When your Object Storage Service (OSS) bucket is attacked or used to distribute illegal content, OSS automatically moves it into a sandbox. A sandboxed bucket still responds to requests, but with degraded quality of service. This can affect network availability, cause request timeouts, and noticeably impact your applications.
Important notes
-
You are responsible for all costs incurred from the attack.
-
If a bucket is used to distribute illegal content, such as pornographic, political, or terrorist content, OSS moves the bucket to the sandbox. Severe violations may result in legal consequences.
Preventive measures against attacks
To prevent your bucket from being sandboxed due to DDoS, CC, or other attacks, you can either configure OSS DDoS protection or set up an ECS reverse proxy and bind it to an Anti-DDoS Proxy instance. The following table compares these two solutions.
|
Solution |
Description |
Advantages |
Disadvantages |
|
Solution 1: Configure OSS DDoS protection |
OSS DDoS protection is a proxy-based DDoS mitigation service that integrates OSS with Anti-DDoS Proxy. When a protected bucket experiences a high-volume attack, OSS DDoS protection redirects the attack traffic to a scrubbing cluster. Normal traffic is then forwarded to the target bucket to ensure business continuity. |
|
Limited number of protected buckets: You can create only one OSS DDoS protection instance per region, which can be bound to a maximum of 10 buckets. |
|
Solution 2: Configure an ECS reverse proxy and bind an Anti-DDoS Proxy instance |
For security, a bucket's default domain name resolves to a randomly changing IP address. If you need to access OSS through a fixed IP address, we recommend setting up a reverse proxy on an ECS instance. The elastic IP address (EIP) of the ECS instance can be bound to an Anti-DDoS Proxy instance to defend against DDoS and CC attacks. |
Ideal for scenarios that require accessing OSS through a fixed IP address. |
|
Follow these steps to implement the two solutions:
-
Solution 1: Configure OSS DDoS protection
Follow these steps to configure OSS DDoS protection for a bucket in the OSS console:
-
Create an OSS DDoS protection instance.
-
Bind the bucket.
After you bind the bucket, the OSS DDoS protection instance starts protecting the public endpoint of the bucket.
OSS DDoS protection supports only public bucket endpoints, such as
oss-cn-hangzhou.aliyuncs.com. It does not support the following endpoint types:-
Transfer acceleration endpoints (
oss-accelerate.aliyuncs.comandoss-accelerate-overseas.aliyuncs.com) -
Access points (for example,
ap-01-3b00521f653d2b3223680ec39dbbe2****-ossalias.oss-cn-hangzhou.aliyuncs.com) -
Object FC access points (for example,
fc-ap-01-3b00521f653d2b3223680ec39dbbe2****-opapalias.oss-cn-hangzhou.aliyuncs.com) -
Endpoints accessed over IPv6 (for example,
cn-hangzhou.oss.aliyuncs.com) -
Amazon S3-compatible endpoints (for example,
s3.oss-cn-hongkong.aliyuncs.com)
For more information, see OSS DDoS protection.
-
-
-
Solution 2: Configure an ECS reverse proxy and bind an Anti-DDoS Proxy instance
Follow these steps to configure an ECS reverse proxy and bind an Anti-DDoS Proxy instance:
-
Configure the ECS reverse proxy.
-
Create a CentOS or Ubuntu ECS instance. For more information, see Create an ECS instance.
ImportantIf the bucket is expected to handle high network traffic or a large number of requests, upgrade the ECS instance specifications or set up an ECS cluster.
-
Configure an ECS reverse proxy to access OSS. For more information, see Use an ECS instance as a reverse proxy to access OSS.
-
-
Bind the Anti-DDoS Proxy instance.
-
Purchase an Anti-DDoS Proxy instance based on your business requirements.
-
Add website configurations. In the Anti-DDoS Proxy console, add a website configuration. For Websites, select Standard Function or Enhanced Function. In the Website field, enter your domain name, such as
www.example.com. For Protocol Type, select HTTPS. For Server Address, select Origin IP and enter the origin IP address. The Server Port for HTTPS is443. Expand the advanced settings to configure options such as Force HTTPS Redirect, Enable HTTP to Origin, Enable HTTP/2, and Enable OCSP. After the configuration is complete, click Add.
-
-
Preventive measures against illegal content
To prevent your bucket from being sandboxed for distributing illegal content, we recommend using the OSS violation detection feature of Alibaba Cloud Content Moderation. This feature mitigates risks by periodically scanning selected buckets. For more information, see OSS violation detection.
Remediation for buckets sandboxed due to attacks
Alibaba Cloud does not directly remove buckets from the sandbox. If your bucket is sandboxed due to an attack, follow these steps.
You must configure OSS DDoS protection for your bucket in the following scenarios:
-
A bucket has been moved to the sandbox due to repeated attacks.
-
If multiple buckets in an account are repeatedly attacked, all existing and new buckets in that account are moved to the sandbox by default.
For detailed steps, see Configure OSS DDoS protection. After the configuration is complete, the service automatically removes the bucket from the sandbox and routes its traffic through the native endpoint or the Anti-DDoS protected IP address.
Remediation for sandboxing due to illegal content
Alibaba Cloud does not directly remove buckets from the sandbox. If your bucket is sandboxed for distributing illegal content, follow the steps below.
-
For a bucket that is already in the sandbox, perform the following steps:
-
Use the Alibaba Cloud Content Moderation service to regularly scan your bucket and ensure no more non-compliant content is distributed. For more information, see OSS violation detection.
-
Configure an ECS reverse proxy and access the bucket through the proxy server. For more information, see Solution 2: Configure an ECS reverse proxy and bind an Anti-DDoS Proxy instance.
ImportantSet up the ECS instance in the same region as the bucket and set proxy_pass to the internal endpoint of the bucket.
-
-
If multiple buckets in your account distribute illegal content, or if a single bucket does so repeatedly, all existing and new buckets in that account are sandboxed by default. In this case, perform the following steps:
-
Activate the Content Moderation service.
-
Submit a request to prevent new buckets from being sandboxed by default.
-
After the request is approved, configure content moderation to scan your new buckets regularly.
-