All Products
Search
Document Center

Anti-DDoS:What is an Anti-DDoS Origin paid edition?

Last Updated:Jan 04, 2024

An Anti-DDoS Origin paid edition is a security service that enhances mitigation against DDoS attacks for Alibaba Cloud services. An Anti-DDoS Origin paid edition directly protects Alibaba Cloud resources. You do not need to change the IP addresses of the resources that you want to protect or consider the limits on the number of Layer 4 ports or Layer 7 domain names. You need to only add the IP address of an asset to an Anti-DDoS Origin paid edition for protection. This topic describes how an Anti-DDoS Origin paid edition works, the mitigation capabilities of an Anti-DDoS Origin paid edition, and the details of each Anti-DDoS Origin paid edition.

How an Anti-DDoS Origin paid edition works

An Anti-DDoS Origin paid edition protects your resources against Layer 3 and Layer 4 volumetric attacks. When the traffic exceeds the default traffic scrubbing threshold of an Anti-DDoS Origin paid edition, traffic scrubbing is automatically triggered to mitigate DDoS attacks.

An Anti-DDoS Origin paid edition adopts passive scrubbing as a major mitigation approach and active blocking as an auxiliary approach to mitigate DDoS attacks. An Anti-DDoS Origin paid edition uses conventional technologies such as reverse detection, blacklists, whitelists, and packet compliance. This way, your asset that is protected by an Anti-DDoS Origin paid edition can work as expected even when an attack is ongoing. An Anti-DDoS Origin paid edition deploys a DDoS attack detection and traffic scrubbing system at the egress of an Alibaba Cloud data center. This system is deployed in bypass mode.

Why choose an Anti-DDoS Origin paid edition?

  • An Anti-DDoS Origin paid edition starts to protect your service immediately after you purchase an instance. An Anti-DDoS Origin paid edition supports quick deployment within at least one minute. An Anti-DDoS Origin paid edition directly protects your cloud services. This eliminates the need to deploy mitigation plans and switch IP addresses.

  • An Anti-DDoS Origin paid edition provides burstable protection. When your assets experience volumetric DDoS attacks, An Anti-DDoS Origin paid edition uses all resources in a region to provide best-effort protection.

  • An Anti-DDoS Origin paid edition adopts Alibaba Cloud Border Gateway Protocol (BGP) bandwidth resources across different Internet service providers (ISPs). The ISPs include China Telecom, China Unicom, China Mobile, China Education and Research Network (CERNET), and Great Wall Broadband Network. You can obtain fast access to the networks of the ISPs by using only one IP address.

  • An Anti-DDoS Origin paid edition provides protection bandwidth as required. This can ensure service stability and security for big promotions, event releases, and important services.

  • An Anti-DDoS Origin paid edition supports protection capacity sharing among multiple IP addresses. This enhances protection for multiple IP addresses.

Editions

  • Anti-DDoS Origin 1.0: Anti-DDoS Origin 1.0 Enterprise. You must select a region when you purchase an Anti-DDoS Origin 1.0 Enterprise instance. The instance can protect only the assets that reside in the same region as the instance.

  • Anti-DDoS Origin 2.0 (Subscription): Anti-DDoS Origin 2.0 of Inclusive Edition for Small and Medium Enterprises and Anti-DDoS Origin 2.0 Enterprise.

    • Anti-DDoS Origin 2.0 of Inclusive Edition for Small and Medium Enterprises: You must select a region when you purchase an instance of Anti-DDoS Origin 2.0 of Inclusive Edition for Small and Medium Enterprises. The instance can protect only the assets that reside in the same region as the instance.

    • Anti-DDoS Origin 2.0 Enterprise: You need to only purchase an instance to protect assets in all regions within the current Alibaba Cloud account.

    Note

    We recommend that you purchase an Anti-DDoS Origin 2.0 Enterprise instance instead of an Anti-DDoS Origin 1.0 Enterprise instance.

  • Anti-DDoS Origin 2.0 (Pay-as-you-go): You can add a regular Alibaba Cloud service to an Anti-DDoS Origin 2.0 (Pay-as-you-go) instance for protection. You can also purchase an Anti-DDoS Origin (Pay-as-you-go) instance and then purchase an elastic IP address (EIP) with Anti-DDoS (Enhanced) enabled.

    Note
    • Regular Alibaba Cloud service: If you do not specify a DDoS mitigation capability when you purchase an Alibaba Cloud service, only the basic DDoS mitigation capability from 500 Mbit/s to 5 Gbit/s is provided.

    • EIP with Anti-DDoS (Enhanced) enabled: The EIPs for which Security Protection is set to Anti-DDoS (Enhanced) when you purchase the EIPs are supported.

Mitigation capabilities

Anti-DDoS Origin 1.0 provides best-effort protection. The following table describes the mitigation capabilities of Anti-DDoS Origin 2.0.

Note
  • Best-effort protection defends against DDoS attacks based on the overall network capacity of Alibaba Cloud. The best-effort protection capability increases with the increase of the overall network capacity of Alibaba Cloud.

  • If the peak attack traffic exceeds the maximum mitigation capability provided in the region in which your Anti-DDoS Origin instance of a paid edition resides, you can contact your account manager to unsubscribe from the Anti-DDoS Origin paid edition. If your instance is a subscription instance, Alibaba Cloud refunds you the remaining subscription fee of the instance. If your instance is a pay-as-you-go instance, Alibaba Cloud stops the instance in advance.

