OSS distributed denial of service attack (DDoS) protection is a proxy-based mitigation service that integrates OSS with DDoS protection. When your protected OSS bucket suffers DDoS attacks, OSS DDoS protection diverts malicious traffic to an Anti-DDoS Pro or Anti-DDoS Premium instance for scrubbing and then redirects normal traffic to the bucket. This way, your business can continue to function normally even after DDoS attacks.

Note OSS DDoS protection is in public preview in the China (Shanghai), China (Qingdao), and China (Shenzhen) regions.Contact technical support to apply for a trial.


DDoS attacks are one of the most harmful attack methods against enterprise business in recent years. When an enterprise suffers DDoS attacks, its business may be interrupted. Consequently, the normal operating of business is affected due to damage to corporate identities, customer attrition, and loss of profits.

To mitigate these problems, OSS is integrated with DDoS protection to provide the highest DDoS attack mitigation capability at the Tbit/s level, millions of queries per second (QPS), and switchovers between Anti-DDoS Pro and Anti-DDoS Origin within a few seconds. These capabilities can prevent attacks such as SYN flood, ACK flood, Internet Control Message Protocol (ICMP) flood, UDP flood, NTP flood, Simple Service Discovery Protocol (SSDP) flood, DNS flood, and HTTP flood attacks. OSS DDoS protection is suitable for scenarios where business is subject to attacks, ransom-driven attacks, click farming, and fraudulent traffic.

How does OSS DDoS protection work

By default, OSS uses Anti-DDoS Origin to protect your bucket. However, when the attack frequency exceeds the protection threshold of Anti-DDoS Origin, Anti-DDoS Origin fails to provide effective mitigation. Consequently, your bucket may not be able to be accessed.

After you enable OSS DDoS protection, when the attack frequency exceeds the protection threshold of Anti-DDoS Origin, OSS diverts all traffic to access the bucket to an Anti-DDoS Pro or Anti-DDoS Premium instance. Malicious traffic is scrubbed in the scrubbing center of Anti-DDoS Pro or Anti-DDoS Premium. Only legitimate traffic is forwarded to the requested bucket by using the port protocol. This way, normal access to the bucket is ensured when the bucket suffers attacks.

After the attacks stop, the attacked bucket is protected by Anti-DDoS Origin.


  • OSS DDoS protection instances must be retained for at least seven days after the instances are created. If the instances are deleted within seven days, OSS charges basic resource fees for the instances for a period of seven days.
  • You can create only one OSS DDoS protection instance in each region. Each instance can be attached to up to 10 buckets within the same region.

Configuration methods

To enable OSS DDoS protection for a bucket, you need only to perform simple configurations in the OSS console. For more information about configuration methods, see Configure OSS DDoS protection.