Handle exposure of the origin IP address

After you add your service to Anti-DDoS IP, if attack traffic bypasses scrubbing and reaches the origin server directly, the IP address of the origin server may have been exposed. In this case, you must change the IP address of the origin server.

Check for risks that cause IP address exposure

Before you change the IP address of the origin server, make sure that you eliminate all risks to prevent the IP address from being exposed again. You can check for the following exposure risks:

  • Check whether the origin server contains security risks, such as trojans and backdoors.
  • Check whether the origin server runs services that are not added to Anti-DDoS IP. For example, you may have added MX records for an email server, or other DNS records for a BBS website, that point to the origin server.
    Notice: Make sure that no DNS records map a domain name to the IP address of the origin server.
  • Check whether the source code of the website is exposed. For example, the output of the phpinfo() function may contain the IP address of the origin server.
  • Check whether the origin server is subject to malicious scanning. You can allow inbound traffic to the origin server only from the back-to-origin IP addresses of Anti-DDoS IP.
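
One way to run the DNS check from the list above over an exported zone file (an added example, not part of the original documentation). The zone contents, domain names and IP addresses are constructed, and the function names are hypothetical. The example goes slightly beyond the MX and A records the text mentions by also following CNAME records and reading SPF ip4: entries in TXT records, which publish addresses as well.

```python
import ipaddress

# Constructed zone export: 203.0.113.10 stands in for the origin IP address,
# 198.51.100.7 for the Anti-DDoS IP address (both are documentation ranges).
SAMPLE_ZONE = """\
example.com.       600 IN A     198.51.100.7
www.example.com.   600 IN CNAME example.com.
bbs.example.com.   600 IN A     203.0.113.10
mail.example.com.  600 IN A     203.0.113.10
example.com.       600 IN MX    10 mail.example.com.
old.example.com.   600 IN CNAME bbs.example.com.
example.com.       600 IN TXT   "v=spf1 ip4:203.0.113.0/28 -all"
"""

def parse_zone(text):
    """Return (name, type, rdata) tuples from 'name ttl IN type rdata' lines."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[2].upper() == "IN":
            records.append((parts[0].lower(), parts[3].upper(), parts[4].strip()))
    return records

def resolve(name, records, depth=0):
    """Follow CNAMEs inside the zone and return the A-record addresses."""
    if depth > 8: return set()  # guard against CNAME loops
    ips = set()
    for rname, rtype, rdata in records:
        if rname == name and rtype == "A":
            ips.add(rdata)
        elif rname == name and rtype == "CNAME":
            ips |= resolve(rdata.lower(), records, depth + 1)
    return ips

def find_origin_exposures(zone_text, origin_ip):
    """List (name, type, reason) for every record that leads to origin_ip."""
    origin = ipaddress.ip_address(origin_ip)
    records, findings = parse_zone(zone_text), []
    for name, rtype, rdata in records:
        if rtype == "A" and ipaddress.ip_address(rdata) == origin:
            findings.append((name, rtype, "points at origin"))
        elif rtype in ("CNAME", "MX"):  # the target host is the last field
            target = rdata.split()[-1].lower()
            if str(origin) in resolve(target, records):
                findings.append((name, rtype, "via " + target))
        elif rtype == "TXT":  # SPF ip4: mechanisms also publish the address
            for tok in rdata.strip('"').split():
                if tok.startswith("ip4:") and origin in ipaddress.ip_network(tok[4:], strict=False):
                    findings.append((name, rtype, tok))
    return findings
```

Every record it returns should be removed or repointed at Anti-DDoS IP before the origin IP address is changed, and the same check should be run again with the new address afterwards.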

Change the IP address of the origin server

After you eliminate all risks that may cause the exposure, you can change the IP address of the origin server.
If you do not want to change the IP address or the new IP address is also exposed, we recommend that you deploy an ELB instance in front of the ECC instance. You can adopt the following network architecture: Client > Anti-DDoS IP > ELB instance > ECC instance.