    We recommend that you purchase an Anti-DDoS Pro or Anti-DDoS Premium instance. Anti-DDoS Pro and Anti-DDoS Premium use the forward proxy mode to protect cloud assets in all regions and assets in data centers. For more information, see What are Anti-DDoS Pro and Anti-DDoS Premium?

Region

Anti-DDoS Origin 2.0 (Subscription) of Inclusive Edition for Small and Medium Enterprises

Anti-DDoS Origin 2.0 (Subscription) Enterprise

Anti-DDoS Origin 2.0 (Pay-as-you-go)

Regular Alibaba Cloud service

EIP with Anti-DDoS (Enhanced) enabled

Regular Alibaba Cloud service

EIP with Anti-DDoS (Enhanced) enabled

Regular Alibaba Cloud service

EIP with Anti-DDoS (Enhanced) enabled

China (Beijing), China (Shanghai), China (Hangzhou), China (Shenzhen), China (Ulanqab), China (Zhangjiakou), China (Hohhot), and China (Heyuan)

Up to 200 Gbit/s to 400 Gbit/s.

Not supported.

Best-effort protection of up to hundreds of Gbit/s.

Not supported.

Best-effort protection of up to hundreds of Gbit/s.

Best-effort protection of up to Tbit/s.

China (Chengdu), China (Guangzhou), and China (Qingdao)

Mitigation capability of up to tens of Gbit/s.

Not supported.

Best-effort protection of up to tens of Gbit/s.

Not supported.

Best-effort protection of up to tens of Gbit/s.

Best-effort protection of up to Tbit/s.

Regions outside the Chinese mainland

The maximum mitigation capability is 10 Gbit/s. We recommend that you use EIPs with Anti-DDoS (Enhanced) enabled.

Not supported.

The mitigation capability is limited. We recommend that you use EIPs with Anti-DDoS (Enhanced) enabled.

Not supported.

The mitigation capability is limited. We recommend that you use EIPs with Anti-DDoS (Enhanced) enabled.

Best-effort protection of up to Tbit/s.

Feature comparison

The following table describes the features of different editions.

Item

Anti-DDoS Origin 1.0

Anti-DDoS Origin 2.0 (Subscription)

Anti-DDoS Origin 2.0 (Pay-as-you-go)

Enterprise

Inclusive Edition for Small and Medium Enterprises

Enterprise

Enterprise

Objects that can be protected

Alibaba Cloud assets: Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, EIPs, EIPs that are associated with NAT gateways, IPv6 gateways, simple application servers, Web Application Firewall (WAF) instances, Global Accelerator (GA) instances, and Anycast EIPs.

  • Alibaba Cloud assets: ECS instances, SLB instances, EIPs, EIPs that are associated with NAT gateways, IPv6 gateways, simple application servers, WAF instances, GA instances, and Anycast EIPs.

  • EIP with Anti-DDoS (Enhanced) enabled.

Billing methods

Subscription. For more information, see Anti-DDoS Origin 1.0 (Subscription).

Subscription. For more information, see Anti-DDoS Origin 2.0 (Subscription).

Subscription. For more information, see Anti-DDoS Origin 2.0 (Subscription).

Pay-as-you-go. For more information, see Pay-as-you-go.

Mitigation sessions

Unlimited.

Two sessions per month.

Unlimited.

Unlimited.

Number of regions that can be protected

Protects assets that are assigned public IP addresses in one region.

Protects assets that are assigned public IP addresses in one region.

Protects assets that are assigned public IP addresses in all regions within the current Alibaba Cloud account.

Protects assets that are assigned public IP addresses in all regions within the current Alibaba Cloud account.

Network types of the assets that can be protected

Either IPv4 assets or IPv6 assets are supported.

Either IPv4 assets or IPv6 assets are supported.

Both IPv4 assets and IPv6 assets are supported.

Both IPv4 assets and IPv6 assets are supported.

Number of IP addresses that can be protected

Unlimited.

Less than 30.

Unlimited.

Unlimited.

Clean bandwidth

Unlimited.

Less than or equal to 1,000 Mbit/s.

Unlimited.

Unlimited.

For more information, see Pay-as-you-go.

Mitigation logs feature

Supported.

Not supported.

Supported.

Supported.

Multi-account management feature

Not supported.

Not supported.

Supported.

Not supported.

Note

The clean bandwidth that you specify for an instance is shared by all Alibaba Cloud assets protected by the instance. For example, the total clean bandwidth of the three Alibaba Cloud assets that you want to add to an Anti-DDoS Origin instance is 2,000 Mbit/s. You must specify a clean bandwidth that is greater than 2,000 Mbit/s when you purchase the instance.

Limits

You can directly purchase Anti-DDoS Origin instances of paid editions only in the Chinese mainland. If you want to purchase an Anti-DDoS Origin instance of a paid edition outside the Chinese mainland, contact your account manager. For more information about how to contact the account manager, see Contact us.

How to use an Anti-DDoS Origin instance of a paid edition

  1. Purchase an Anti-DDoS Origin instance of a paid edition. For more information, see Purchase an Anti-DDoS Origin instance of a paid edition.

  2. Add an asset that is assigned a public IP address to the instance. For more information, see Add objects for protection.

  3. Create custom mitigation policies based on your business requirements. For more information, see Use the mitigation settings feature (public preview).

  4. View monitoring data of service traffic. For more information, see Use the service monitoring feature.

  5. Enable the mitigation logs feature. You can use this feature to query and analyze mitigation logs and view mitigation reports. For more information, see Enable mitigation analysis.

  6. View the attack event details after an attack occurred. For more information, see View information on the Attack Analysis page.

  7. View blackhole filtering events and traffic scrubbing events. For more information, see View the Event Center page.