This topic provides answers to some frequently asked questions (FAQ) about Anti-DDoS Pro and Anti-DDoS Premium.

What happens if an Anti-DDoS Pro or Anti-DDoS Premium instance expires?

An expired instance no longer protects your services.
  • After the instance expires, the instance continues to forward your traffic for seven days. If the traffic exceeds the clean bandwidth of the instance, throttling is triggered and packet loss may occur.
  • Seven days after the instance expires, the instance stops forwarding traffic. If the IP addresses of your services are mapped to the instance, your services become inaccessible.

For more information, see Instance expiration.

What is the clean bandwidth of an Anti-DDoS Pro or Anti-DDoS Premium instance?

The clean bandwidth of an instance is equal to the peak throughput of the inbound or outbound traffic of the protected services, whichever is greater. Unit: Mbit/s.

You can increase the clean bandwidth of an instance on the Instances page in the Anti-DDoS Pro console. For more information, see Upgrade the specifications of an Anti-DDoS Pro or Anti-DDoS Premium instance.

What happens if the traffic exceeds the clean bandwidth of an Anti-DDoS Pro or Anti-DDoS Premium instance?

If the traffic exceeds the clean bandwidth of the instance, throttling is triggered and packet loss may occur.

Can I manually deactivate blackhole filtering?

  • You can manually deactivate blackhole filtering for an Anti-DDoS Pro instance. Each Alibaba Cloud account can deactivate blackhole filtering up to five times a day. The limit is reset at 00:00:00 (UTC+8) the next day. For more information, see Deactivate blackhole filtering.
  • You cannot manually deactivate blackhole filtering for an Anti-DDoS Premium instance.

What are the back-to-origin CIDR blocks for Anti-DDoS Pro and Anti-DDoS Premium?

You can view the back-to-origin Classless Inter-Domain Routing (CIDR) blocks on the Website Config page in the Anti-DDoS Pro console. For more information, see Allow back-to-origin IP addresses to access the origin server.
Figure: Back-to-origin CIDR blocks

Are the back-to-origin CIDR blocks of Anti-DDoS Pro or Anti-DDoS Premium automatically added to a security group?

No, the back-to-origin CIDR blocks are not automatically added. If you deploy third-party security software on your origin server, you must manually add the back-to-origin CIDR blocks of Anti-DDoS Pro or Anti-DDoS Premium to the whitelist of the security software. For more information, see Allow back-to-origin IP addresses to access the origin server.
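The two answers above amount to one control: only the back-to-origin CIDR blocks should be able to reach the origin server. The following added example (not code from the Alibaba Cloud documentation) audits an origin server's access log for requests whose source address lies outside those blocks; the CIDR blocks are placeholders to be replaced with the list shown in the console, and the log lines are constructed sample data.

```python
"""Added example, not from the Alibaba Cloud documentation: audit an origin
server's access log for requests that bypassed the Anti-DDoS instance, that
is, requests whose source address is outside the back-to-origin CIDR blocks.
Placeholder CIDR blocks and constructed log lines stand in for real data."""
import ipaddress
import re

# Placeholder back-to-origin CIDR blocks; replace with the console's list.
BACK_TO_ORIGIN_CIDRS = ["203.0.113.0/24", "198.51.100.0/25"]

# Constructed origin-server access log in NGINX combined-log style.
SAMPLE_LOG = """\
203.0.113.17 - - [10/Oct/2023:13:55:36 +0800] "GET / HTTP/1.1" 200 612
198.51.100.5 - - [10/Oct/2023:13:55:37 +0800] "GET /api HTTP/1.1" 200 88
192.0.2.44 - - [10/Oct/2023:13:55:38 +0800] "GET /admin HTTP/1.1" 403 0
198.51.100.200 - - [10/Oct/2023:13:55:39 +0800] "POST /login HTTP/1.1" 200 12
203.0.113.17 - - [10/Oct/2023:13:55:40 +0800] "GET /x HTTP/1.1" 200 1
"""

LOG_RE = re.compile(r"^(\S+) ")  # source address is the first field

def build_allowlist(cidrs):
    """Parse CIDR strings into network objects; a malformed entry raises early."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def is_back_to_origin(addr, allowlist):
    """True if addr falls inside one of the back-to-origin CIDR blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in allowlist)

def find_direct_access(log_text, cidrs):
    """Return {source_ip: request_count} for requests that did not arrive
    through the instance. Any hit means the origin IP address is reachable
    directly and the security group or host firewall needs tightening."""
    allowlist = build_allowlist(cidrs)
    direct = {}
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # blank or malformed line
        src = match.group(1)
        try:
            if is_back_to_origin(src, allowlist):
                continue  # request came through the instance
        except ValueError:
            continue  # first field is not an IP address
        direct[src] = direct.get(src, 0) + 1
    return direct
```

Calling find_direct_access(SAMPLE_LOG, BACK_TO_ORIGIN_CIDRS) on the sample reports the two sources outside the placeholder blocks; an empty result on a real log is the expected state once the security group is correct.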

Can I use an internal IP address as the IP address of the origin server for an Anti-DDoS Pro or Anti-DDoS Premium instance?

No, you cannot use an internal IP address as the IP address of the origin server. This is because Anti-DDoS Pro and Anti-DDoS Premium support traffic forwarding to origin servers only over the Internet.

I have modified the IP address of the origin server for an Anti-DDoS Pro or Anti-DDoS Premium instance. Does the modification immediately take effect?

No, the modification takes effect about 5 minutes later. We recommend that you perform this operation during off-peak hours. For more information, see Change the public IP address of an ECS origin server.

How do I identify which website is under attack when multiple website services are protected by an Anti-DDoS Pro or Anti-DDoS Premium instance?

During a volumetric DDoS attack, packet-level monitoring data cannot show which of the protected websites is the target. We recommend that you distribute your website services across multiple instances so that you can view the monitoring data of each website service separately.

Do Anti-DDoS Pro and Anti-DDoS Premium support the health check feature?

Yes, Anti-DDoS Pro and Anti-DDoS Premium support the health check feature.
  • The health check feature is enabled for website services by default.
  • The health check feature is disabled for non-website services by default. You can enable the health check feature for non-website services in the Anti-DDoS Pro or Anti-DDoS Premium console. For more information, see Configure a health check.

For more information about the health check feature, see Health check overview.

How is traffic distributed to multiple origin servers that are protected by an Anti-DDoS Pro or Anti-DDoS Premium instance?

  • Traffic that is destined for website services is distributed to origin servers by using the IP hash policy.
  • Traffic that is destined for non-website services is distributed to origin servers by using the weighted round-robin policy.

Can I configure session persistence in Anti-DDoS Pro and Anti-DDoS Premium?

Yes, you can configure session persistence for non-website services in the Anti-DDoS Pro or Anti-DDoS Premium console. For more information, see Configure session persistence.

How does session persistence work for an Anti-DDoS Pro or Anti-DDoS Premium instance?

After you configure session persistence for an instance, the instance forwards requests from the same client IP address to the same origin server for a specific period. If a client switches networks, for example from a wired or 4G network to a wireless network, its IP address changes and session persistence fails.

What is the default TCP timeout period for an Anti-DDoS Pro or Anti-DDoS Premium instance?

The default timeout period is 900 seconds. You can specify the timeout period for non-website services in the Anti-DDoS Pro or Anti-DDoS Premium console. For more information, see Configure session persistence.
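The following added simulation (not Alibaba Cloud code) ties together the three answers above: IP-hash distribution for website services, weighted round-robin for non-website services, and client-IP session persistence with the 900-second default timeout. The product's real scheduler is not published, so the hash function, the idle-timeout interpretation, the origin addresses, weights and client addresses are all assumptions.

```python
"""Added example, not Alibaba Cloud code: a simulation of the forwarding
behaviour described in the FAQ (IP hash for website services, weighted
round-robin for non-website services, client-IP session persistence with a
timeout). The product's real scheduler is not published; the hash function,
origin addresses, weights and client addresses are assumptions."""
import hashlib
import itertools

ORIGINS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]  # constructed origin servers
DEFAULT_TIMEOUT = 900  # seconds; the FAQ's default TCP timeout period


def ip_hash_origin(client_ip, origins):
    """Website services: a given client IP always maps to the same origin.
    SHA-256 stands in for the undocumented production hash."""
    digest = hashlib.sha256(client_ip.encode()).digest()
    return origins[int.from_bytes(digest[:4], "big") % len(origins)]


def weighted_round_robin(weights):
    """Non-website services: an endless cycle in which each origin appears
    as many times per round as its weight."""
    order = [origin for origin, w in weights.items() for _ in range(w)]
    return itertools.cycle(order)


class StickySessions:
    """Session persistence for non-website services: requests from one
    client IP go to one origin until the client has been idle for `timeout`
    seconds (idle timeout is this example's assumption). A client that
    changes IP address looks like a new client and is rescheduled."""

    def __init__(self, weights, timeout=DEFAULT_TIMEOUT):
        self.rr = weighted_round_robin(weights)
        self.timeout = timeout
        self.table = {}  # client_ip -> (origin, last_seen_seconds)

    def forward(self, client_ip, now):
        """Pick the origin for a request from client_ip arriving at time now."""
        entry = self.table.get(client_ip)
        if entry and now - entry[1] < self.timeout:
            origin = entry[0]  # still within the period: stick to it
        else:
            origin = next(self.rr)  # new client, or idle too long: reschedule
        self.table[client_ip] = (origin, now)
        return origin
```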

What are the default HTTP and HTTPS timeout periods for an Anti-DDoS Pro or Anti-DDoS Premium instance?

The default HTTP and HTTPS timeout periods are both 120 seconds.

Do Anti-DDoS Pro and Anti-DDoS Premium support IPv6?

No, Anti-DDoS Pro and Anti-DDoS Premium do not support IPv6.

Do Anti-DDoS Pro and Anti-DDoS Premium support WebSocket?

Yes, Anti-DDoS Pro and Anti-DDoS Premium support WebSocket. For more information, see How do I enable WebSocket?

Do Anti-DDoS Pro and Anti-DDoS Premium support mutual HTTPS authentication?

  • Website services that are added to Anti-DDoS Pro or Anti-DDoS Premium do not support mutual HTTPS authentication.
  • Non-website services that are added to Anti-DDoS Pro or Anti-DDoS Premium and use TCP port forwarding support mutual HTTPS authentication.

Why am I unable to access HTTPS websites by using the browsers of earlier versions or from an Android mobile client?

You are unable to access HTTPS websites because the browser or client does not support Server Name Indication (SNI). Make sure that the browser or client supports SNI. For more information, see How do I handle HTTPS access exceptions that occur when clients do not support SNI?

Which SSL protocols and cipher suites are supported by Anti-DDoS Pro and Anti-DDoS Premium?

The following SSL/TLS protocol versions are supported: TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3.

The following cipher suites are supported:
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • AES128-SHA256
  • AES256-SHA256
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • AES128-SHA
  • AES256-SHA
  • DES-CBC3-SHA

For more information, see Create a custom TLS policy.
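Before creating a custom TLS policy it helps to see which of the listed suites offer forward secrecy (ECDHE) and authenticated encryption (GCM) and which are legacy (static RSA, CBC with HMAC-SHA1, 3DES). The following added example (not from the Alibaba Cloud documentation) parses the suite names above and derives that split; the classification rules are the example's own.

```python
"""Added example, not from the Alibaba Cloud documentation: parse the cipher
suite names listed above (OpenSSL naming) and separate the suites that offer
forward secrecy and authenticated encryption from the legacy ones, as input
for a custom TLS policy. The classification rules are this example's own."""

SUPPORTED_SUITES = [  # the FAQ's list, TLS 1.2-style names
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES256-SHA256",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
]

def classify(suite):
    """Properties read off an OpenSSL-style suite name.

    Without a leading ECDHE the key exchange is static RSA (no forward
    secrecy). GCM marks an AEAD cipher; otherwise the cipher runs in CBC
    mode with an HMAC, and a trailing bare 'SHA' means HMAC-SHA1."""
    parts = suite.split("-")
    aead = "GCM" in parts
    return {
        "forward_secrecy": parts[0] == "ECDHE",
        "aead": aead,
        "triple_des": "CBC3" in parts,  # 64-bit block cipher
        "sha1_mac": not aead and parts[-1] == "SHA",
    }

def weaknesses(suite):
    """Reasons a suite would be left out of a hardened policy (empty = keep)."""
    props = classify(suite)
    reasons = []
    if not props["forward_secrecy"]:
        reasons.append("static RSA key exchange, no forward secrecy")
    if props["triple_des"]:
        reasons.append("3DES, 64-bit block cipher")
    if not props["aead"]:
        reasons.append("CBC mode with HMAC, not AEAD")
    if props["sha1_mac"]:
        reasons.append("HMAC-SHA1 integrity")
    return reasons

def hardened_policy(suites):
    """Suites with both forward secrecy and AEAD; pair with TLS 1.2 or later."""
    return [s for s in suites if not weaknesses(s)]
```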

What are the limits on the numbers of ports and domain names protected by an Anti-DDoS Pro or Anti-DDoS Premium instance?

  • The following list describes the maximum number of protected ports:
    • An Anti-DDoS Pro instance protects 50 ports by default. You can upgrade the instance to protect a maximum of 400 ports.
    • An Anti-DDoS Premium instance protects 5 ports by default. You can upgrade the instance to protect a maximum of 400 ports.
  • The following list describes the maximum number of protected domain names:
    • An Anti-DDoS Pro instance protects 50 domain names by default. You can upgrade the instance to protect a maximum of 200 domain names.
    • An Anti-DDoS Premium instance protects 10 domain names by default. You can upgrade the instance to protect a maximum of 200 domain names.

Why does the traffic chart show a traffic scrubbing event even though the volume of the traffic received by the server does not exceed the traffic scrubbing threshold?

An Anti-DDoS Pro or Anti-DDoS Premium instance automatically filters out malformed packets. These include small SYN packets and packets that violate TCP requirements, for example packets with invalid SYN flags. This way, your servers do not spend resources on handling malformed packets. The filtered malformed packets are counted in the scrubbed traffic statistics, so the traffic chart may show a traffic scrubbing event even though the volume of traffic received by the server does not exceed the traffic scrubbing threshold.

Do Anti-DDoS Pro and Anti-DDoS Premium protect websites that use NTLM authentication?

No, Anti-DDoS Pro and Anti-DDoS Premium do not protect websites that use NT (New Technology) LAN Manager (NTLM) authentication. Website requests forwarded by an Anti-DDoS Pro or Anti-DDoS Premium instance cannot pass the NTLM authentication of the origin server, so the client is repeatedly prompted to authenticate. We recommend that you use another authentication method for your website.

Do the ports enabled in Anti-DDoS Pro or Anti-DDoS Premium affect my service security?

No, the ports enabled in Anti-DDoS Pro or Anti-DDoS Premium do not affect your service security.

Anti-DDoS Pro and Anti-DDoS Premium receive and forward traffic for services that are exposed to the Internet. A protection cluster has a set of predefined ports. Predefined ports that you have not specified for your Anti-DDoS Pro or Anti-DDoS Premium instance do not affect your traffic. Traffic that is destined for a domain name or port that is added to the instance is forwarded to the origin server only through the ports that you specified when you added the domain name or port. Only access requests on the ports that are specified in the instance are forwarded to the origin server. Ports that are enabled in the protection cluster but are not specified in your instance do not expose your origin server to any security risks or threats.