Advanced Anti-DDoS
Advanced Anti-DDoS (AAD) ensures the continuity of important enterprise services. AAD can protect your servers against large volumetric DDoS attacks so that your services remain reliable and stable. AAD offers high-defense IP addresses that provide services to external systems in place of the original server IP addresses. Malicious traffic targeting the origin servers can be diverted for scrubbing to keep mission-critical workloads running stably. This service can be used to protect HUAWEI CLOUD, non-HUAWEI CLOUD, and IDC hosts.
If an AAD instance has expired for more than 30 calendar days, AAD will stop forwarding service traffic and the instance will become invalid. If you do not need to use AAD anymore, switch your service traffic from AAD to the origin server 30 calendar days before the expiration date.
- AAD not deployed
Without AAD, the origin servers are exposed to the Internet and are likely to be taken out of service when Distributed Denial-of-Service (DDoS) attacks occur.
Figure 1 AAD not deployed
- AAD deployed
You can connect AAD to your services. The domain name of a website service is resolved to the high-defense IP address, and the service IP address of a non-web service is changed to the high-defense IP address. All public network traffic is diverted to the high-defense IP address, so user services on the origin servers are protected against DDoS attacks.
Figure 2 AAD deployed
AAD Mechanism
The AAD service uses the high-defense IP address to proxy services for origin servers. All public network traffic is diverted to the high-defense IP address, and therefore user services on the origin servers are protected against DDoS attacks. The following figure illustrates the mechanism of AAD traffic diversion and forwarding.
- Customer
- Origin server IP address
A public IP address used by the origin server (also known as the IP address that is protected against exposure)
- High-defense IP address
An IP address used to provide services for customers in place of the origin server IP address
- Back-to-origin IP address
An IP address in the AAD data center that is used to communicate with the origin server IP address in place of the customer IP address
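The three address roles above imply two things a defender can check: no DNS record should still publish the origin server IP address, and connections arriving at the origin should come only from back-to-origin IP addresses. The following is an added example, not Huawei code; every address, range, and hostname in it is a constructed placeholder, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges); substitute your own.
ORIGIN_IPS = {ipaddress.ip_address("198.51.100.20")}
BACK_TO_ORIGIN_NETS = [ipaddress.ip_network("192.0.2.0/27")]

# Constructed DNS records: (name, type, value)
DNS_RECORDS = [
    ("www.example.com", "A", "203.0.113.10"),    # high-defense IP
    ("api.example.com", "A", "203.0.113.10"),    # high-defense IP
    ("old.example.com", "A", "198.51.100.20"),   # still publishes the origin
    ("example.com", "MX", "mx.example.com"),
    ("mx.example.com", "A", "198.51.100.20"),    # origin exposed via mail host
]

# Constructed connections seen at the origin server: (source IP, host)
ORIGIN_CONNECTIONS = [
    ("192.0.2.5", "www.example.com"),
    ("192.0.2.17", "api.example.com"),
    ("198.51.100.77", "www.example.com"),        # not a back-to-origin address
]


def exposed_records(records, origin_ips):
    """Names whose A/AAAA record publishes an origin server IP address."""
    return [name for name, rtype, value in records
            if rtype in ("A", "AAAA") and ipaddress.ip_address(value) in origin_ips]


def direct_to_origin(connections, back_to_origin_nets):
    """Connections whose source is outside every back-to-origin range."""
    flagged = []
    for src, host in connections:
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in back_to_origin_nets):
            flagged.append((src, host))
    return flagged


if __name__ == "__main__":
    for name in exposed_records(DNS_RECORDS, ORIGIN_IPS):
        print(f"DNS exposes origin IP: {name}")
    for src, host in direct_to_origin(ORIGIN_CONNECTIONS, BACK_TO_ORIGIN_NETS):
        print(f"Origin reached without passing AAD: {src} -> {host}")
```

Either finding means some traffic can reach the origin server without being scrubbed at the high-defense IP address.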
AAD provides defense against a wide range of network-layer and application-layer DDoS attacks, including SYN flood, UDP flood, ACK flood, ICMP flood, DNS query flood, NTP reply flood, and CC attacks.
Service Architecture
Employing multi-layer filtering and protection technologies, such as layered defense and distributed scrubbing, the AAD service can effectively detect and filter out attack traffic. Figure 3 illustrates the network topology of the AAD service.