DDoS attacks flood your services with malicious traffic, making them unavailable to legitimate users. This page maps common attack types to the mechanisms that cause outages, then walks through a layered set of mitigations — from baseline hardening steps that every service should take, to optional professional services for high-risk environments.
Common attack types
Understanding which OSI layer an attack targets helps you choose the right defense. All four types below cause a denial of service through different mechanisms.
| Attack type | Common examples | How it disrupts service |
|---|---|---|
| Network-layer attack | UDP reflection and amplification attacks, NTP flood attacks | Floods the network link with high-volume traffic, saturating the bandwidth so legitimate requests cannot get through. |
| Transport-layer attack | SYN flood, connection flood | Abuses the TCP three-way handshake: a SYN flood fills the half-open connection backlog with connections that never complete, and a connection flood exhausts the server's connection table, leaving no capacity for real users. |
| Session-layer attack | SSL-VPN connection attacks | Initiates large numbers of SSL/TLS handshakes, each of which costs the server asymmetric-cryptography CPU time and a session slot, to exhaust SSL session resources. |
| Application-layer attack | DNS flood, HTTP flood (also known as challenge collapsar, or CC, attacks), bot attacks in games | Sends requests that are valid at the application protocol level at high volume to exhaust CPU and memory, causing the application to stop responding. |
Baseline mitigations (recommended for all services)
Start here regardless of your service type or budget. These steps reduce your attack surface and improve your architecture's natural resilience.
System hardening
Minimize the attack surface
Reduce the number of entry points exposed to the Internet. In the ECS console, find the security group associated with your instance and create security group rules. For a typical web server:
Open only ports 80 and 443 to the Internet.
Restrict remote management ports (22 for SSH, 3389 for RDP) to specific IP address ranges, such as your office network.
If a Server Load Balancer (SLB) instance or an Anti-DDoS Proxy instance is deployed in front of your origin server, configure the security group to accept traffic only from the back-to-origin IP address ranges of those products.
For details, see Create a security group.
Use a virtual private cloud (VPC)
Deploy your resources inside a virtual private cloud (VPC) to logically isolate your network. This limits the blast radius if an internal machine is compromised. For details, see What is VPC?.
Harden your servers
Improve each server's ability to withstand connection-layer attacks and slow down resource exhaustion:
Keep software up to date: Apply OS and application security patches promptly.
Reduce open services and ports: Shut down services and ports not in use. A web server that only serves HTTP and HTTPS should expose nothing beyond ports 80 and 443, with management ports reachable only from the ranges allowed in the security group.
Restrict external file sharing: Do not expose file-sharing services (for example SMB or NFS) to external networks, so that remote hosts cannot modify core files.
Tune network policies: On your router, configure throttling, packet filtering, drops for packets with spoofed source addresses, SYN thresholds, and disabled ICMP and UDP broadcasts. On the hosts, use a software firewall such as iptables to rate-limit new TCP connections per source IP address and cap the number of concurrent connections from a single source. Reduce the maximum number of SYN half-open connections and shorten their timeout, or enable SYN cookies so that the server holds no state for half-open connections at all.
Monitor logs: Review network device and server logs regularly to catch anomalies or early attack indicators.
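A host-level version of the hardening steps above for a Linux web server, as an added example that is not code from this page or from Alibaba Cloud. It assumes iptables and sysctl are available, that 203.0.113.0/24 stands in for your office network, that UPSTREAM_CIDRS (empty by default) would hold the back-to-origin ranges of an SLB or Anti-DDoS Proxy deployed in front of the server, and that the connection and rate thresholds are starting points to tune against your own load-test baseline. By default it only prints the commands; run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Host hardening for a Linux web server: SYN handling, spoofed-source drops,
# per-source connection caps and rate limits, and a minimal inbound allowlist.
# DRY_RUN=1 (default) prints each command instead of executing it.
set -eu

DRY_RUN="${DRY_RUN:-1}"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"   # placeholder for the office network allowed to SSH
UPSTREAM_CIDRS="${UPSTREAM_CIDRS:-}"         # back-to-origin ranges of SLB / Anti-DDoS Proxy; empty = directly exposed
NEW_CONN_RATE="${NEW_CONN_RATE:-30/second}"  # new TCP connections per source IP before dropping (example value)
NEW_CONN_BURST="${NEW_CONN_BURST:-60}"
MAX_CONN_PER_IP="${MAX_CONN_PER_IP:-50}"     # concurrent connections per source IP (example value)

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

kernel_tuning() {
  run sysctl -w net.ipv4.tcp_syncookies=1              # keep no half-open state under a SYN flood
  run sysctl -w net.ipv4.tcp_max_syn_backlog=4096
  run sysctl -w net.ipv4.tcp_synack_retries=2          # half-open connections time out sooner
  run sysctl -w net.ipv4.conf.all.rp_filter=1          # drop packets whose source is not routable back on that interface
  run sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # never answer broadcast pings
}

firewall_rules() {
  run iptables -F INPUT
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  # Management port only from the administrative network.
  run iptables -A INPUT -p tcp --dport 22 -s "$ADMIN_CIDR" -m conntrack --ctstate NEW -j ACCEPT
  # Cap concurrent connections per /32, then rate-limit new connections per source.
  run iptables -A INPUT -p tcp -m multiport --dports 80,443 \
      -m connlimit --connlimit-above "$MAX_CONN_PER_IP" --connlimit-mask 32 -j DROP
  run iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW \
      -m hashlimit --hashlimit-name web_new --hashlimit-mode srcip \
      --hashlimit-above "$NEW_CONN_RATE" --hashlimit-burst "$NEW_CONN_BURST" -j DROP
  # Web ports: only from the upstream proxy ranges when one is in front, otherwise from anywhere.
  if [ -n "$UPSTREAM_CIDRS" ]; then
    for cidr in $UPSTREAM_CIDRS; do
      run iptables -A INPUT -p tcp -m multiport --dports 80,443 -s "$cidr" -m conntrack --ctstate NEW -j ACCEPT
    done
  else
    run iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
  fi
  # Default-deny last, so an SSH session applying this is not cut off before its ACCEPT rule exists.
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
}

web_hardening() {
  kernel_tuning
  firewall_rules
}

web_hardening
```

The connlimit rule sits before the hashlimit rule so that a source holding too many open connections is cut off regardless of how slowly it opens new ones, and the per-source ACCEPT rules come after both drops. When a proxy is in front, the drop thresholds should be raised or moved to the proxy, because all legitimate traffic then arrives from a handful of back-to-origin addresses.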
Architecture optimization
Run a performance baseline
Before launch, or as early as possible afterwards, run a load test to determine the throughput ceiling of your current architecture. This gives you a concrete reference point for DDoS planning: you cannot defend what you have not measured.
Deploy Server Load Balancer
Use an SLB instance as the entry point for incoming traffic and attach multiple ECS instances to the backend. Distributing traffic across multiple servers removes single points of failure and raises the overall capacity an attacker must overwhelm. For details, see Quickly enable load balancing for IPv4 services.
Provision spare bandwidth
Get the P95 (95th percentile) bandwidth value for the last 30 days from Cloud Monitor. The P95 excludes the top 5% of samples, so short spikes (including past small attacks) do not inflate it. Provision an additional 50%–100% of that P95 value as spare capacity, depending on your budget; for example, with a P95 of 100 Mbit/s, provision 150–200 Mbit/s in total. This absorbs traffic bursts and small-scale attacks without affecting normal users.
Configure Auto Scaling
Set up a scaling group with a rule such as: "Add one ECS instance if the average CPU utilization exceeds 75% for three consecutive minutes." This handles application-layer attacks — such as HTTP floods — that drive CPU or memory to saturation.
Auto Scaling is not effective against network-layer attacks: when the inbound link is saturated, traffic is dropped before it reaches any instance, so adding instances adds cost without adding bandwidth. Set a maximum instance count to cap scaling costs during an attack.
For details, see What is Auto Scaling?.
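The two calculations above, the P95-plus-headroom bandwidth figure and the scale-out rule with its instance cap, as a small POSIX shell script. This is an added example, not Alibaba Cloud tooling or code from this page: the bandwidth and CPU samples are constructed, the Cloud Monitor export is assumed to be one Mbit/s sample per line on standard input, and the nearest-rank definition of P95 is one common convention.

```shell
#!/bin/sh
# Capacity arithmetic for the two rules above: P95-plus-headroom bandwidth and
# a CPU-based scale-out check with an instance cap. All input samples are constructed.
set -eu

# p95: one bandwidth sample (Mbit/s) per line on stdin; prints the nearest-rank
# 95th percentile, i.e. the value at position ceil(0.95 * N) of the sorted samples.
p95() {
  sort -n | awk '
    { v[NR] = $1 }
    END {
      if (NR == 0) { print 0; exit }
      i = int((95 * NR + 99) / 100)   # integer ceil(95*N/100), avoids float rounding
      print v[i]
    }'
}

# spare_bandwidth P95 HEADROOM: total to provision when adding HEADROOM (0.5 .. 1.0) on top of P95.
spare_bandwidth() {
  awk -v p="$1" -v h="$2" 'BEGIN { printf "%.0f\n", p * (1 + h) }'
}

# scale_out_needed THRESHOLD MINUTES: per-minute average CPU samples on stdin;
# succeeds only if the most recent MINUTES samples are all above THRESHOLD.
scale_out_needed() {
  awk -v thr="$1" -v n="$2" '
    { s[NR] = $1 }
    END {
      if (NR < n) exit 1
      for (i = NR - n + 1; i <= NR; i++) if (s[i] <= thr) exit 1
      exit 0
    }'
}

# next_instance_count CURRENT MAX THRESHOLD MINUTES: add one instance when the
# rule fires, but never exceed MAX (the cost cap that matters during an attack).
next_instance_count() {
  cur=$1
  max=$2
  if scale_out_needed "$3" "$4" && [ "$cur" -lt "$max" ]; then
    echo $((cur + 1))
  else
    echo "$cur"
  fi
}

# Constructed 20-day sample: steady growth plus one 950 Mbit/s spike (a past attack).
SAMPLES="40 42 45 50 55 60 65 70 72 75 80 85 90 95 100 110 120 125 130 950"
P95="$(printf '%s\n' $SAMPLES | p95)"
echo "P95 bandwidth: ${P95} Mbit/s"                                      # 130: the spike lies above P95
echo "Provision (50% headroom): $(spare_bandwidth "$P95" 0.5) Mbit/s"    # 195
echo "Provision (100% headroom): $(spare_bandwidth "$P95" 1.0) Mbit/s"   # 260

# Constructed per-minute CPU series: the last three minutes all exceed 75%, two of four instances running.
echo "Instances after evaluation: $(printf '%s\n' 40 60 78 81 90 | next_instance_count 2 4 75 3)"   # 3
```

Note that a single sample below the threshold inside the window (for example 78, 74, 90) resets the rule, which is what "three consecutive minutes" means and why a sustained HTTP flood triggers it while a one-minute blip does not.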
Optimize DNS resolution
Service redundancy: Host your domain with multiple DNS providers to achieve high availability for DNS resolution.
Traffic filtering: Drop unsolicited DNS responses, queries from unknown sources, burst requests, and abnormal fast-retransmission packets.
Access control: Apply access control lists (ACLs), BCP38 source address validation (dropping packets whose source address could not legitimately arrive on that interface), and IP reputation filtering to block malicious sources. Enable DNS client validation.
Efficiency tuning: Set a reasonable TTL value and enable DNS response caching to reduce load on the authoritative server. A longer TTL also lets resolvers keep serving cached answers while the authoritative server is under attack.
Professional security services (optional)
For services that face sustained or large-scale attacks, Alibaba Cloud offers dedicated anti-DDoS products. The table below shows what each product protects against and the scenarios where it fits.
| Service | Protection details | Best for |
|---|---|---|
| Web Application Firewall (WAF) | Defends against connection-layer, session-layer, and application-layer attacks, including common HTTP floods. | HTTP/HTTPS services: websites, APIs, HTML5 (H5) pages. |
| Anti-DDoS Origin | Provides shared, unlimited protection for the IP addresses of your Alibaba Cloud products. Protection takes effect immediately. | Services already on Alibaba Cloud that need stronger baseline mitigation or want to avoid blackhole filtering. |
| Anti-DDoS Proxy | Defends against high-volume network-layer, transport-layer, and application-layer attacks. | Services prone to large-scale volumetric attacks: games, finance applications, and e-commerce platforms. |
For details, see What is WAF?, What is Anti-DDoS Origin?, and What is Anti-DDoS Proxy?.
Set up service monitoring
Anti-DDoS Origin Basic alerts
When your service is under a DDoS attack, Anti-DDoS Origin Basic sends alerts by default via text message and email. To configure alert recipients, see Set up alerting for Anti-DDoS Origin Basic attack events.
In the Traffic Security console, go to the Event Center to view ongoing attack events, attack types, and traffic peaks.
Cloud Monitor
Cloud Monitor collects metrics for your Alibaba Cloud resources and custom metrics, monitors service availability, and supports threshold-based alerts. For details, see What is Cloud Monitor?.
Usage restrictions
DDoS attacks can harm the stability of the shared network environment. To protect resources for all users, follow these rules:
Do not use cloud products (such as OSS, DNS, ECS, SLB, or EIPs) to build or resell DDoS mitigation services on the cloud.
Do not release instances that are in blackhole filtering status.
Do not continuously replace, detach, or add IP-based products — such as SLB instances, elastic IP addresses (EIPs), or NAT Gateways — for servers in blackhole filtering status.
Do not build an IP pool or spread attack traffic across many IP addresses for the purpose of defense.
Do not use cloud products not designed for network security — such as CDN or OSS — to protect services under attack.
Do not use multiple accounts to bypass the rules above.