
Anti-DDoS:FAQ about Anti-DDoS Proxy

Last Updated: Mar 28, 2024

This topic provides answers to some frequently asked questions about Anti-DDoS Proxy (Chinese Mainland) and Anti-DDoS Proxy (Outside Chinese Mainland).

What happens if an Anti-DDoS Proxy instance expires?

An expired instance can no longer protect your services.

  • After the instance expires, the instance continues to forward your traffic for seven days. If the traffic volume exceeds the clean bandwidth of the instance, throttling is triggered, and random packet loss may occur.

  • Seven days after the instance expires, the instance stops forwarding traffic. If the IP addresses of your services are mapped to the instance, your services become inaccessible.

For more information, see Billing of Anti-DDoS Proxy (Chinese Mainland).

What is the clean bandwidth of an Anti-DDoS Proxy instance?

The clean bandwidth of an instance is equal to the peak inbound or outbound traffic of the protected services, whichever is greater. Unit: Mbit/s.

You can increase the clean bandwidth of an instance on the Instances page in the Anti-DDoS Proxy (Chinese Mainland) console. For more information, see Upgrade an instance.

What happens if the traffic volume exceeds the clean bandwidth of an Anti-DDoS Proxy instance?

If the traffic volume exceeds the clean bandwidth of the instance, throttling is triggered, and random packet loss may occur.

Can I manually deactivate blackhole filtering?

The answer to this question varies based on the instance that you use.

  • If you use an Anti-DDoS Proxy (Chinese Mainland) instance, you can manually deactivate blackhole filtering.

    Each Alibaba Cloud account can deactivate blackhole filtering up to five times a day. The limit is reset at 00:00 the next day. For more information, see Deactivate blackhole filtering.

  • If you use an Anti-DDoS Proxy (Outside Chinese Mainland) instance, you cannot manually deactivate blackhole filtering.

    Unlike an Anti-DDoS Proxy (Chinese Mainland) instance, which has a fixed protection bandwidth, an Anti-DDoS Proxy (Outside Chinese Mainland) instance mitigates DDoS attacks with all the capabilities that are available. You do not need to manually deactivate blackhole filtering for an Anti-DDoS Proxy (Outside Chinese Mainland) instance.

    Note

    If you use an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance mitigation plan, and the quota for advanced mitigation sessions in the current month is exhausted, blackhole filtering is triggered after your service is attacked. In this case, we recommend that you upgrade your instance to the Unlimited mitigation plan, which provides unlimited protection capabilities. After you upgrade your instance to the Unlimited mitigation plan, blackhole filtering is automatically deactivated.

What are the back-to-origin CIDR blocks of an Anti-DDoS Proxy instance?

You can view the back-to-origin CIDR blocks on the Website Config page in the Anti-DDoS Proxy console. For more information, see Allow back-to-origin IP addresses to access the origin server.

Are the back-to-origin CIDR blocks of an Anti-DDoS Proxy instance automatically added to a whitelist?

No, the back-to-origin IP addresses are not automatically added to a whitelist. If you deploy a firewall or third-party security software on your origin server, you must add the back-to-origin IP addresses of your Anti-DDoS Proxy instance to the whitelist of the firewall or security software. For more information, see Allow back-to-origin IP addresses to access the origin server.
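The following is an added example, not Alibaba Cloud code, of the two checks an origin-server operator wants once the proxy's back-to-origin addresses are the only legitimate source of inbound traffic: a whitelist test for an individual source address, a scan of access-log lines for connections that reached the origin without passing through the proxy, and the corresponding nftables accept/drop rules. The CIDR blocks, the log lines and the `inet filter input` chain are constructed placeholders; the real back-to-origin blocks are read from the Website Config page of the console.

```python
"""Origin-server whitelist check for Anti-DDoS Proxy back-to-origin addresses.

Added example, not Alibaba Cloud code. All addresses are constructed from the
RFC 5737 / RFC 3849 documentation ranges; substitute the CIDR blocks shown on
the Website Config page of the console.
"""
import ipaddress
import re

# Constructed placeholders: NOT the real back-to-origin blocks.
BACK_TO_ORIGIN_CIDRS = ["198.51.100.0/24", "2001:db8:1::/48"]


class OriginAllowlist:
    """Membership test for source addresses against a list of CIDR blocks
    (IPv4 and IPv6 mixed; the Chinese Mainland instance can forward over both)."""

    def __init__(self, cidrs):
        self.networks = [ipaddress.ip_network(c, strict=True) for c in cidrs]

    def allows(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


# Combined-log-format prefix: client address, ident, user, [time], "request", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def find_bypass_attempts(log_lines, allowlist):
    """Return (source_ip, request) pairs for requests whose source address is
    not a back-to-origin address, i.e. connections that bypassed the proxy."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if match is None:
            continue  # unparseable line; a real scanner would count these too
        if not allowlist.allows(match.group("ip")):
            hits.append((match.group("ip"), match.group("req")))
    return hits


def nft_allow_rules(cidrs, port):
    """Render nftables rules that accept the listed blocks on `port` and drop
    everything else. Assumes a table `inet filter` with an `input` chain exists."""
    rules = []
    for cidr in cidrs:
        family = "ip6" if ipaddress.ip_network(cidr).version == 6 else "ip"
        rules.append(f"nft add rule inet filter input {family} saddr {cidr} tcp dport {port} accept")
    rules.append(f"nft add rule inet filter input tcp dport {port} drop")
    return rules


# Constructed sample access-log lines (combined log format).
SAMPLE_LOG = [
    '198.51.100.17 - - [28/Mar/2024:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.45 - - [28/Mar/2024:10:00:02 +0800] "GET /admin HTTP/1.1" 403 128',
    '2001:db8:1::9 - - [28/Mar/2024:10:00:03 +0800] "POST /api/login HTTP/1.1" 200 64',
    '192.0.2.8 - - [28/Mar/2024:10:00:04 +0800] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    allowlist = OriginAllowlist(BACK_TO_ORIGIN_CIDRS)
    for ip, req in find_bypass_attempts(SAMPLE_LOG, allowlist):
        print(f"bypassed proxy: {ip} {req}")
    print("\n".join(nft_allow_rules(BACK_TO_ORIGIN_CIDRS, 443)))
```

Two of the four constructed log lines come from addresses outside the placeholder blocks and are reported as direct-to-origin connections; with the rendered rules in place those connections would be dropped at the host firewall instead of reaching the web server.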

Can I use an internal IP address as the IP address of the origin server for an Anti-DDoS Proxy instance?

No, you cannot use an internal IP address as the IP address of the origin server. This is because Anti-DDoS Proxy forwards traffic to origin servers only over the Internet.

I have changed the IP address of the origin server for an Anti-DDoS Proxy instance. Does the change immediately take effect?

No, the change takes effect about 5 minutes later. We recommend that you perform this operation during off-peak hours. For more information, see Change the public IP address of an ECS origin server.

Does Anti-DDoS Proxy support the health check feature?

Yes, Anti-DDoS Proxy supports the health check feature. The health check feature is enabled for website services by default. You can enable the health check feature for non-website services in the Anti-DDoS Proxy console. For more information, see Configure a health check.

For more information about the health check feature, see Health check overview.

How is traffic distributed to multiple origin servers that are protected by an Anti-DDoS Proxy instance?

Traffic that is destined for website services is distributed to origin servers by using the IP hash policy. Traffic that is destined for non-website services is distributed to origin servers by using the weighted round-robin policy.

Can I configure session persistence in the Anti-DDoS Proxy console?

Yes, you can configure session persistence for non-website services in the Anti-DDoS Proxy console. For more information, see Configure session persistence.

How does session persistence work for an Anti-DDoS Proxy instance?

After you configure session persistence for an instance, the instance forwards requests from the same IP address to the same origin server within a specific period. If the network of a client changes, for example from a wired network or 4G network to a wireless network, the IP address of the client changes and session persistence fails.
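The two distribution policies named above (IP hash for website services, weighted round-robin for non-website services) and a source-IP persistence table in front of the non-website policy, as an added example that is not Alibaba Cloud code. The origin addresses are constructed, the hash function and the smooth weighted round-robin variant are this example's own choices, and the persistence window is modelled as a fixed period counted from a client's first request, which is an assumption (the FAQ only says "within a specific period"). The example also shows the failure mode described above: a client whose source IP changes is treated as a new client.

```python
"""IP hash, weighted round-robin and source-IP session persistence.

Added example, not Alibaba Cloud code. Origins are constructed from the
RFC 5737 documentation ranges; policy details are this example's assumptions.
"""
import hashlib
import time


def ip_hash_pick(client_ip, origins):
    """IP hash (website services): the same client IP lands on the same origin
    as long as the origin list is unchanged. SHA-256 is this example's choice."""
    digest = hashlib.sha256(client_ip.encode("ascii")).digest()
    return origins[int.from_bytes(digest[:4], "big") % len(origins)]


class WeightedRoundRobin:
    """Smooth weighted round-robin (non-website services): an origin with
    weight 3 receives three of every four picks, interleaved rather than in a burst."""

    def __init__(self, weights):
        self.weights = dict(weights)                 # origin -> weight
        self.current = {origin: 0 for origin in self.weights}

    def pick(self):
        total = sum(self.weights.values())
        for origin, weight in self.weights.items():
            self.current[origin] += weight
        chosen = max(self.current, key=self.current.get)   # first maximum in insertion order
        self.current[chosen] -= total
        return chosen


class StickyRouter:
    """Session persistence keyed on client IP: reuse the origin chosen for a
    client until `timeout` seconds have passed since that client's first request
    (fixed window: an assumption about the proxy's behaviour)."""

    def __init__(self, balancer, timeout, clock=time.monotonic):
        self.balancer = balancer
        self.timeout = timeout
        self.clock = clock
        self.table = {}                              # client_ip -> (origin, first_seen)

    def route(self, client_ip):
        now = self.clock()
        entry = self.table.get(client_ip)
        if entry is not None and now - entry[1] < self.timeout:
            return entry[0]
        origin = self.balancer.pick()                # new client, or window expired
        self.table[client_ip] = (origin, now)
        return origin


ORIGINS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]   # constructed


def demo():
    """Same client at t=0, t=100 and t=1000 s with a 900 s window: the first two
    requests stick, the third is re-balanced because the window expired."""
    ticks = iter([0, 100, 1000])                     # simulated clock
    router = StickyRouter(WeightedRoundRobin({o: 1 for o in ORIGINS}),
                          timeout=900, clock=lambda: next(ticks))
    first = router.route("198.51.100.7")
    second = router.route("198.51.100.7")
    third = router.route("198.51.100.7")
    return first, second, third


if __name__ == "__main__":
    print("sticky sequence:", demo())
    wrr = WeightedRoundRobin({"203.0.113.10": 3, "203.0.113.11": 1})
    print("weighted round-robin:", [wrr.pick() for _ in range(4)])
    print("ip hash:", ip_hash_pick("198.51.100.7", ORIGINS))
```

Note that persistence here is a property of the source address, not of the user: `StickyRouter` has no way to recognise the same device after a network switch, which is exactly why the FAQ warns that a change from 4G to Wi-Fi breaks persistence.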

What is the default TCP timeout period for an Anti-DDoS Proxy instance?

The default timeout period is 900 seconds.

What are the default HTTP and HTTPS timeout periods for an Anti-DDoS Proxy instance?

The default timeout period is 120 seconds for both HTTP and HTTPS.

Does Anti-DDoS Proxy support IPv6?

The answer to this question varies based on the instance that you use. If you use an Anti-DDoS Proxy (Chinese Mainland) instance, IPv6 is supported. If you use an Anti-DDoS Proxy (Outside Chinese Mainland) instance, IPv6 is not supported.

Note

An Anti-DDoS Proxy (Chinese Mainland) instance can use IPv4 addresses and IPv6 addresses to forward access requests. If you use an instance to forward access requests from clients that use IPv6 addresses, the supported destination varies based on the methods that are used to add your services to Anti-DDoS Proxy. If you add your services by using domains, the access requests are forwarded only to origin servers that use IPv4 addresses. If you add your services by using ports, the access requests can be forwarded to origin servers that use IPv4 addresses or IPv6 addresses.

Does Anti-DDoS Proxy support WebSocket?

Yes, Anti-DDoS Proxy supports WebSocket. For more information, see How do I enable WebSocket?.

Does Anti-DDoS Proxy support mutual HTTPS authentication?

Website services that are added to Anti-DDoS Proxy do not support mutual HTTPS authentication. Non-website services that are added to Anti-DDoS Proxy and use TCP port forwarding support mutual HTTPS authentication.

Why am I unable to access HTTPS websites by using a browser of an earlier version or from an Android mobile client?

You are unable to access HTTPS websites because the browser or client may not support Server Name Indication (SNI). Make sure that the browser or client supports SNI. For more information, see How do I handle HTTPS access exceptions that occur when clients do not support SNI?

Which SSL protocols and cipher suites are supported by Anti-DDoS Proxy?

The following SSL protocols are supported: TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3.

The following cipher suites are supported:

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES256-GCM-SHA384

  • AES128-SHA256

  • AES256-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-SHA

  • AES256-SHA

  • DES-CBC3-SHA

For more information, see Customize TLS security policies.
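The SNI question above and the cipher suite list both come down to what the client puts in its TLS ClientHello. The following added example, which is not Alibaba Cloud code, parses a ClientHello record, reports whether the server_name extension is present and which of the offered suites overlap with the suites listed above, so that a client that fails against an SNI-dependent HTTPS front end can be diagnosed from a packet capture. The ClientHello bytes are constructed inline, the suite table maps a subset of the listed OpenSSL names to their standard IANA codes, and the "legacy" classification (suites without ECDHE, i.e. without forward secrecy) is this example's own.

```python
"""Parse a TLS ClientHello: SNI present? Which offered suites are supported?

Added example, not Alibaba Cloud code. Sample records are constructed by
build_client_hello(); nothing touches the network.
"""
import os
import struct

# Subset of the suites the FAQ lists, keyed by IANA cipher suite code.
SUPPORTED_SUITES = {
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
    0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0xC027: "ECDHE-RSA-AES128-SHA256",
    0xC028: "ECDHE-RSA-AES256-SHA384",
    0x009C: "AES128-GCM-SHA256",
    0x009D: "AES256-GCM-SHA384",
    0xC013: "ECDHE-RSA-AES128-SHA",
    0xC014: "ECDHE-RSA-AES256-SHA",
    0x002F: "AES128-SHA",
    0x0035: "AES256-SHA",
    0x000A: "DES-CBC3-SHA",
}


def build_client_hello(server_name, suites):
    """Construct a minimal TLS 1.2 ClientHello record (sample input only).
    server_name=None produces a hello without the SNI extension."""
    body = b"\x03\x03" + os.urandom(32) + b"\x00"       # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                   # one compression method: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # NameType host_name
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
        extensions += struct.pack("!HH", 0x0000, len(sni)) + sni
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'sni': str or None, 'suites': [int]} from a raw ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                    # session id
    (cs_len,) = struct.unpack_from("!H", record, pos)
    pos += 2
    suites = [struct.unpack_from("!H", record, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + record[pos]                    # compression methods
    sni = None
    if pos + 2 <= len(record):                # extensions block is optional
        (ext_len,) = struct.unpack_from("!H", record, pos)
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0x0000:            # server_name: list len(2), type(1), name len(2), name
                (name_len,) = struct.unpack_from("!H", record, pos + 3)
                sni = record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += length
    return {"sni": sni, "suites": suites}


def assess(record):
    """What an SNI-dependent HTTPS front end can do with this ClientHello."""
    hello = parse_client_hello(record)
    negotiable = [SUPPORTED_SUITES[s] for s in hello["suites"] if s in SUPPORTED_SUITES]
    return {
        "sni": hello["sni"],
        "sni_present": hello["sni"] is not None,
        "negotiable": negotiable,
        # this example's classification: suites without ECDHE lack forward secrecy
        "legacy_offered": [n for n in negotiable if not n.startswith("ECDHE")],
    }


if __name__ == "__main__":
    print(assess(build_client_hello("www.example.com", [0x0005, 0xC02F, 0x000A])))
    print(assess(build_client_hello(None, [0xC02F])))
```

A hello with `sni_present` false is the case the FAQ describes for old browsers and some Android clients: the front end has no name to select a certificate with. A non-empty `legacy_offered` list tells you which of the listed suites you would lose by tightening the TLS policy, which is the input you need before customising it.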

How does Anti-DDoS Proxy ensure the security of an uploaded certificate and its private key? Does Anti-DDoS Proxy decrypt HTTPS traffic and record the content of HTTPS requests?

If you use Anti-DDoS Proxy to protect HTTPS services, you must upload the required HTTPS certificate and its private key. This way, Anti-DDoS Proxy can decrypt HTTPS traffic to detect attacks and analyze the characteristics of attacks. Alibaba Cloud uses a dedicated key server to store and manage private keys. The key server is based on Alibaba Cloud Key Management Service (KMS) and can ensure the data security, integrity, and availability of both certificates and private keys. This helps meet the requirements for regulation, classified protection, and compliance. For more information about KMS, see What is Key Management Service?

Anti-DDoS Proxy uses an uploaded certificate and its private key to decrypt HTTPS traffic only when it detects attacks in real time. Anti-DDoS Proxy records only specific content of request payloads. The content is determined based on attack characteristics. Then, Anti-DDoS Proxy can provide attack reports and data statistics based on the content. Anti-DDoS Proxy can record the full content of requests or responses only when it is authorized to do so.

Anti-DDoS Proxy has been accredited against authoritative standards, including ISO 9001, ISO 20000, ISO 27001, ISO 27017, ISO 27018, ISO 22301, ISO 27701, ISO 29151, BS 10012, CSA STAR, MLPS level 3, Service Organization Control (SOC) 1, SOC 2, SOC 3, Cloud Computing Compliance Criteria Catalogue (C5), Outsourced Service Providers Audit Report (OSPAR), ISO 27001 (Indonesia), and Payment Card Industry Data Security Standard (PCI DSS). The standards also include those that prove the effectiveness of Anti-DDoS Proxy across financial sectors in Hong Kong (China) and the Philippines. In addition, Anti-DDoS Proxy provides the same security and compliance qualifications as Alibaba Cloud. For more information, visit Alibaba Cloud Trust Center.

Note

If you use Anti-DDoS Proxy to protect HTTPS services, you can use a dual-certificate method. This method allows you to use one certificate and private key on your Anti-DDoS Proxy instance and a separate certificate and private key on the origin server. Both certificates and private keys must be valid. This way, the key server can manage the two certificates and private keys separately.

What are the limits on the numbers of ports and domain names that can be protected by an Anti-DDoS Proxy instance?

  • The following list describes the maximum number of ports that can be protected:

    • An Anti-DDoS Proxy (Chinese Mainland) instance protects 50 ports by default. You can upgrade the instance to protect up to 400 ports.

    • An Anti-DDoS Proxy (Outside Chinese Mainland) instance protects 5 ports by default. You can upgrade the instance to protect up to 400 ports.

  • The following list describes the maximum number of domain names that can be protected:

    • An Anti-DDoS Proxy (Chinese Mainland) instance protects 50 domain names by default. You can upgrade the instance to protect up to 200 domain names.

    • An Anti-DDoS Proxy (Outside Chinese Mainland) instance protects 10 domain names by default. You can upgrade the instance to protect up to 200 domain names.

Why does the traffic chart show a traffic scrubbing event even though the volume of the traffic received by the server does not exceed the traffic scrubbing threshold?

An Anti-DDoS Proxy instance automatically filters out malformed packets. These include small SYN packets and packets that do not meet TCP requirements for reasons such as invalid SYN flags. Your server does not need to allocate resources to handle these malformed packets. These malformed packets are counted in the scrubbed traffic statistics. Therefore, the traffic chart may show a traffic scrubbing event even though the volume of the traffic received by the server does not exceed the traffic scrubbing threshold.
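To make the explanation above concrete, the following added example (not Alibaba Cloud code, and not a description of the proxy's actual filter) classifies raw TCP segments with a small set of malformed-packet checks of the kind the FAQ names, and tallies how many of a batch would be counted as scrubbed without ever reaching the server. The segments are constructed inline; the checks themselves, in particular treating a SYN that carries no TCP options as suspicious, are this example's own heuristics.

```python
"""Classify TCP segments as malformed and tally scrubbed vs forwarded.

Added example, not Alibaba Cloud code. Sample segments are constructed by
build_tcp(); the checks are illustrative heuristics, not the proxy's rules.
"""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp(flags, options=b"", payload=b"", src=40000, dst=443):
    """Construct a TCP segment: 20-byte header, options padded to 32-bit words, payload."""
    options += b"\x00" * (-len(options) % 4)
    offset_words = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH", src, dst, 1, 0, offset_words << 4, flags, 65535, 0, 0)
    return header + options + payload


def classify_segment(segment):
    """Return the reasons this segment would be dropped as malformed.
    An empty list means the segment passes."""
    reasons = []
    if len(segment) < 20:
        return ["header shorter than 20 bytes"]
    offset_words = segment[12] >> 4              # data offset, in 32-bit words
    flags = segment[13]
    if offset_words < 5:
        reasons.append("data offset below minimum header size")
    elif offset_words * 4 > len(segment):
        reasons.append("data offset points past end of segment")
    if flags & 0x3F == 0:
        reasons.append("no flags set")           # "null" segment
    if flags & SYN and flags & FIN:
        reasons.append("SYN+FIN")                # mutually exclusive flags
    if flags & SYN and flags & RST:
        reasons.append("SYN+RST")
    if flags & SYN and not flags & ACK and offset_words == 5:
        # Heuristic (assumption): real stacks send MSS and other options on SYN,
        # so a bare 20-byte SYN is the "small SYN packet" shape worth dropping.
        reasons.append("bare SYN without TCP options")
    return reasons


def summarize(segments):
    """Count how many segments the filter would scrub vs forward to the origin."""
    scrubbed = sum(1 for s in segments if classify_segment(s))
    return {"forwarded": len(segments) - scrubbed, "scrubbed": scrubbed}


MSS_1460 = b"\x02\x04\x05\xb4"                  # TCP option: kind 2, length 4, MSS 1460

if __name__ == "__main__":
    batch = [build_tcp(SYN, options=MSS_1460), build_tcp(SYN | FIN), build_tcp(0),
             build_tcp(ACK, payload=b"x" * 100)]
    for seg in batch:
        print(classify_segment(seg) or ["ok"])
    print(summarize(batch))
```

In the constructed batch, two of four segments are scrubbed, yet the server only ever sees the two clean ones, which is why the traffic chart can report a scrubbing event while the volume reaching the server stays under the threshold.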

Can Anti-DDoS Proxy protect websites that use NTLM authentication?

No, Anti-DDoS Proxy cannot protect websites that use New Technology LAN Manager (NTLM) authentication. The website requests forwarded by an Anti-DDoS Proxy instance cannot pass the NTLM authentication of the origin server. In this case, the clients receive repeated authentication requests. We recommend that you use Anti-DDoS Origin. For more information, see What is Anti-DDoS Origin?

Do the ports that are enabled in Anti-DDoS Proxy affect my service security?

No, the ports enabled in Anti-DDoS Proxy do not affect your service security.

Anti-DDoS Proxy provides traffic access and forwarding. Ports are predefined in a protection cluster. You can use the predefined ports to protect your services after you add your websites to an Anti-DDoS Proxy instance. The traffic destined for each domain name or port that is added to the instance is forwarded to the origin server only by using the specified ports. You can specify the ports when you add a domain name or port to the instance. Only the access requests over the ports that are specified in an Anti-DDoS Proxy instance are forwarded to the origin server. If you enable the ports that are not specified in an Anti-DDoS Proxy instance, no security risks or threats are imposed on your origin server.

Can Anti-DDoS Proxy block access from IP addresses in specific countries or from all IP addresses outside China?

Yes, Anti-DDoS Proxy can block access from IP addresses in specific countries or from all IP addresses outside China. Anti-DDoS Proxy supports the location blacklist feature. You can use the feature to block access from IP addresses outside China by country.

For more information about how to configure location blacklists for all services that are protected by an Anti-DDoS Proxy instance, see Configure the location blacklist feature. For more information about how to configure a location blacklist for a specific domain name, see Configure the location blacklist (domain names) feature.

Can I deploy CDN or DCDN together with Anti-DDoS Proxy?

No, we recommend that you do not deploy Alibaba Cloud CDN (CDN) or Dynamic Content Delivery Network (DCDN) together with Anti-DDoS Proxy.

  • Traffic that is destined for your website is first forwarded to CDN or DCDN, and then to Anti-DDoS Proxy:

    After traffic is forwarded to CDN or DCDN, the domain name of your website may be added to a sandbox and CDN or DCDN cannot forward traffic to Anti-DDoS Proxy. In this case, Anti-DDoS Proxy cannot protect your website against DDoS attacks.

  • Traffic that is destined for your website is first forwarded to Anti-DDoS Proxy, and then to CDN or DCDN:

    If traffic is first forwarded to Anti-DDoS Proxy, access acceleration provided by CDN or DCDN is affected.

For more information, see Use the CDN or DCDN interaction feature.

How do I configure DNS settings for a domain name if I want to use the CDN or DCDN interaction feature?

You must add the domain name to CDN or DCDN and Anti-DDoS Proxy. Then, you must configure an interaction rule in Sec-Traffic Manager of Anti-DDoS Proxy to resolve the domain name to the CNAME that is generated by Sec-Traffic Manager.

Note

The CDN or DCDN interaction feature is available only for Anti-DDoS Proxy instances that use the Enhanced function plan.

During normal service access, traffic is not scrubbed by Anti-DDoS Proxy and is directly forwarded to CDN for access acceleration. This reduces service latency and ensures high availability of service distribution. Traffic is scrubbed by Anti-DDoS Proxy only when the service is under attack to ensure service stability. For more information, see Use the CDN or DCDN interaction feature.