Elastic IP Address: Anti-DDoS (Enhanced) EIP

Last Updated: Mar 27, 2026

Every EIP includes Anti-DDoS Basic, free DDoS mitigation of approximately 5 Gbps. When attack traffic exceeds the blackhole threshold, all inbound traffic is dropped and the service goes offline. To avoid this, allocate an EIP with Anti-DDoS (Enhanced) for terabit-level mitigation that works transparently: no configuration changes, no IP address swaps.

How Anti-DDoS (Enhanced) works

Anti-DDoS (Enhanced) uses Anti-DDoS Native to scrub attack traffic inline before it reaches your EIP:

  • Inbound: Traffic passes through Anti-DDoS Native, which detects and scrubs attack traffic, then forwards clean traffic to the EIP.

  • Outbound: Traffic goes directly through the EIP to the Internet — no additional processing.

This makes it suited for latency-sensitive workloads that require high-level protection, such as online gaming, live streaming, and financial services.

Anti-DDoS Basic vs. Enhanced

| | Anti-DDoS Basic | Anti-DDoS (Enhanced) |
|---|---|---|
| Protection | Up to 5200 Mbps | Terabit-level (Tbps) |
| Cost | Free (included with every EIP) | Anti-DDoS Native fee (separate charge) |
| Availability | All EIPs, always enabled | Pay-as-you-go BGP (Multi-ISP) only, selected at creation |
| Changeable | Always enabled, can't be disabled | No. Must be set when allocating the EIP |

Limits

  • Security protection level is set at creation and can't be changed afterward. To switch, release the EIP and allocate a new one.

  • Anti-DDoS (Enhanced) is available only for pay-as-you-go BGP (Multi-ISP) EIPs. Subscription EIPs and BGP (Multi-ISP) Pro EIPs are not supported.

  • The IP address pool must be a DDoS Protection (Enhanced) pool when creating a DDoS Protection (Enhanced) EIP.

  • Available in specific regions only:

    | Resource | Supported regions |
    |---|---|
    | EIP | China (Beijing), China (Hangzhou), China (Shanghai), China (Hong Kong), Philippines (Manila), Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), South Korea (Seoul), Thailand (Bangkok), US (Virginia), US (Silicon Valley), Germany (Frankfurt), UK (London), Mexico |
    | IP address pool | China (Hong Kong), Philippines (Manila), Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), South Korea (Seoul), Thailand (Bangkok), US (Virginia), US (Silicon Valley), Germany (Frankfurt), UK (London), Mexico |

Allocate an Anti-DDoS (Enhanced) EIP

Before you allocate, activate Anti-DDoS Origin (Pay-As-You-Go).

Warning

Anti-DDoS Native (Pay-as-you-go) has a minimum 30-day commitment. You cannot deactivate the service within 30 days. Billing starts when you activate the service and add a resource for protection. See Anti-DDoS Origin 2.0 (Pay-as-you-go) Billing for details.

Console

  1. Go to the EIP buy page, select a supported region, and configure the following:

    • Billing Method: Pay-as-you-go.

    • Line Type: BGP (Multi-ISP).

    • Security Protection: Anti-DDoS (Enhanced).

    • IP Address Pool: To allocate from a custom pool, select your Anti-DDoS Enhanced pool. Otherwise, leave the default.

  2. Complete payment.

API

Call AllocateEipAddress with SecurityProtectionTypes set to AntiDDoS_Enhanced.

To allocate from a custom IP address pool, also set PublicIpAddressPoolId to your pool ID.
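The limits above can be checked before the request is sent, which matters because the protection level cannot be changed after allocation. The following is an added example, not Alibaba Cloud's own code: the function name, the flat parameter dict (list parameter written as SecurityProtectionTypes.1) and the use of region display names for the check are assumptions of this example, and the caller supplies the API region ID.

```python
# Added example: offline preflight for an AllocateEipAddress request, encoding the
# limits listed on this page. Function name and dict layout are hypothetical.
POOL_REGIONS = {
    "China (Hong Kong)", "Philippines (Manila)", "Japan (Tokyo)", "Singapore",
    "Malaysia (Kuala Lumpur)", "Indonesia (Jakarta)", "South Korea (Seoul)",
    "Thailand (Bangkok)", "US (Virginia)", "US (Silicon Valley)",
    "Germany (Frankfurt)", "UK (London)", "Mexico",
}
EIP_REGIONS = POOL_REGIONS | {"China (Beijing)", "China (Hangzhou)", "China (Shanghai)"}


def enhanced_eip_params(region_id, region_name, charge_type="PostPaid",
                        isp="BGP", pool_id=None):
    """Return AllocateEipAddress parameters, or raise ValueError naming every limit hit."""
    problems = []
    if region_name not in EIP_REGIONS:
        problems.append(f"{region_name}: Anti-DDoS (Enhanced) EIPs are not offered here")
    if charge_type != "PostPaid":  # subscription EIPs are not supported
        problems.append("billing method must be pay-as-you-go (PostPaid)")
    if isp != "BGP":  # BGP (Multi-ISP) Pro is not supported
        problems.append("line type must be BGP (Multi-ISP)")
    if pool_id is not None and region_name not in POOL_REGIONS:
        problems.append(f"{region_name}: Anti-DDoS (Enhanced) IP address pools are not offered here")
    if problems:
        raise ValueError("; ".join(problems))
    params = {
        "RegionId": region_id,  # caller supplies the API region ID for region_name
        "InstanceChargeType": "PostPaid",
        "ISP": "BGP",
        # Protection level is fixed at creation, so it must be in this first call.
        "SecurityProtectionTypes.1": "AntiDDoS_Enhanced",
    }
    if pool_id is not None:
        params["PublicIpAddressPoolId"] = pool_id  # must be an Enhanced pool
    return params
```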

Verify and use the EIP

After allocation, associate the EIP with a cloud resource to start using it.

To verify that Anti-DDoS (Enhanced) is active, find the EIP in the EIP console and check the Protection column; it should show an icon. Hover over the icon to view the scrubbing and blackhole thresholds.

Usage details are available the day after allocation in the Anti-DDoS console under Traffic Security > Network Security > Anti-DDoS Native > Billing Management.

Billing

Only pay-as-you-go EIPs support Anti-DDoS (Enhanced). Two separate charges apply:

| Item | Charged by |
|---|---|
| Configuration fee + bandwidth or data transfer fee | EIP |
| Anti-DDoS Native Protection fee | Anti-DDoS Origin 2.0 (Pay-as-you-go) |

The DDoS protection fee is billed separately and does not affect standard EIP billing.

Anti-DDoS Basic

Anti-DDoS Basic is enabled by default on all EIPs. Inbound internet traffic passes through Alibaba Cloud Security, which scrubs it — filtering attack packets, rate-limiting traffic, and rate-limiting packets — before it reaches your EIP.

When inbound traffic exceeds the blackhole threshold (typically around 5,200 Mbps), blackhole routing activates and all inbound traffic is dropped to protect the cluster. The default blackhole duration is 2.5 hours, though this varies based on attack frequency.

Scrubbing thresholds

Scrubbing triggers when traffic matches attack patterns and volume reaches the scrubbing threshold. Thresholds are set automatically based on EIP bandwidth:

| EIP bandwidth | BPS threshold | PPS threshold |
|---|---|---|
| ≤ 300 Mbps | 450 Mbps | 100,000 PPS (≤ 100 Mbps bandwidth) or bandwidth × 1,000 (> 100 Mbps) |
| > 300 Mbps | Bandwidth × 1.5 | Bandwidth × 1,000 |
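To see where a given EIP sits relative to these thresholds, the following added example (not Alibaba Cloud code) computes the Basic scrubbing thresholds from the EIP bandwidth and places constructed traffic samples against them and against the typical 5,200 Mbps blackhole threshold. All names are hypothetical, and treating either threshold as sufficient volume is an assumption of this example.

```python
# Added example: Anti-DDoS Basic thresholds from the table above, applied to
# constructed traffic samples. Names here are hypothetical, not an Alibaba Cloud API.
BLACKHOLE_MBPS = 5200  # typical blackhole threshold stated on this page


def basic_thresholds(bandwidth_mbps):
    """Return (bps_threshold_mbps, pps_threshold) for an EIP of the given bandwidth."""
    if bandwidth_mbps <= 0:
        raise ValueError("bandwidth must be positive")
    bps = 450 if bandwidth_mbps <= 300 else bandwidth_mbps * 1.5
    pps = 100_000 if bandwidth_mbps <= 100 else bandwidth_mbps * 1_000
    return bps, pps


def classify(bandwidth_mbps, inbound_mbps, inbound_pps):
    """Place one traffic sample relative to the Basic thresholds."""
    bps, pps = basic_thresholds(bandwidth_mbps)
    if inbound_mbps > BLACKHOLE_MBPS:
        return "blackhole"  # all inbound traffic is dropped
    # Assumption: reaching either threshold counts as "volume reaches the threshold".
    # Scrubbing additionally requires the traffic to match attack patterns.
    if inbound_mbps >= bps or inbound_pps >= pps:
        return "scrub-eligible"
    return "below-threshold"


def triage(samples):
    """Map each sample name to its classification."""
    return {name: classify(bw, mbps, pps) for name, bw, mbps, pps in samples}


# Constructed samples: (label, EIP bandwidth Mbps, inbound Mbps, inbound PPS)
SAMPLES = [
    ("web-50m", 50, 40, 120_000),       # small packets: PPS threshold reached first
    ("api-200m", 200, 180, 150_000),    # under both 450 Mbps and 200,000 PPS
    ("cdn-1g", 1000, 1600, 400_000),    # over 1,500 Mbps
    ("game-500m", 500, 6000, 900_000),  # over the blackhole threshold
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```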

FAQ

Can I enable Anti-DDoS (Enhanced) on an existing EIP?

No. Security protection is set at creation and can't be changed. Release the existing EIP and allocate a new one with Anti-DDoS (Enhanced) selected.

Can I use subscription EIPs with Anti-DDoS (Enhanced)?

No. Only pay-as-you-go BGP (Multi-ISP) EIPs are supported.

Do I need to change my IP address?

No. Anti-DDoS (Enhanced) works transparently — no IP address changes or additional configuration are needed.

Can I use Anti-DDoS (Enhanced) with a BGP (Multi-ISP) Pro EIP?

No. Anti-DDoS (Enhanced) is available only for standard BGP (Multi-ISP) EIPs. BGP (Multi-ISP) Pro is a premium line type with different routing characteristics — it does not support the Anti-DDoS (Enhanced) security protection option.

Can I deactivate Anti-DDoS Origin (Pay-as-you-go) immediately?

No. The service has a minimum 30-day commitment from the date of activation.