DDoS attack
A Distributed Denial of Service (DDoS) attack is a malicious attempt to make a targeted server unavailable by blocking its network bandwidth or overwhelming its system with a flood of internet traffic.
Network layer DDoS attack
A network layer DDoS attack attempts to make a targeted server unavailable to its intended users by blocking its network bandwidth and exhausting its system layer resources with a flood of internet traffic.
Common attacks include SYN flood, ACK flood, UDP flood, ICMP flood, and DNS/NTP/SSDP/Memcached reflection attacks.
CC attack
A CC attack is a malicious attempt to make a targeted server unavailable by occupying its application layer resources and exhausting its processing capacity.
Common attacks include HTTP/HTTPS-based GET/POST flood, layer-4 CC, and connection flood attacks.
Protection capability
Protection capability refers to the ability to defend against DDoS attacks. The Anti-DDoS service promises to provide all-out protection subject to the maximum DDoS protection capability of Tencent Cloud in the current region.
Cleansing
If the public network traffic of the target IP exceeds the preset protection threshold, Tencent Cloud Anti-DDoS service will automatically cleanse the inbound public network traffic of the target IP. With the BGP routing protocol, the traffic will be redirected to the DDoS cleansing devices which will analyze the traffic, discard the attack traffic, and forward the clean traffic back to the target IP.
In general, cleansing does not affect access except on special occasions or when the cleansing policy is configured improperly. If no exception is found (which is dynamically determined based on the attack) in the traffic for a period of time, the cleansing system will determine that the attack has stopped and then stop cleansing.
Blocking
Once the attack traffic exceeds the blocking threshold of the target IP, Tencent Cloud will block the IP from all public network access through ISP service to protect other Tencent Cloud users. In short, once the traffic attacking your IP goes over the maximum protection capacity of Tencent Cloud in the current region, Tencent Cloud will block the IP from all public network access. If your protected IP address is blocked, you can log in to the console to unblock it.
Blocking threshold
The blocking threshold of a protected IP of an Anti-DDoS instance is equal to the maximum protection capability in the current region.
Blocking duration
An attacked IP is blocked for two hours by default. The actual duration can be up to 24 hours depending on how many times the IP is blocked and how high the peak attack bandwidth is. The blocking duration is mainly affected by the following factors:
Continuity of the attack: The blocking duration will extend if an attack continues. Once the duration extends, a new blocking cycle will start.
Frequency of the attack: Users who are frequently attacked are more likely to be attacked continuously. In such a case, the blocking duration extends automatically.
Traffic volume of the attack: The blocking duration extends automatically in case of an ultra-large volume of attack traffic.
Note:
For IPs that are blocked especially frequently, Tencent Cloud reserves the right to extend the blocking duration and lower the blocking threshold.
Why is blocking necessary?
Tencent Cloud reduces the costs of cloud services by sharing the infrastructure, with one public IP shared by many users. When a high-traffic attack occurs, the entire Tencent Cloud network may be affected, not only the target servers. To protect other users and ensure network stability, the target server IP needs to be blocked.
Protection bandwidth
There are two types of protection bandwidth: base protection bandwidth and elastic protection bandwidth.
Base protection bandwidth: refers to the base protection capability of an Anti-DDoS Advanced instance. Base protection bandwidth is a prepaid monthly subscription feature.
Elastic protection bandwidth: refers to the largest possible protection capability of an Anti-DDoS Advanced instance. The part that exceeds the base protection bandwidth is billed on a daily pay-as-you-go basis.
If elastic protection is not enabled, the maximum protection capability of an Anti-DDoS Advanced instance will be the base protection bandwidth. If elastic protection is enabled, the maximum protection capability will be the elastic protection bandwidth. Once the attack traffic exceeds the maximum protection capability, IP blocking will be triggered.
Note:
Elastic protection is disabled by default. If you need this feature, please check the pricing and billing information and enable it yourself. You can adjust the elastic protection bandwidth as required at any time.
Protection bandwidth is only available for Anti-DDoS Advanced and Anti-DDoS Advanced Global Enterprise.
Benefits of elastic protection bandwidth
With elastic protection enabled, when the attack traffic is higher than the base protection bandwidth but lower than the elastic protection bandwidth, Tencent Cloud Anti-DDoS Advanced will continue to protect your IPs to ensure the continuity of your business.
Elastic protection billing
When enabled, elastic protection will be triggered and incur fees once the attack traffic goes over the base protection bandwidth. You will be billed on the following day based on the peak attack bandwidth of the current day.
For example, assume that you have purchased 20 Gbps of base protection bandwidth and set the elastic protection bandwidth to 50 Gbps. If the actual peak attack bandwidth of the current day is 35 Gbps, the part that exceeds the base protection bandwidth is 35 − 20 = 15 Gbps, so you will need to pay for the elastic protection according to the price of the 10-20 Gbps tier.
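The protection bandwidth and elastic billing rules above can be replayed over an attack history to compare an instance with elastic protection disabled against one with it enabled. This is an added example, not Tencent Cloud code: `InstanceConfig`, `evaluate_day`, `blocked_days`, `min_elastic_to_avoid_blocking` and the `HISTORY` values are hypothetical and constructed for illustration. It reports the billable excess bandwidth only, because tier prices are not given on this page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class InstanceConfig:  # hypothetical model, not a Tencent Cloud API object
    base_gbps: float
    elastic_gbps: Optional[float] = None  # None: elastic protection disabled (the default)

    def __post_init__(self):
        if self.elastic_gbps is not None and self.elastic_gbps < self.base_gbps:
            raise ValueError("elastic protection bandwidth must not be below base")

    @property
    def max_capability_gbps(self) -> float:
        # Disabled: the ceiling is the base bandwidth. Enabled: the elastic bandwidth.
        return self.base_gbps if self.elastic_gbps is None else self.elastic_gbps

def evaluate_day(cfg: InstanceConfig, peak_gbps: float) -> Tuple[str, Optional[float]]:
    """Classify one day by its peak attack bandwidth; return (outcome, billable excess)."""
    if peak_gbps > cfg.max_capability_gbps:
        # Blocking is triggered. The page does not say how such a day is billed.
        return ("blocked", None)
    if peak_gbps > cfg.base_gbps:
        # Elastic protection is triggered; the part above base is what gets billed.
        return ("protected_elastic", peak_gbps - cfg.base_gbps)
    return ("protected_base", 0.0)

def blocked_days(cfg: InstanceConfig, peaks: List[float]) -> List[int]:
    """Indexes of the days on which IP blocking would have been triggered."""
    return [i for i, p in enumerate(peaks) if evaluate_day(cfg, p)[0] == "blocked"]

def min_elastic_to_avoid_blocking(base_gbps: float, peaks: List[float]) -> Optional[float]:
    """Smallest elastic bandwidth that absorbs every peak; None if base was enough."""
    worst = max(peaks)
    return worst if worst > base_gbps else None

# Constructed daily peak attack bandwidths in Gbps (not real measurements).
HISTORY = [8, 35, 18, 62, 20]

if __name__ == "__main__":
    for label, cfg in [("elastic off", InstanceConfig(20)),
                       ("elastic 50", InstanceConfig(20, 50))]:
        print(label, [evaluate_day(cfg, p) for p in HISTORY], blocked_days(cfg, HISTORY))
    print("elastic needed:", min_elastic_to_avoid_blocking(20, HISTORY))
```

With the constructed history, the 35 Gbps day triggers blocking when elastic protection is off and becomes a billable 15 Gbps excess when the elastic bandwidth is 50 Gbps; the 62 Gbps day triggers blocking under both configurations.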