Anti-DDoS Origin Basic is enabled for CLB instances by default and at no charge, providing up to 5 Gbps of basic protection. All internet traffic is first scrubbed by Anti-DDoS Origin Basic before it reaches the load balancer. This service protects against common DDoS attacks such as SYN flood, UDP flood, ACK flood, ICMP flood, and DNS flood.
Anti-DDoS Origin Basic uses a combination of passive scrubbing and active suppression to ensure service availability during an attack. The following figure shows the network topology.
Anti-DDoS Origin Basic sets scrubbing and blackhole filtering thresholds based on the bandwidth of your public-facing CLB instance. When inbound traffic exceeds a threshold, it triggers scrubbing or blackhole filtering:
Scrubbing: When attack traffic is heavy or matches specific attack patterns, Alibaba Cloud Security automatically scrubs the malicious traffic.
Blackhole filtering: When attack traffic volume is extremely high, the service drops all incoming traffic to protect the entire cluster.
The thresholds are calculated based on the following two principles:
The bandwidth you purchase for the CLB instance determines the thresholds.
Your security credit score determines the blackhole filtering threshold.
NoteThe security credit score affects only the blackhole filtering threshold, not the scrubbing threshold.
Calculate thresholds
Follow these steps to calculate the thresholds.
The CLB backend provides threshold recommendations based on the bandwidth you purchase.
NoteIf you purchase a pay-by-data-transfer instance, the outbound bandwidth is the peak bandwidth supported by the instance's region. Currently, the peak bandwidth for regions in the Chinese mainland is 5 Gbps. For more information, see Bandwidth limits.
Relationship between CLB bandwidth and the BPS scrubbing threshold
If CLB bandwidth < 100 Mbps, the default BPS scrubbing threshold = 120 Mbps.
If CLB bandwidth > 100 Mbps, the default BPS scrubbing threshold = bandwidth × 1.2.
Relationship between CLB bandwidth and the PPS scrubbing threshold
PPS scrubbing threshold = (CLB bandwidth in Mbps / 500) × 150,000.
Relationship between CLB bandwidth and the BPS blackhole filtering threshold
If CLB bandwidth < 1 Gbps, the default blackhole filtering threshold = 2 Gbps.
If CLB bandwidth > 1 Gbps, the default blackhole filtering threshold = MAX(bandwidth × 1.5, 2 Gbps).
Alibaba Cloud Security calculates the final thresholds based on the recommendations from CLB, your security credit score, and resource availability in each region.
Rules for evaluating BPS and PPS thresholds
The minimum BPS value is 1,000 Mbps, and the minimum PPS value is 300,000.
If the reference threshold from CLB is lower than the minimum, the system uses the minimum value.
If the reference threshold from CLB is higher than the minimum, the system uses the reference threshold.
Alibaba Cloud Security determines the blackhole filtering threshold based on your security credit score.
Grant permissions
Follow these steps to grant a RAM user permissions for Anti-DDoS Origin Basic.
You must use your Alibaba Cloud account to grant permissions.
Log on to the RAM console by using your Alibaba Cloud account.
In the left-side navigation pane, click .
On the Users page, find the target RAM user, and in the Actions column, click Attach Policy.
In the Attach Policy panel, add permissions for the RAM user.
Select a Resource Scope.
Account: The permissions apply within the current Alibaba Cloud account.
Resource Group: The permissions apply within a specified Resource Group.
NoteTo use this scope, the service and its resources must support Resource Groups. For more information, see Services that work with Resource Group.
Select a policy.
In the Policy Name column, select AliyunYundunDDosFullAccess, add it to the list of selected policies, and then click OK.
Click Close.
View protection thresholds
Log on to the CLB console.
In the top navigation bar, select the region of your CLB instance.
On the Instances page, find the target CLB instance. Hover over the Alibaba Cloud Security icon to view the BPS scrubbing threshold, PPS scrubbing threshold, and blackhole filtering threshold. For more information, see the Anti-DDoS console.
BPS scrubbing threshold: Scrubbing is triggered when inbound traffic exceeds this threshold.
PPS scrubbing threshold: Scrubbing is triggered when the number of inbound packets exceeds this threshold.
Blackhole filtering threshold: Blackhole filtering is triggered when inbound traffic exceeds this threshold.