your application to handle this gracefully, for example by implementing retry logic or routing traffic through an internal endpoint as a fallback.
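As an added illustration of the fallback pattern recommended above (this is not code from the ApsaraDB RDS documentation), the following Python sketch tries the Internet endpoint a bounded number of times, then switches to the internal endpoint and keeps using it for the 2.5-hour blackhole window before retrying the public one. The endpoint hostnames and the `dial` callback are assumptions; in practice the callback would wrap your database driver's connect call.

```python
import time
from dataclasses import dataclass
from typing import Callable, Tuple

# Hypothetical placeholder endpoints, not real RDS hostnames.
PUBLIC_ENDPOINT = "rm-example.mysql.rds.aliyuncs.com:3306"
INTERNAL_ENDPOINT = "rm-example-internal.mysql.rds.aliyuncs.com:3306"

# Blackhole filtering is lifted automatically after 2.5 hours.
BLACKHOLE_SECONDS = 2.5 * 3600


@dataclass
class EndpointSelector:
    # dial(endpoint) returns a connection object or raises ConnectionError.
    dial: Callable[[str], object]
    clock: Callable[[], float] = time.time
    max_public_attempts: int = 3
    backoff_seconds: float = 0.0          # e.g. 1.0 in production; 0 keeps tests fast
    public_blocked_until: float = 0.0     # epoch seconds; 0 means "public is believed healthy"

    def connect(self) -> Tuple[object, str]:
        """Return (connection, route) where route is 'public' or 'internal'."""
        now = self.clock()
        # Skip the Internet endpoint entirely while we believe it is blackholed.
        if now >= self.public_blocked_until:
            for attempt in range(self.max_public_attempts):
                try:
                    return self.dial(PUBLIC_ENDPOINT), "public"
                except ConnectionError:
                    # Exponential backoff between public attempts.
                    time.sleep(self.backoff_seconds * (2 ** attempt))
            # Repeated public failures: assume blackhole filtering and avoid the
            # public endpoint for the full 2.5-hour window instead of hammering it.
            self.public_blocked_until = now + BLACKHOLE_SECONDS
        # Internal (VPC) traffic is unaffected by scrubbing or blackholing.
        return self.dial(INTERNAL_ENDPOINT), "internal"


if __name__ == "__main__":
    # Constructed demo: the public endpoint is unreachable, the internal one works.
    def demo_dial(endpoint: str) -> str:
        if endpoint == PUBLIC_ENDPOINT:
            raise ConnectionError("simulated blackhole")
        return "conn:" + endpoint

    selector = EndpointSelector(dial=demo_dial)
    conn, route = selector.connect()
    print(route, conn)
```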