Anti-DDoS Proxy uses port forwarding rules to route non-website service traffic through its exclusive IP address for scrubbing. Once configured, your instance defends against transport-layer attacks (SYN Flood, UDP Flood) and application-layer attacks that do not use HTTP or HTTPS.
Prerequisites
Before you begin, make sure that you have:
An Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance. For more information, see Purchase an Anti-DDoS Proxy instance.
Step 1: Create port forwarding rules
A port forwarding rule tells your instance which port to listen on and where to forward traffic. Create at least one rule before switching your service traffic.
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance:
Anti-DDoS Proxy (Chinese Mainland): Select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): Select Outside Chinese Mainland.
In the left-side navigation pane, choose Provisioning > Port Config.
On the Port Config page, select your instance and create a port forwarding rule using the following parameters.
If an icon is shown next to a protocol in the Forwarding Protocol column, the rule was auto-generated when you added a website. Auto-generated rules cannot be modified or deleted; they are removed automatically when you remove the associated website. For details, see Add one or more websites. Auto-generated rules are created in these cases:
- You added a domain name with origin server port 80: a TCP rule forwarding traffic on port 80 is created.
- You added a domain name with origin server port 443: a TCP rule forwarding traffic on port 443 is created.
| Parameter | Description |
|---|---|
| Forwarding Protocol | The protocol for forwarding traffic. Valid values: TCP and UDP. |
| Redirection Port | The port on which the instance listens for incoming traffic. Keep this value the same as Origin Server Port when possible. Port 53 is not supported (custom DNS servers cannot be protected), and within an instance a forwarding port can be used only once per protocol. |
| Origin Server Port | The port of your origin server. |
| Back-to-origin scheduling algorithm | Always polling (round-robin). Cannot be changed. |
| Application-layer Protection | Available only for instances with the Enhanced function plan and for TCP-based non-website services. Protects against non-HTTP/HTTPS application-layer attacks by enforcing connection timeouts. Back-to-origin new connection timeout (1 to 3 seconds): if a new backend connection cannot be established within this time, the connection is considered timed out. This blocks attackers from holding TCP connections open with fake HTTP requests (such as CC attacks) without sending valid data. Back-to-origin read/write timeout (60 to 600 seconds): the read timeout is how long the instance waits for a backend response; the write timeout is how long the instance allows for sending data to the backend server. These limits prevent attackers from draining backend resources by keeping valid connections alive at very low data rates. For details on applicable attack types, see Scenario-specific anti-DDoS solutions. |
| Origin IP Address | The IP address of your origin server. You can enter up to 20 IP addresses separated by commas (,) to enable load balancing. The origin server can be an Alibaba Cloud service or a third-party service. If it is an Alibaba Cloud service, it must belong to your current account; if it belongs to another account, contact your account manager before adding it. |
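The constraints in the parameter table are easy to get wrong when many rules are entered by hand (port 53, a forwarding port reused for the same protocol, more than 20 origin IPs, timeouts outside their ranges). The following pre-check is an added example, not Alibaba Cloud code and not its API; it validates a rule set locally before you enter it in the console. The dictionary layout of a rule and the function names are assumptions of this example.

```python
"""Local pre-check for a set of Anti-DDoS Proxy port forwarding rules.

Added example, not Alibaba Cloud code.  It encodes the constraints from the
parameter table so a rule set can be checked before it is entered in the
console.  The rule dictionary layout and function names are assumptions.
"""
import ipaddress

MAX_ORIGIN_IPS = 20            # up to 20 comma-separated origin IPs per rule
UNSUPPORTED_PORTS = {53}       # port 53 cannot be used as a forwarding port
TIMEOUT_RANGES = {             # Application-layer Protection limits, in seconds
    "new_connection_timeout": (1, 3),
    "read_write_timeout": (60, 600),
}


def _is_port(value) -> bool:
    return isinstance(value, int) and 1 <= value <= 65535


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_rules(rules, enhanced_plan=False):
    """Return a list of problems; an empty list means the rule set is acceptable.

    Each rule is a dict with keys protocol, forwarding_port, origin_port,
    origin_ips (comma-separated string) and, optionally,
    app_layer_protection (dict holding the two timeouts).
    """
    problems = []
    seen = set()  # (protocol, forwarding port) must be unique within an instance
    for idx, rule in enumerate(rules):
        tag = f"rule {idx}"
        proto = rule.get("protocol")
        if proto not in ("TCP", "UDP"):
            problems.append(f"{tag}: protocol must be TCP or UDP")
            continue

        fwd, origin = rule.get("forwarding_port"), rule.get("origin_port")
        if not _is_port(fwd):
            problems.append(f"{tag}: forwarding port must be 1-65535")
        if not _is_port(origin):
            problems.append(f"{tag}: origin server port must be 1-65535")
        if fwd in UNSUPPORTED_PORTS:
            problems.append(f"{tag}: forwarding port {fwd} is not supported")
        if (proto, fwd) in seen:
            problems.append(f"{tag}: duplicate {proto} forwarding port {fwd}")
        seen.add((proto, fwd))

        ips = [ip.strip() for ip in rule.get("origin_ips", "").split(",") if ip.strip()]
        if not ips:
            problems.append(f"{tag}: at least one origin IP address is required")
        elif len(ips) > MAX_ORIGIN_IPS:
            problems.append(f"{tag}: more than {MAX_ORIGIN_IPS} origin IP addresses")
        problems.extend(f"{tag}: invalid origin IP address {ip!r}" for ip in ips if not _is_ip(ip))

        alp = rule.get("app_layer_protection")
        if alp is not None:
            if proto != "TCP":
                problems.append(f"{tag}: Application-layer Protection is available for TCP only")
            if not enhanced_plan:
                problems.append(f"{tag}: Application-layer Protection requires the Enhanced function plan")
            for key, (lo, hi) in TIMEOUT_RANGES.items():
                value = alp.get(key)
                if not isinstance(value, int) or not lo <= value <= hi:
                    problems.append(f"{tag}: {key} must be {lo}-{hi} seconds")
    return problems


if __name__ == "__main__":
    # Constructed sample: a game server on 25565 plus a rule that misuses port 53.
    sample = [
        {"protocol": "TCP", "forwarding_port": 25565, "origin_port": 25565,
         "origin_ips": "192.0.2.10, 192.0.2.11"},
        {"protocol": "UDP", "forwarding_port": 53, "origin_port": 53,
         "origin_ips": "192.0.2.10"},
    ]
    for problem in validate_rules(sample):
        print(problem)
```

The check flags only what the table states; it does not know your instance's existing rules, so feed it the full rule set for the instance, not just the rules you are about to add.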
Step 2: Route your service traffic to the instance
After creating port forwarding rules, replace your service IP address with the exclusive IP address of your Anti-DDoS Proxy instance. All inbound traffic then passes through the instance for scrubbing before being forwarded to your origin server.
When an attack occurs, the instance detects and scrubs attack traffic at the network edge — without waiting for traffic to reach your origin. Only clean traffic is forwarded, keeping your service available even under heavy attack.
Follow these steps in order to avoid service interruptions:
Allow the back-to-origin IP addresses of your instance on your origin server, so that traffic forwarded by the instance is not blocked by security software. For more information, see Allow back-to-origin IP addresses to access the origin server. Where your setup permits, also restrict the origin to accept service traffic only from those addresses: if the origin IP address stays directly reachable, an attacker who learns it can send traffic straight to the origin and bypass the instance's scrubbing.
Verify that the port forwarding rules are working correctly on a local machine before switching live traffic. For more information, see Verify traffic forwarding settings on a local machine.
Warning: If you switch your service traffic to your instance before the port forwarding rules take effect, your services may be interrupted.
Switch your service traffic to the instance. In most cases, replace the service IP address with the exclusive IP address of your instance. The exact method depends on your platform:
- If your service is accessed via a domain name (for example, a game server where the domain is hard-coded in the client), update the A record at your DNS provider to point to the exclusive IP address of your instance. For more information, see Change the DNS record.
- To add a Layer 4 service to multiple Anti-DDoS Proxy instances and enable automatic traffic failover between them, add the domain name to Anti-DDoS Proxy and update the CNAME record. For more information, see Modify CNAME records to protect transport-layer services.
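The step that prevents an outage is the verification before the DNS change: the same probe must get the same answer from the origin directly and from the instance's exclusive IP address on the forwarding port. The script below is an added example, not part of Alibaba Cloud's documentation or console; it performs that comparison for a TCP or UDP rule and ships a throwaway local echo server so the checker can be dry-run on 127.0.0.1. The probe bytes, the hostnames and the helper names are assumptions; replace the probe with your service's own handshake (for example a game server's hello packet) and point it at the real origin and instance addresses.

```python
"""Pre-cutover check that a transport-layer forwarding rule works end to end.

Added example, not Alibaba Cloud code.  It sends the same probe directly to
the origin server and to the instance's exclusive IP on the forwarding port
and reports whether the instance returned the origin's reply.  Probe bytes,
addresses and helper names are assumptions of this example.
"""
import socket
import threading


def tcp_probe(host: str, port: int, payload: bytes, timeout: float = 3.0):
    """Connect, send payload and return the first reply chunk, or None on failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.sendall(payload)
            return conn.recv(4096)
    except OSError:  # refused, timed out, unreachable
        return None


def udp_probe(host: str, port: int, payload: bytes, timeout: float = 3.0):
    """Send one datagram and return the reply, or None if nothing comes back."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(payload, (host, port))
            data, _ = sock.recvfrom(4096)
            return data
    except OSError:
        return None


def check_forwarding(origin_ip, origin_port, instance_ip, forwarding_port,
                     payload=b"PING\n", protocol="TCP"):
    """Compare the origin's direct reply with the reply obtained via the instance.

    Returns a dict; 'ok' is True only when both replies arrived and are equal.
    A None in 'via_instance' with a reply in 'direct' means the rule is not
    forwarding yet (or the forwarding port/protocol is wrong).
    """
    probe = tcp_probe if protocol == "TCP" else udp_probe
    direct = probe(origin_ip, origin_port, payload)
    via_instance = probe(instance_ip, forwarding_port, payload)
    return {
        "direct": direct,
        "via_instance": via_instance,
        "ok": direct is not None and direct == via_instance,
    }


def start_local_echo_server() -> int:
    """Start a throwaway TCP server on 127.0.0.1 that answers 'PONG:' + request.

    Stands in for both the origin and the instance during a dry run so the
    checker can be exercised without touching production.  Returns the port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(b"PONG:" + conn.recv(4096))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Dry run against the local echo server; in production pass the real
    # origin IP/port and the instance's exclusive IP/forwarding port instead.
    port = start_local_echo_server()
    print(check_forwarding("127.0.0.1", port, "127.0.0.1", port))
```

Run it from a machine that can reach both the origin and the instance, and only change the A record when `ok` is True for every rule. For UDP services, pass `protocol="UDP"`; a service that does not answer an unsolicited datagram needs a payload it will actually respond to.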
Step 3: Configure port forwarding and DDoS mitigation policies
After routing traffic to your instance, it immediately applies default DDoS mitigation to scrub and forward traffic — no additional configuration is required. You can optionally tune the following settings to match your service requirements.
On the Port Config page, select your instance, locate the port forwarding rule to manage, and configure the parameters below.
| Parameter | Default state | Description |
|---|---|---|
| Session Persistence | Off — enable as needed | If clients experience logon timeouts or disconnections after onboarding, enable session persistence. This ensures that requests from the same client are always forwarded to the same backend server during the configured timeout period. To enable: click Configure in the Session Persistence column, set the Timeout Period, and click Set Timeout Period and Enable. To disable: click Disable Session Persistence. |
| Health Check | Off — enable as needed | For services with multiple origin servers, enable health checks to detect unhealthy servers and stop forwarding requests to them. To enable: click Configure in the Health Check column, turn on Enable Health Check, configure the parameters, and click OK. For parameter details, see Configure health checks. |
| DDoS Mitigation Policies | Default policy active | Create custom mitigation policies to limit connection speeds and packet lengths, protecting your services against low-bandwidth connection-oriented DDoS attacks. To customize: click DDoS Mitigation Policies in the Configure column, then configure policies on the Protection for Non-website Services tab. For more information, see Configure a DDoS mitigation policy. |
Step 4: View protection data
After onboarding your non-website service, monitor traffic and protection events on the Security Overview page.
In the left-side navigation pane, click Security Overview.
Click the Instances tab, select your instance, and specify a time range.
The page displays the following data:
| Section | Description |
|---|---|
| Bandwidth | Anti-DDoS Proxy (Chinese Mainland): A trend chart showing inbound, outbound, attack, and rate-limited traffic in bps or pps. Anti-DDoS Proxy (Outside Chinese Mainland): An Overview tab for bandwidth trends, an Inbound Traffic Distribution tab, and an Outbound Traffic Distribution tab. |
| Connections | Concurrent Connections: The total number of TCP connections between clients and the instance. Active connections are in the Established state; inactive connections are in all other states. New Connections: The number of new TCP connections established per second. |
| Network Layer Attack Events, Alerts on Exceeded Upper Limits, and Destination Rate Limit Events | Network Layer Attack Events: Hover over an IP address or port to view attack details including Attack Target, Attack Type, Peak Attack Traffic, and Protection Effect. Alerts on Exceeded Upper Limits: Alerts are generated when clean bandwidth, new connections, or concurrent connections exceed your purchased specifications. Your service is not affected, but upgrading your instance is recommended. Alerts are refreshed every Monday at 10:00 (UTC+8) and reflect events from the previous day. If you have configured notifications (internal messages, SMS, or email), you receive a summary at the same time. Click Details in the Status column to view the full alert in System Logs. Destination Rate Limit Events: Rate limiting is triggered when new connections, concurrent connections, or service bandwidth exceed your instance specifications. Your service is affected. If triggered by service traffic, upgrade your instance as soon as possible. If triggered by a DDoS attack, adjust your mitigation policies as soon as possible. Click Details to view the event in System Logs. |
| Service Distribution by Location and Service Distribution by ISP | Service Distribution by Location: Geographic distribution of source traffic. Service Distribution by ISP: Distribution of traffic by Internet service provider (ISP). |