Origin site protection can protect your origin against light-traffic HTTP floods and web attacks, but it cannot defend the origin against heavy-traffic DDoS attacks. In addition, it does not prevent DDoS attacks that target the origin directly through traffic that bypasses Anti-DDoS Pro, which may even cause the origin IP address to be routed to a black hole.
Anti-DDoS Pro > ECS or origins outside Alibaba Cloud
Under this architecture, the source IP addresses of visitors' requests to ECS and non-Alibaba Cloud origins are converted to Anti-DDoS Pro back-to-source IP addresses.
You can use the origin's security software (such as iptables or a host firewall) to allow only the Anti-DDoS Pro back-to-source IP addresses and block all other IP addresses.
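The allowlist described above, as an added example (not Alibaba Cloud's own code): a POSIX shell script that generates an iptables chain accepting web traffic only from the Anti-DDoS Pro back-to-source ranges and dropping everything else on those ports, while leaving non-web traffic (such as SSH) to the existing INPUT rules so you do not lock yourself out. The ranges in ALLOWED_RANGES are constructed TEST-NET placeholders; replace them with the back-to-source ranges published in the Anti-DDoS Pro console.

```shell
#!/bin/sh
# Added example: restrict an origin server so that only Anti-DDoS Pro
# back-to-source IP ranges can reach the web ports.
# ALLOWED_RANGES is a constructed placeholder (TEST-NET); substitute the real
# back-to-source ranges from the Anti-DDoS Pro console before applying.
ALLOWED_RANGES="203.0.113.0/24 198.51.100.0/24"
WEB_PORTS="80 443"

# Print (do not run) the iptables commands that build a dedicated chain
# ORIGIN_GUARD on the INPUT path: accept established flows, accept the
# allowlisted ranges on the web ports, log a sample of bypass attempts,
# then drop everything else destined for those ports.
gen_origin_guard_rules() {
  echo "iptables -N ORIGIN_GUARD 2>/dev/null"
  echo "iptables -F ORIGIN_GUARD"
  echo "iptables -A ORIGIN_GUARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for port in $WEB_PORTS; do
    for cidr in $ALLOWED_RANGES; do
      echo "iptables -A ORIGIN_GUARD -p tcp --dport $port -s $cidr -j ACCEPT"
    done
    # Rate-limited log line gives a detection signal for traffic bypassing Anti-DDoS Pro.
    echo "iptables -A ORIGIN_GUARD -p tcp --dport $port -m limit --limit 10/min -j LOG --log-prefix \"ORIGIN_BYPASS: \""
    echo "iptables -A ORIGIN_GUARD -p tcp --dport $port -j DROP"
  done
  # All other traffic (SSH, monitoring, ...) returns to the existing INPUT rules.
  echo "iptables -A ORIGIN_GUARD -j RETURN"
  # Insert the jump at the top of INPUT only once (-C checks whether it already exists).
  echo "iptables -C INPUT -j ORIGIN_GUARD 2>/dev/null || iptables -I INPUT 1 -j ORIGIN_GUARD"
}

# Sanity check before applying: number of ACCEPT rules the generator produces
# (1 for established flows + one per port/range pair).
count_accept_rules() {
  gen_origin_guard_rules | grep -c -- '-j ACCEPT'
}

# Apply only when explicitly requested:  sh origin_guard.sh apply
if [ "${1:-}" = "apply" ]; then
  gen_origin_guard_rules | sh
fi
```

Review the generated commands with `sh origin_guard.sh` before running them with `apply`, and keep a console session open so a mistake in the ranges can be reverted.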
Anti-DDoS Pro > SLB > ECS
Under this architecture, the IP address that sends requests to ECS becomes SLB’s IP address.
We recommend that you use SLB’s whitelist to only allow Anti-DDoS Pro to access SLB. For more information about whitelist settings, see Configure a whitelist.
Anti-DDoS Pro > WAF/CDN > ECS
Under this architecture, the IP address that sends requests to ECS becomes the IP address of WAF or Alibaba Cloud CDN.
Whenever possible, we recommend that you configure the relevant protection policies on WAF and Alibaba Cloud CDN, and configure origin policies based on the back-to-source IP addresses of WAF or Alibaba Cloud CDN.
Alibaba Cloud WAF and Anti-DDoS Pro are fully compatible. You can use the following architecture to deploy them together: Anti-DDoS Pro (entry layer, DDoS attack protection) > WAF (intermediate layer, web attack protection) > Origin.
This topic describes the methods and principles for protecting your origin sites under Anti-DDoS Pro in different scenarios, and provides a step-by-step guide for configuring your ECS security group to protect the origin.
Anti-DDoS Pro is a value-added service used to protect servers, including external servers hosted in Mainland China, against volumetric DDoS attacks. You can redirect attack traffic to Anti-DDoS Pro to ensure the stability and availability of origin sites.
Web Application Firewall (WAF) protects your website servers against intrusions. Our service detects and blocks malicious traffic directed to your websites and applications. WAF secures your core business data and prevents server malfunctions caused by malicious activities and attacks.