This topic provides answers to some frequently asked questions about Anti-DDoS Pro and Anti-DDoS Premium.

What happens if an Anti-DDoS Pro or Anti-DDoS Premium instance expires?

An expired instance can no longer protect your services.
  • After the instance expires, the instance continues to forward your traffic for seven days. If the traffic volume exceeds the clean bandwidth of the instance, throttling is triggered, and random packet loss may occur.
  • Seven days after the instance expires, the instance stops forwarding traffic. If the IP addresses of your services are mapped to the instance, your services become inaccessible.

For more information, see Instance expiration.

What is the clean bandwidth of an Anti-DDoS Pro or Anti-DDoS Premium instance?

The clean bandwidth of an instance is equal to the peak inbound or outbound traffic of the protected services, whichever is greater. Unit: Mbit/s.

You can increase the clean bandwidth of an instance on the Instances page in the Anti-DDoS Pro console. For more information, see Upgrade the specifications of an Anti-DDoS Pro or Anti-DDoS Premium instance.

What happens if the traffic volume exceeds the clean bandwidth of an Anti-DDoS Pro or Anti-DDoS Premium instance?

If the traffic volume exceeds the clean bandwidth of the instance, throttling is triggered, and random packet loss may occur.

Can I manually deactivate blackhole filtering?

The answer to this question varies based on the instance that you use.
  • If you use an Anti-DDoS Pro instance, you can manually deactivate blackhole filtering.

    Each Alibaba Cloud account can deactivate blackhole filtering up to five times a day. The limit is reset at 00:00 the next day. For more information, see Deactivate blackhole filtering.

  • If you use an Anti-DDoS Premium instance, you cannot manually deactivate blackhole filtering.

    Unlike an Anti-DDoS Pro instance, which has a fixed protection bandwidth, an Anti-DDoS Premium instance mitigates DDoS attacks with all the capabilities that are available. You do not need to manually deactivate blackhole filtering for an Anti-DDoS Premium instance.

    Note If you use an Anti-DDoS Premium instance with the Insurance plan, and the quota for advanced mitigation sessions in the current month is exhausted, blackhole filtering is triggered after your service is attacked. In this case, we recommend that you upgrade your instance to the Unlimited plan, which provides unlimited protection capabilities. After you upgrade your instance to the Unlimited plan, blackhole filtering is automatically deactivated.

What are the back-to-origin CIDR blocks of an Anti-DDoS Pro or Anti-DDoS Premium instance?

You can view the back-to-origin CIDR blocks on the Website Config page in the Anti-DDoS Pro console. For more information, see Allow back-to-origin IP addresses to access the origin server.

Are the back-to-origin CIDR blocks of an Anti-DDoS Pro or Anti-DDoS Premium instance automatically added to a whitelist?

No, the back-to-origin CIDR blocks are not automatically added to a whitelist. If you deploy a firewall or third-party security software on your origin server, you must manually add the back-to-origin CIDR blocks of your Anti-DDoS Pro or Anti-DDoS Premium instance to the whitelist of the firewall or security software. For more information, see Allow back-to-origin IP addresses to access the origin server.
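Because the back-to-origin CIDR blocks are not whitelisted for you, an origin server should only accept traffic that arrives from those blocks; otherwise requests that never passed through the instance reach the origin unprotected. The following added example (not Alibaba Cloud's code) shows a membership check and generates the matching iptables rules; the CIDR blocks in it are constructed placeholders that must be replaced with the blocks shown on your own Website Config page.

```python
import ipaddress

# Constructed placeholders (documentation ranges). Replace with the
# back-to-origin CIDR blocks shown for your instance in the console.
BACK_TO_ORIGIN_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def is_from_instance(remote_addr: str, cidrs=BACK_TO_ORIGIN_CIDRS) -> bool:
    """True if the connecting address lies inside one of the back-to-origin blocks.

    Use this in an origin-side middleware to reject connections that did not
    come through the Anti-DDoS instance (a malformed address is rejected too).
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in cidrs)


def iptables_rules(origin_port: int, cidrs=BACK_TO_ORIGIN_CIDRS) -> list:
    """Generate host-firewall rules: accept the back-to-origin blocks on
    origin_port, then drop every other source. Returned as strings so they
    can be reviewed before being applied."""
    rules = [
        f"iptables -A INPUT -p tcp --dport {origin_port} -s {net} -j ACCEPT"
        for net in cidrs
    ]
    rules.append(f"iptables -A INPUT -p tcp --dport {origin_port} -j DROP")
    return rules


if __name__ == "__main__":
    print("\n".join(iptables_rules(443)))
```

Re-run the generator whenever the console shows a changed set of back-to-origin CIDR blocks; a stale whitelist silently blocks the instance's own forwarded traffic.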

Can I use an internal IP address as the IP address of the origin server for an Anti-DDoS Pro or Anti-DDoS Premium instance?

No, you cannot use an internal IP address as the IP address of the origin server. This is because Anti-DDoS Pro and Anti-DDoS Premium forward traffic to origin servers only over the Internet.

I have changed the IP address of the origin server for an Anti-DDoS Pro or Anti-DDoS Premium instance. Does the change immediately take effect?

No, the change takes effect about 5 minutes later. We recommend that you perform this operation during off-peak hours. For more information, see Change the public IP address of an ECS origin server.

How do I identify which website is under attack when multiple websites are protected by an Anti-DDoS Pro or Anti-DDoS Premium instance?

If websites are targeted by volumetric DDoS attacks, you cannot identify which website is under attack at the packet level. We recommend that you add your websites to different instances. This way, you can separately view the monitoring data of each website.

Do Anti-DDoS Pro and Anti-DDoS Premium support the health check feature?

Yes, Anti-DDoS Pro and Anti-DDoS Premium support the health check feature. The health check feature is enabled for website services by default. The health check feature is disabled for non-website services by default. You can enable the health check feature for non-website services in the Anti-DDoS Pro or Anti-DDoS Premium console. For more information, see Configure a health check.

For more information about the health check feature, see Health check overview.

How is traffic distributed to multiple origin servers that are protected by an Anti-DDoS Pro or Anti-DDoS Premium instance?

Traffic that is destined for website services is distributed to origin servers by using the IP hash policy. Traffic that is destined for non-website services is distributed to origin servers by using the weighted round-robin policy.

Can I configure session persistence in the Anti-DDoS Pro or Anti-DDoS Premium console?

Yes, you can configure session persistence for non-website services in the Anti-DDoS Pro or Anti-DDoS Premium console. For more information, see Configure session persistence.

How does session persistence work for an Anti-DDoS Pro or Anti-DDoS Premium instance?

After you configure session persistence for an instance, the instance forwards requests from the same IP address to the same origin server within a specific period. If a client switches networks, for example from a wired or 4G network to a different wireless network, session persistence fails because the IP address of the client changes.
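The two distribution policies and the IP-based session persistence described above, as an added example that is not part of the original page: the hash function, the origin pool and the sliding timeout are constructed for illustration, since the page does not document the instance's actual hash or table behaviour.

```python
import hashlib
import itertools

ORIGINS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]  # constructed origin pool


def ip_hash_select(client_ip: str, origins=ORIGINS) -> str:
    """Website services: the client IP is hashed and mapped to one origin,
    so the same IP always lands on the same origin (constructed hash)."""
    digest = hashlib.sha256(client_ip.encode()).digest()
    return origins[int.from_bytes(digest[:4], "big") % len(origins)]


def wrr_schedule(weights: dict) -> list:
    """One full round of weighted round-robin: each origin appears as many
    times as its weight."""
    return [origin for origin, w in weights.items() for _ in range(w)]


def weighted_round_robin(weights: dict):
    """Non-website services: an endless iterator over the weighted round."""
    return itertools.cycle(wrr_schedule(weights))


class SessionTable:
    """Session persistence keyed on client IP. A client that keeps the same IP
    is pinned to its first origin until `timeout` seconds of silence; a client
    whose IP changes (e.g. a network switch) is a new key and may be sent to a
    different origin. Sliding expiry is a constructed assumption."""

    def __init__(self, timeout: float, selector):
        self.timeout = timeout
        self.selector = selector      # returns the origin for a new client
        self.table = {}               # client_ip -> (origin, last_seen)

    def route(self, client_ip: str, now: float) -> str:
        entry = self.table.get(client_ip)
        if entry and now - entry[1] < self.timeout:
            origin = entry[0]
        else:
            origin = self.selector()
        self.table[client_ip] = (origin, now)
        return origin
```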

What is the default TCP timeout period for an Anti-DDoS Pro or Anti-DDoS Premium instance?

The default timeout period is 900 seconds.

What are the default HTTP and HTTPS timeout periods for an Anti-DDoS Pro or Anti-DDoS Premium instance?

The default timeout periods are 120 seconds.

Do Anti-DDoS Pro and Anti-DDoS Premium support IPv6?

No, Anti-DDoS Pro and Anti-DDoS Premium do not support IPv6.

Do Anti-DDoS Pro and Anti-DDoS Premium support WebSocket?

Yes, Anti-DDoS Pro and Anti-DDoS Premium support WebSocket. For more information, see How do I enable WebSocket?.

Do Anti-DDoS Pro and Anti-DDoS Premium support mutual HTTPS authentication?

Website services that are added to Anti-DDoS Pro or Anti-DDoS Premium do not support mutual HTTPS authentication. Non-website services that are added to Anti-DDoS Pro or Anti-DDoS Premium and use TCP port forwarding support mutual HTTPS authentication.

Why am I unable to access HTTPS websites by using a browser of an earlier version or from an Android mobile client?

You are unable to access HTTPS websites because the browser or client may not support Server Name Indication (SNI). Make sure that the browser or client supports SNI. For more information, see How do I handle HTTPS access exceptions that occur when clients do not support SNI?.

Which SSL protocols and cipher suites are supported by Anti-DDoS Pro and Anti-DDoS Premium?

The following SSL protocols are supported: TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3.

The following cipher suites are supported:
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • AES128-SHA256
  • AES256-SHA256
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • AES128-SHA
  • AES256-SHA
  • DES-CBC3-SHA

For more information, see Create a custom TLS policy.
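When trimming this list into a custom TLS policy, the useful questions are which suites give forward secrecy (ECDHE) and which use an AEAD cipher (GCM). The following added example (not from the page or from Alibaba Cloud) parses the OpenSSL-style names above and filters them by those properties; the classification rules are the editor's, not the product's.

```python
# Supported suites exactly as listed on this page (OpenSSL names).
SUPPORTED_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384",
    "AES128-SHA256", "AES256-SHA256",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
]


def parse_suite(name: str) -> dict:
    """Split an OpenSSL-style TLS 1.2 suite name into key exchange, cipher
    and hash. Names without a prefix use RSA key transport."""
    parts = name.split("-")
    if parts[0] == "ECDHE":
        kx, parts = "ECDHE", parts[2:]   # drop ECDHE and the signature alg
    else:
        kx = "RSA"
    return {"kx": kx, "cipher": "-".join(parts[:-1]), "hash": parts[-1]}


def findings(name: str) -> list:
    """Properties a reviewer would flag before keeping a suite in a policy."""
    s = parse_suite(name)
    out = []
    if s["kx"] != "ECDHE":
        out.append("no forward secrecy (RSA key transport)")
    if "GCM" not in s["cipher"]:
        out.append("CBC mode, not AEAD")
    if s["cipher"] == "DES-CBC3":
        out.append("3DES: 64-bit block cipher")
    if s["hash"] == "SHA":
        out.append("SHA-1 HMAC")
    return out


def select(suites, require_pfs=True, require_aead=True) -> list:
    """Keep only the suites that satisfy the chosen requirements."""
    keep = []
    for name in suites:
        s = parse_suite(name)
        if require_pfs and s["kx"] != "ECDHE":
            continue
        if require_aead and "GCM" not in s["cipher"]:
            continue
        keep.append(name)
    return keep
```

Relaxing `require_aead` keeps the ECDHE-CBC suites for older clients; relaxing `require_pfs` keeps the RSA-GCM suites, which is the trade-off to document in the policy.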

How do Anti-DDoS Pro and Anti-DDoS Premium ensure the security of an uploaded certificate and its private key? Do Anti-DDoS Pro and Anti-DDoS Premium decrypt HTTPS traffic and record the content of HTTPS requests?

If you use Anti-DDoS Pro or Anti-DDoS Premium to protect HTTPS services, you must upload the required HTTPS certificate and its private key. This way, Anti-DDoS Pro and Anti-DDoS Premium can decrypt HTTPS traffic to detect attacks and analyze the characteristics of attacks. Alibaba Cloud uses a dedicated key server to store and manage private keys. The key server is based on Alibaba Cloud Key Management Service (KMS) and can ensure the data security, integrity, and availability of both certificates and private keys. This helps meet the requirements for regulation, classified protection, and compliance. For more information about KMS, see What is Key Management Service?.

Anti-DDoS Pro and Anti-DDoS Premium use an uploaded certificate and its private key to decrypt HTTPS traffic only for real-time attack detection. Anti-DDoS Pro and Anti-DDoS Premium record only specific parts of request payloads, selected based on attack characteristics, and use that content to provide attack reports and data statistics. Anti-DDoS Pro and Anti-DDoS Premium record the full content of requests or responses only when they are authorized to do so.

Anti-DDoS Pro and Anti-DDoS Premium have been accredited against authoritative standards, including ISO 9001, ISO 20000, ISO 27001, ISO 27017, ISO 27018, ISO 22301, ISO 27701, ISO 29151, BS 10012, CSA STAR, MLPS level 4, Service Organization Control (SOC) 1, SOC 2, SOC 3, Cloud Computing Compliance Criteria Catalogue (C5), Outsourced Service Providers Audit Report (OSPAR), ISO 27001 (Indonesia), and Payment Card Industry Data Security Standard (PCI DSS). The standards also include those that prove the effectiveness of Anti-DDoS Pro and Anti-DDoS Premium across financial sectors in Hong Kong (China) and the Philippines. In addition, Anti-DDoS Pro and Anti-DDoS Premium provide the same security and compliance qualifications as Alibaba Cloud.

Note If you use Anti-DDoS Pro or Anti-DDoS Premium to protect HTTPS services, you can use a dual-certificate method. This method allows you to use one certificate and private key pair on your Anti-DDoS Pro or Anti-DDoS Premium instance and a separate pair on the origin server. Both pairs must be valid. This way, the key server manages the instance's certificate and private key separately from those on the origin server.

What are the limits on the numbers of ports and domain names that can be protected by an Anti-DDoS Pro or Anti-DDoS Premium instance?

  • The following list describes the maximum number of ports that can be protected:
    • An Anti-DDoS Pro instance protects 50 ports by default. You can upgrade the instance to protect a maximum of 400 ports.
    • An Anti-DDoS Premium instance protects 5 ports by default. You can upgrade the instance to protect a maximum of 400 ports.
  • The following list describes the maximum number of domain names that can be protected:
    • An Anti-DDoS Pro instance protects 50 domain names by default. You can upgrade the instance to protect a maximum of 200 domain names.
    • An Anti-DDoS Premium instance protects 10 domain names by default. You can upgrade the instance to protect a maximum of 200 domain names.

Why does the traffic chart show a traffic scrubbing event even though the volume of the traffic received by the server does not exceed the traffic scrubbing threshold?

An Anti-DDoS Pro or Anti-DDoS Premium instance automatically filters out malformed packets. These include small SYN packets and packets that do not meet TCP requirements for reasons such as invalid SYN flags. Because the instance drops these packets, your server does not allocate resources to handle them. The dropped malformed packets are counted in the scrubbed traffic statistics. Therefore, the traffic chart may show a traffic scrubbing event even though the volume of the traffic received by the server does not exceed the traffic scrubbing threshold.

Can Anti-DDoS Pro and Anti-DDoS Premium protect websites that use NTLM authentication?

No, Anti-DDoS Pro and Anti-DDoS Premium cannot protect websites that use New Technology LAN Manager (NTLM) authentication. The website requests forwarded by an Anti-DDoS Pro or Anti-DDoS Premium instance cannot pass the NTLM authentication of the origin server. In this case, the clients receive repeated authentication requests. We recommend that you use other authentication methods for your website.

Do the ports enabled in Anti-DDoS Pro or Anti-DDoS Premium affect my service security?

No, the ports enabled in Anti-DDoS Pro or Anti-DDoS Premium do not affect your service security.

Anti-DDoS Pro and Anti-DDoS Premium provide traffic access and forwarding. Ports are predefined in a protection cluster. You can use the predefined ports to protect your services after you add your websites to an Anti-DDoS Pro or Anti-DDoS Premium instance. The traffic destined for each domain name or port that is added to the instance is forwarded to the origin server only over the ports that you specified when you added that domain name or port. Only access requests over the ports that are specified in an Anti-DDoS Pro or Anti-DDoS Premium instance are forwarded to the origin server. Ports that are enabled in the cluster but not specified in your instance do not forward traffic to your origin server, so they impose no security risks or threats on it.