Anti-DDoS Origin adds DDoS mitigation capacity to Alibaba Cloud resources without requiring IP changes or network redesign. It does not limit the number of Layer 4 ports or Layer 7 domain names. After purchase, attach a public IP address and protection activates within minutes.
The service targets Layer 3 and Layer 4 volumetric attacks — including UDP floods and SYN floods. It does not mitigate application-layer (Layer 7) attacks such as HTTP floods. For Layer 7 protection, use Anti-DDoS Proxy.
How it works
Anti-DDoS Origin runs in bypass mode at the egress of Alibaba Cloud data centers. It uses passive traffic scrubbing as the primary method, supplemented by active blocking, so normal service traffic is unaffected.
Attack detection. The system monitors traffic to your public IP addresses in real time.
Traffic scrubbing. When inbound traffic exceeds the default scrubbing threshold, traffic is automatically redirected to a scrubbing center.
Traffic reinjection. The scrubbing center drops attack traffic and reinjects clean traffic to your origin server, keeping your services accessible during an attack.
When to use Anti-DDoS Origin
Anti-DDoS Origin is a good fit when you need to:
Strengthen protection quickly for existing cloud resources — ECS instances, Elastic IP addresses (EIPs), and SLB instances — without changing IPs or network topology.
Cover multiple assets cost-effectively: multiple IP addresses share one instance.
Handle Layer 3/4 volumetric attacks during traffic spikes such as sales promotions or product launches.
Maintain business continuity without dedicated scrubbing infrastructure.
If you need Tbps-level protection, dedicated resources, a higher SLA, or Layer 7 mitigation, use Anti-DDoS Proxy instead.
Benefits
Instant deployment. Protection takes effect immediately after purchase, in as little as one minute. No deployment steps or IP address changes are needed.
Elastic protection. During large-scale attacks, the service automatically uses all available DDoS mitigation resources in the current region, providing unlimited protection.
Excellent performance. Uses Alibaba Cloud BGP bandwidth, so a single IP address provides high-speed access for users across multiple carriers — including China Telecom, China Unicom, and China Mobile.
Massive bandwidth. Provides large-scale traffic scrubbing bandwidth suitable for sales promotions, product launches, and core business services.
Flexible sharing. Multiple IP addresses can share one protection instance, efficiently covering multiple assets.
Key concepts
DDoS attack: A distributed denial-of-service (DDoS) attack uses malicious traffic to exhaust network or device resources, preventing websites or services from operating normally. For details, see What is a DDoS attack.
Regular Alibaba Cloud service vs. EIP with Anti-DDoS (Enhanced) enabled:
| | Regular Alibaba Cloud service | EIP with Anti-DDoS (Enhanced) enabled |
|---|---|---|
| Definition | Cloud products with default DDoS mitigation — ECS instances, EIPs, and SLB instances | EIPs with enhanced DDoS mitigation enabled at purchase time |
| When policies take effect | Only when under attack and traffic is being scrubbed | Always; all traffic passes through the scrubbing center |
| Mitigation capability | Shared region-level scrubbing, up to hundreds of Gbps in the Chinese mainland | Tbps-level unlimited protection |
| Purchase configuration | Set Security Protection to Default when purchasing an EIP | Set Security Protection to Anti-DDoS (Pro/Premium) when purchasing an EIP |
Editions
Anti-DDoS Origin 1.0 is no longer available for new purchases. All information below refers to version 2.0. Mitigation capability is not a fixed value — it is dynamically adjusted based on the overall protection level of the cloud data center.
Anti-DDoS Origin 2.0 is available in three editions:
| | Inclusive Edition for SME (subscription) | Enterprise Edition (subscription) | Enterprise Edition (pay-as-you-go) |
|---|---|---|---|
| Supported asset types | Regular Alibaba Cloud services only | Regular Alibaba Cloud services only | Regular Alibaba Cloud services and EIPs with Anti-DDoS (Enhanced) enabled |
| Protected objects | ECS, SLB, EIPs (including EIPs associated with NAT gateways), IPv6 gateways, simple application servers, WAF, and GA | Same as Inclusive Edition | Same as Inclusive Edition, plus EIPs with Anti-DDoS (Enhanced) enabled |
| Asset regions covered | One region per account | All regions in the account | All regions in the account |
| Network types | IPv4 or IPv6 (one type only) | Both IPv4 and IPv6 | Both IPv4 and IPv6 |
| Number of protected IPs | 1–29 | 30–2,000 | Up to 2,000 |
| Clean bandwidth | 50 Mbps–1,000 Mbps, specified at purchase | Starts from 100 Mbps; unlimited scale-out supported | Regular services: billed by clean traffic, no bandwidth cap. EIP with Anti-DDoS (Enhanced): billed by clean traffic, bandwidth is limited |
| Mitigation sessions | 2 sessions/month | Unlimited | Unlimited |
| SLS logs | Not supported | Supported | Supported |
| Multi-account management | Not supported | Supported | Supported |
Clean bandwidth is shared across all protected cloud products. The instance specification must exceed the total bandwidth of all protected assets. For example, to protect three products with a combined bandwidth of 2,000 Mbps, select an instance with clean bandwidth greater than 2,000 Mbps.
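The sizing rule above, combined with the subscription-edition limits from the table, can be checked against an asset inventory before purchase. This is an added example, not Alibaba Cloud code: the `Asset` record, the function name and the sample inventories are constructed, the pay-as-you-go edition is left out, and treating the 30–2,000 range as a purchased quota is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Asset:                 # constructed inventory record, not an API type
    ip: str                  # public IP of the protected object
    region: str
    bandwidth_mbps: int      # provisioned bandwidth of the asset

def size_subscription(assets):
    """Map an inventory to a subscription edition using the table's limits."""
    if not assets:
        raise ValueError("no assets to protect")
    ips = {ip_address(a.ip) for a in assets}        # validates and de-duplicates
    if len(ips) > 2000:
        raise ValueError("more than 2,000 IPs: outside every edition's range")
    regions = {a.region for a in assets}
    families = {ip.version for ip in ips}
    total = sum(a.bandwidth_mbps for a in assets)
    need = total + 1     # clean bandwidth must exceed the combined bandwidth

    blockers = []        # reasons the Inclusive Edition for SME does not fit
    if len(ips) > 29:
        blockers.append(f"{len(ips)} IPs is above the 1-29 range")
    if len(regions) > 1:
        blockers.append(f"assets span {len(regions)} regions, limit is one")
    if len(families) > 1:
        blockers.append("IPv4 and IPv6 both present, only one type allowed")
    if need > 1000:
        blockers.append(f"more than {total} Mbps needed, ceiling is 1,000")

    if not blockers:
        return {"edition": "Inclusive Edition for SME (subscription)",
                "ip_quota": len(ips), "min_clean_mbps": max(50, need),
                "blockers": blockers}
    # Assumption: 30-2,000 is a purchased quota, so small inventories buy 30.
    return {"edition": "Enterprise Edition (subscription)",
            "ip_quota": max(30, len(ips)), "min_clean_mbps": max(100, need),
            "blockers": blockers}

# Constructed inventories (documentation-range IPs, sample region names).
SINGLE_REGION = [Asset("203.0.113.10", "cn-hangzhou", 200),
                 Asset("203.0.113.11", "cn-hangzhou", 300)]
DUAL_STACK = [Asset("203.0.113.10", "cn-hangzhou", 200),
              Asset("2001:db8::1", "cn-beijing", 100)]
PAGE_EXAMPLE = [Asset("198.51.100.1", "cn-hangzhou", 1000),
                Asset("198.51.100.2", "cn-hangzhou", 500),
                Asset("198.51.100.3", "cn-hangzhou", 500)]
```

`PAGE_EXAMPLE` reproduces the three-product, 2,000 Mbps case from the paragraph above; the `blockers` list records why the smaller edition was ruled out.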
Mitigation capabilities by region (version 2.0)
| Region | Inclusive Edition for SME (subscription) | Enterprise Edition (subscription) | Enterprise Edition (pay-as-you-go) — EIP with Anti-DDoS (Enhanced) |
|---|---|---|---|
| Chinese mainland — main cities: China (Beijing), China (Shanghai), China (Hangzhou), China (Shenzhen), China (Ulanqab), China (Zhangjiakou), China (Hohhot), China (Heyuan) | Up to 300–600 Gbps | Up to 300–600 Gbps | Up to Tbit/s; available in China (Beijing), China (Shanghai), and China (Hangzhou) only |
| Chinese mainland — other cities: China (Chengdu), China (Guangzhou), China (Qingdao) | Up to 10 Gbps | Up to 10 Gbps | Up to Tbit/s |
| China (Hong Kong), Singapore, Germany (Frankfurt), US (Silicon Valley), US (Virginia) | Up to 100–200 Gbps | Up to 100–200 Gbps | Up to Tbit/s |
| Japan (Tokyo) | Up to tens of Gbps | Up to tens of Gbps | Up to Tbit/s |
| Other regions | Less than 10 Gbps | Less than 10 Gbps | Up to Tbit/s |
Get started
Follow these steps to start using Anti-DDoS Origin:
Add protected objects — add cloud resources with public IP addresses to the instance
Configure mitigation policies — customize policies based on your traffic characteristics (Mitigation Settings (Legacy))
Monitor service traffic — view real-time traffic data (Business Monitoring)
Enable mitigation analysis — query mitigation logs and view built-in reports
View attack events — inspect details of attack events on protected assets (Attack analysis)
View blackhole filtering and scrubbing events — track events in Event Center
FAQ
What is the difference between Anti-DDoS Origin and Anti-DDoS Proxy?
Anti-DDoS Origin attaches directly to your existing public IP addresses — no IP changes required. It provides region-level shared protection (Gbps-scale) and is cost-effective for general volumetric attack mitigation.
Anti-DDoS Proxy requires routing traffic through an Anti-DDoS Proxy IP address. It provides dedicated, Tbps-level protection with a higher SLA and supports Layer 7 attack mitigation. Use Anti-DDoS Proxy for core services or when you need to handle ultra-large-scale attacks.
| | Anti-DDoS Origin | Anti-DDoS Proxy |
|---|---|---|
| Positioning | Enhanced protection for cloud products | Professional-grade standalone protection |
| IP address change | Not required | Required — traffic switches to an Anti-DDoS Proxy IP |
| Mitigation capability | Region-level shared (Gbps-scale) | Dedicated resources (Tbit/s-scale), higher SLA |
| Best for | Cost-effective basic mitigation, no-disruption setup | Core services, ultra-large-scale attacks, or Layer 7 attacks |
| Cost | Lower | Higher |
Can Anti-DDoS Origin mitigate HTTP flood attacks?
No. Anti-DDoS Origin mitigates only Layer 3 and Layer 4 volumetric attacks — for example, UDP floods and SYN floods. For Layer 7 attack protection, use Anti-DDoS Proxy.