Anti-DDoS overview


This topic describes the Anti-DDoS capabilities supported by ApsaraDB for OceanBase.

Background

When you access ApsaraDB for OceanBase over the Internet, the instance is exposed to DDoS attacks. The Internet service provider (ISP) provides traffic scrubbing and blackhole filtering for ApsaraDB for OceanBase; both are triggered and executed automatically by the OceanBase Database security monitoring system. When a DDoS attack is detected, the system first scrubs inbound traffic. If traffic scrubbing is insufficient, or if the blackhole triggering threshold is reached, blackhole filtering is triggered.

Important

We recommend that you access instances in ApsaraDB for OceanBase over an internal network to prevent DDoS attacks. If you do need to access an instance over the Internet, we recommend that you configure an access control list (ACL) to mitigate DDoS attacks.

Traffic scrubbing

When the OceanBase Database security monitoring system detects a large volume of attack traffic from the Internet, it automatically enables DDoS mitigation to scrub the attack traffic.

Traffic scrubbing is triggered for an instance in ApsaraDB for OceanBase if any of the following conditions is met:

  • Public bandwidth reaches 6,144 Mbit/s.

  • The number of packets that are sent per second reaches 1,536,000.

Note
  • Maximum connections: the maximum number of connections that can be established to a Classic Load Balancer (CLB) instance. If the number of existing concurrent connections reaches the upper limit, new connection requests are dropped.

  • Number of new connections per second (CPS): the number of new connections that can be established per second. If CPS reaches the upper limit, new connection requests are dropped.

  • Queries per second (QPS): the number of HTTP or HTTPS queries (requests) that can be processed per second. This metric is specific to Layer 7 listeners. If QPS reaches the upper limit, new connection requests are dropped.

Blackhole filtering

When the system receives a volume of attack traffic that exceeds the blackhole triggering threshold, all requests to the instance are dropped to ensure security.

Blackhole filtering is triggered for an instance in ApsaraDB for OceanBase if any of the following conditions is met:

  • The bit rate reaches 2 Gbit/s.

  • Traffic scrubbing is ineffective.

Blackhole filtering is terminated if the following condition is met:

  • By default, Alibaba Cloud automatically deactivates blackhole filtering 2.5 hours after a DDoS attack stops. However, the actual duration can range from 30 minutes to 24 hours depending on the frequency at which your asset is attacked.

The blackhole filtering duration is influenced by the following factors:

  • The attack duration. If the attack persists, the blackhole filtering duration is extended, restarting the deactivation timer.

  • The attack frequency. For a first-time attack on an asset, the blackhole filtering duration is automatically shortened. Conversely, if an asset experiences frequent attacks, the likelihood of sustained attacks increases, and the blackhole filtering duration is extended.
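The trigger conditions above (scrubbing at 6,144 Mbit/s or 1,536,000 packets per second, blackhole at 2 Gbit/s or when scrubbing is ineffective) and the deactivation timer (2.5 hours by default, restarted while the attack persists, shortened for a first attack and extended for frequently attacked assets, within 30 minutes to 24 hours) can be read as a small state machine. The following Python model is an added example, not ApsaraDB for OceanBase's implementation: it samples traffic once a minute, treats scrubbing as "ineffective" after an assumed three minutes over threshold (SCRUB_GRACE_MIN), and uses an assumed halve-then-double policy for how attack frequency changes the timer, since the page gives only the default and the range. Running it over a constructed timeline shows how a short packet-rate burst is only scrubbed while a sustained one ends in blackhole filtering that outlives the attack by the full timer.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Thresholds as stated on this page.
SCRUB_BANDWIDTH_MBPS = 6144        # public bandwidth that triggers scrubbing
SCRUB_PPS = 1_536_000              # packet rate that triggers scrubbing
BLACKHOLE_BANDWIDTH_MBPS = 2_000   # 2 Gbit/s, the stated blackhole threshold
DEFAULT_RELEASE_MIN = 150          # blackhole lifted 2.5 h after the attack stops
MIN_RELEASE_MIN, MAX_RELEASE_MIN = 30, 24 * 60

# Assumption of this toy model, not OceanBase behaviour: scrubbing counts as
# "ineffective" once traffic has stayed over threshold for this many minutes.
SCRUB_GRACE_MIN = 3


class State(Enum):
    NORMAL = "normal"
    SCRUBBING = "scrubbing"
    BLACKHOLE = "blackhole"


@dataclass
class Sample:
    minute: int   # minutes since start of the constructed timeline
    mbps: float   # inbound public bandwidth
    pps: int      # inbound packets per second


def is_attack(s: Sample) -> bool:
    """Scrubbing trigger: either condition on the page is sufficient."""
    return s.mbps >= SCRUB_BANDWIDTH_MBPS or s.pps >= SCRUB_PPS


def release_minutes(prior_episodes: int) -> int:
    """Assumed frequency policy (not the provider's): a first attack halves
    the default timer, each later attack doubles it, clamped to the
    30 min .. 24 h range the page gives."""
    if prior_episodes == 0:
        minutes = DEFAULT_RELEASE_MIN // 2
    else:
        minutes = DEFAULT_RELEASE_MIN * 2 ** (prior_episodes - 1)
    return max(MIN_RELEASE_MIN, min(MAX_RELEASE_MIN, minutes))


@dataclass
class Mitigator:
    state: State = State.NORMAL
    episodes: int = 0                  # attack episodes seen so far (attack frequency)
    scrub_minutes: int = 0             # consecutive minutes spent scrubbing
    release_at: Optional[int] = None   # minute at which blackhole filtering is lifted

    def _arm_timer(self, minute: int) -> None:
        # Episodes before the current one decide the timer length.
        self.release_at = minute + release_minutes(self.episodes - 1)

    def step(self, s: Sample) -> State:
        attacking = is_attack(s)
        if self.state is State.BLACKHOLE:
            if attacking:
                self._arm_timer(s.minute)   # attack persists: timer restarts
            elif self.release_at is not None and s.minute >= self.release_at:
                self.state = State.NORMAL   # timer expired with no attack traffic
            return self.state
        if not attacking:
            self.state = State.NORMAL
            self.scrub_minutes = 0
            return self.state
        if self.state is State.NORMAL:
            self.episodes += 1              # a new attack episode begins
            self.state = State.SCRUBBING
            self.scrub_minutes = 0
        self.scrub_minutes += 1
        # Blackhole is evaluated only once an attack is being scrubbed: either the
        # stated bandwidth threshold is reached or scrubbing proves ineffective.
        if s.mbps >= BLACKHOLE_BANDWIDTH_MBPS or self.scrub_minutes > SCRUB_GRACE_MIN:
            self.state = State.BLACKHOLE
            self._arm_timer(s.minute)
        return self.state


def simulate(samples: list[Sample]) -> list[State]:
    """Run the constructed timeline and return the state after each sample."""
    m = Mitigator()
    return [m.step(s) for s in samples]


def demo_timeline() -> list[Sample]:
    """Constructed samples: a two-minute packet-rate burst, then a five-minute one,
    then quiet traffic long enough to watch the blackhole timer expire."""
    t = [Sample(0, 100, 2_000_000), Sample(1, 100, 2_000_000), Sample(2, 100, 1_000)]
    t += [Sample(m, 100, 2_000_000) for m in range(3, 8)]
    t += [Sample(m, 100, 1_000) for m in range(8, 160)]
    return t


if __name__ == "__main__":
    for s, st in zip(demo_timeline(), simulate(demo_timeline())):
        if s.minute < 10 or s.minute in (156, 157):
            print(f"minute {s.minute:3d}: {st.value}")
```

In the timeline the first burst is scrubbed and released as soon as traffic drops, while the second burst crosses the grace period at minute 6, enters blackhole filtering with a 150-minute timer (second episode, so the default), has that timer restarted by the last attack sample at minute 7, and is released only at minute 157. A bandwidth-driven sample over 6,144 Mbit/s goes straight to blackhole filtering because the stated 2 Gbit/s blackhole threshold is already exceeded.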