How Tencent Cloud Defeats Massive DDoS Attacks in Seconds
This article explains how Tencent Cloud’s Dayu service mitigates large‑scale DDoS and CC attacks, using DNS redirection, traffic scrubbing nodes, and rapid 5‑second cleaning to keep services like Hammer Technology online during massive traffic spikes.
This Is a Great Era and a Bad Era
Data shows rapid growth of internet users and the global cloud market from 2010‑2015, but also a surge in DDoS attacks and black‑market activities that threaten the internet.
In 2014 a foreign vendor suffered a 12‑hour DDoS outage; in the first half of this year China recorded 33 attacks exceeding 100 G each. In July 2015 Tencent Cloud mitigated a near‑300 G attack.
“Outbound traffic” is what the attacker sends; “inbound traffic” is what actually arrives at the victim. Network operators filter malicious traffic along the way, so only a fraction reaches the victim. For example, buying 1 G of outbound traffic may result in only 100 M reaching the target.
Thus the 297 G inbound attack in July 2015 corresponded to an even larger outbound volume.
Hammer Technology’s DDoS Mitigation Process
Hammer’s website originally pointed directly to its IDC server with only a few gigabits of DDoS protection. When a launch event triggered traffic beyond the limit, the site became unreachable.
Tencent’s “Dayu” service was engaged by adding a CNAME record that points the domain to Dayu’s acceleration node.
Dayu can protect customers without moving their servers to Tencent Cloud.
Dayu routes incoming traffic to its cleaning node (OC point), filters malicious packets, and forwards the remaining clean traffic back to the original IDC. An attack of 10 G can be reduced to 500 M of legitimate traffic after cleaning.
13‑Minute Critical Window
After the DNS record is changed, propagation takes several minutes in China because local DNS caches differ; the whole process typically takes about 13 minutes.
Understanding DDoS Protection
Tencent Cloud operates over 400 protection nodes nationwide, each offering ~10 G capacity, totaling several terabits of mitigation. The architecture scales horizontally, allowing rapid addition of nodes to increase capacity.
Bandwidth is a cost factor; Tencent leverages its extensive data‑center network to share idle bandwidth for protection.
Can a Regular IDC Serve as an OC Cleaning Point?
A standard IDC with 10 G bandwidth cannot handle a 10 G attack because CPU and connection limits are reached before bandwidth is saturated.
Dayu’s OC points include three centers—management, cleaning, and detection—that collaborate to filter attacks, including CC (Challenge Collapsar) attacks that exhaust server resources with low‑volume traffic.
CC attacks generate legitimate‑looking HTTP requests to overwhelm applications.
Traditional DDoS floods bandwidth; CC attacks exhaust CPU and connections, allowing attackers to bring down services with as little as 20 M of traffic.
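The difference between a bandwidth flood and a CC attack shows up in what a detector has to measure. The following added example (not code from the original article or from Dayu) runs a bandwidth check and a per-client request-rate check over constructed request events; the window, thresholds, and documentation-range IP addresses are assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 5                 # assumed sliding window, seconds
MAX_REQ = 50                 # assumed per-client request ceiling per window
BANDWIDTH_ALARM_BPS = 100e6  # assumed volumetric alarm threshold, bits/s

def sample_events():
    """Constructed (time_s, client_ip, request_bytes) tuples; not real traffic."""
    events = []
    for t in range(30):
        if t % 5 == 0:   # 20 ordinary clients, one 40 kB page load every 5 s
            events += [(float(t), f"192.0.2.{i}", 40_000) for i in range(1, 21)]
        if t >= 10:      # CC phase: 3 clients, 40 small 400-byte requests/s each
            for i in range(1, 4):
                events += [(t + k / 40, f"198.51.100.{i}", 400) for k in range(40)]
    return sorted(events)

def peak_bps(events, window=WINDOW_S):
    """Highest average bit rate observed in any sliding window."""
    recent, total, peak = deque(), 0, 0.0
    for t, _, size in events:
        recent.append((t, size))
        total += size
        while recent[0][0] <= t - window:   # drop events older than the window
            total -= recent.popleft()[1]
        peak = max(peak, total * 8 / window)
    return peak

def cc_suspects(events, window=WINDOW_S, max_req=MAX_REQ):
    """Map client -> time it first exceeded max_req requests within one window."""
    recent, flagged = defaultdict(deque), {}
    for t, ip, _ in events:
        q = recent[ip]
        q.append(t)
        while q[0] <= t - window:
            q.popleft()
        if len(q) > max_req and ip not in flagged:
            flagged[ip] = t
    return flagged

if __name__ == "__main__":
    ev = sample_events()
    print(f"peak rate {peak_bps(ev) / 1e6:.2f} Mbit/s, "
          f"alarm at {BANDWIDTH_ALARM_BPS / 1e6:.0f} Mbit/s")
    for ip, t in sorted(cc_suspects(ev).items()):
        print(f"{ip} exceeded {MAX_REQ} requests per {WINDOW_S}s at t={t:.2f}s")
```

On this sample the bandwidth check never fires, while the request-rate check flags the three high-frequency clients shortly after the CC phase begins.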
Dayu’s system can detect, manage, and clean an attack within five seconds, even for massive traffic spikes.
Why Five‑Second Cleaning Is Possible
Attacks may appear as gradual waves or sudden peaks. Dayu’s unified protection can react within seconds to sudden peaks, preventing IDC bandwidth from being completely saturated.
That concludes the technical sharing.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
