Anti-DDoS Proxy is a proxy service that protects your services from large-scale distributed denial-of-service (DDoS) attacks. The service redirects your service traffic to globally distributed scrubbing centers, which filter out malicious attack traffic and forward only legitimate traffic to your origin server. This process ensures the stability and availability of your services during an attack.
How it works
Anti-DDoS Proxy ensures service stability in three steps:
Traffic redirection: All incoming traffic from the Internet is redirected to an Anti-DDoS scrubbing center by modifying the DNS record or by pointing the service IP address to the IP address of the Anti-DDoS instance. For more information, see Traffic redirection methods.
Traffic scrubbing: The Anti-DDoS scrubbing center uses multilayer detection and filtering engines to defend against Layer 3 and Layer 4 volumetric attacks, such as SYN floods and UDP floods. The center also protects against Layer 7 application-layer attacks, such as HTTP floods. Malicious attack traffic is precisely identified and dropped.
Forwarding traffic to the origin server: After the traffic is scrubbed, legitimate traffic is securely and reliably returned to your origin server through port and protocol forwarding.
Traffic redirection methods
You can use one of the following methods to direct your service traffic to the IP address of the Anti-DDoS instance for scrubbing.
Redirection Method | Description | Use cases | Pros | Cons |
DNS resolution | You change the DNS record of your domain name (for example, | Services that are accessed through a domain name, such as websites, web applications, and APIs. | Simple to configure and takes effect quickly. This allows for rapid switching during an attack. | Cannot protect against attacks that directly target the origin IP address. |
Direct IP pointing | You configure forwarding rules in the Anti-DDoS instance to use the instance's IP address as the service entry point. The traffic is then sent back to the real server IP address. Clients directly access the IP address of the Anti-DDoS instance. | Non-website services that are accessed directly using an IP address, such as games and app backend services. | Directly protects the IP address and hides the origin server. | Switching IP addresses may affect some client connections. |
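The table notes that DNS resolution cannot protect against attacks aimed directly at the origin IP address, so after cutover it helps to audit the zone for records that still publish that address. The following is an added example, not Alibaba Cloud code; it extends the check to CNAME chains, MX hosts and SPF entries. The zone contents, host names and documentation-range IP addresses are constructed assumptions.

```python
import ipaddress
import re

# Constructed data: documentation-range IPs and hypothetical host names.
ORIGIN = ipaddress.ip_network("203.0.113.10/32")   # real server, must stay hidden
ZONE = """\
www.example.com.   A     198.51.100.7
api.example.com.   CNAME www.example.com.
ftp.example.com.   A     203.0.113.10
dev.example.com.   CNAME ftp.example.com.
example.com.       MX    10 mail.example.com.
mail.example.com.  A     203.0.113.10
example.com.       TXT   "v=spf1 ip4:203.0.113.10 -all"
"""

def parse(zone_text):
    """Split simple 'name type value' lines into (name, rtype, value) tuples."""
    rows = (line.split(None, 2) for line in zone_text.splitlines() if line.strip())
    return [(n.lower(), t.upper(), v.strip()) for n, t, v in rows]

def is_origin(text):
    try:
        return ipaddress.ip_address(text) in ORIGIN
    except ValueError:
        return False

def resolve(name, records, depth=0):
    """Follow CNAMEs inside the record set and return the final addresses."""
    out = set()
    for n, t, v in records:
        if n == name.lower() and t in ("A", "AAAA"):
            out.add(v)
        elif n == name.lower() and t == "CNAME" and depth < 8:  # loop guard
            out |= resolve(v, records, depth + 1)
    return out

def audit(zone_text):
    """Return sorted (name, rtype, reason) findings that expose the origin."""
    records, findings = parse(zone_text), set()
    for name, rtype, value in records:
        if rtype == "TXT":   # SPF ip4:/ip6: mechanisms publish addresses directly
            hits = re.findall(r"ip[46]:([0-9A-Fa-f:.]+)", value)
            reason = "SPF lists origin"
        else:                # A/AAAA/CNAME resolve by name, MX by its mail host
            target = value.split()[-1] if rtype == "MX" else name
            hits = resolve(target, records)
            reason = "mail host on origin" if rtype == "MX" else "resolves to origin"
        if any(is_origin(h) for h in hits):
            findings.add((name, rtype, reason))
    return sorted(findings)
```

Calling `audit(ZONE)` on the constructed zone returns five findings; only `www` and `api`, which resolve to the stand-in Anti-DDoS instance address, come back clean.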
Benefits
Quick and easy deployment
The service supports two connection types: DNS resolution and direct IP pointing. You do not need to install hardware or software, or adjust routing configurations. You can typically complete the setup in minutes, depending on factors such as DNS propagation time. This approach also hides and protects your origin IP address.
AI-driven precise protection
Network-layer attack prevention: In addition to traditional feature detection, the service uses an IP reputation library and deep packet inspection (DPI) to accurately identify and block various volumetric attacks.
Application-layer CC attack protection: An AI engine automatically learns your service model to accurately identify and filter CC attack traffic. The service supports fine-grained protection policies at the URL level, which significantly reduces O&M complexity.
Massive global mitigation capacity
The global protection network of Anti-DDoS Proxy has a total bandwidth of over 20 Tbps, with more than 5 Tbps of mitigation bandwidth outside the Chinese mainland. This capacity effectively defends against various DDoS attacks at the network, transport, and application layers, ensuring a smooth global access experience.
Flexible burstable protection
You can upgrade your protection bandwidth online at any time, and the changes take effect in seconds. This lets you instantly increase your defense capabilities in response to burst attacks without service interruptions or adjustments.
Financial-grade stability and high availability
The service uses a fully redundant architecture with comprehensive monitoring of data centers, servers, engines, and links. It includes robust automatic failover and recovery mechanisms to ensure 99.95% service availability.
Intelligent traffic rerouting
The service can work with other Alibaba Cloud products to automatically reroute traffic to Anti-DDoS Proxy when an attack occurs. During normal operation, the service does not intervene, which balances cost and security.
Product specifications
Anti-DDoS Proxy is available in two editions based on the physical region of your servers: Anti-DDoS Proxy (Chinese Mainland) and Anti-DDoS Proxy (Outside Chinese Mainland).
Product Type | Instance Edition | Core Features and Differences | Notes |
Anti-DDoS Proxy (Chinese Mainland) | Profession | Provides an exclusive IP address, multi-line Border Gateway Protocol (BGP) protection, and supports both basic and burstable protection. | - |
Anti-DDoS Proxy (Chinese Mainland) | Advanced | Provides two advanced mitigation sessions per month (resets monthly). | Contact your account manager to activate this edition. |
Anti-DDoS Proxy (Outside Chinese Mainland) | Insurance and Unlimited | | - |
Anti-DDoS Proxy (Outside Chinese Mainland) | Sec-CMA 2.0 | Provides access acceleration for users in the Chinese mainland and application-layer DDoS protection. After you select a specific number of DDoS mitigation sessions, it gains the capability to defend against large-volume DDoS attacks from China Telecom, China Unicom, and China Mobile lines. | None |
Anti-DDoS Proxy (Outside Chinese Mainland) | Sec-CMA 2.0 (Insurance) and Sec-CMA 2.0 (Unlimited) | Features are mostly the same as Sec-CMA 2.0. You can disable the Metering Method of 95th Percentile Burstable Clean Bandwidth and 95th Percentile Burstable QPS modes. | The features have been migrated to Sec-CMA 2.0. We do not recommend purchasing new instances. This option is only for existing instances. |
Anti-DDoS Proxy (Outside Chinese Mainland) | Chinese Mainland Acceleration and Sec-CMA 1.0 | Legacy versions that do not support China Mobile lines. | We do not recommend purchasing new instances. We recommend that you upgrade to Sec-CMA 2.0. Contact your account manager to activate the upgrade. |
Use cases and purchasing recommendations
Server deployment region | User source | Service requirements | Recommended edition |
The Chinese mainland | The Chinese mainland and outside the Chinese mainland | General DDoS protection. | Anti-DDoS Proxy (Chinese Mainland) - Profession |
Outside the Chinese mainland | Outside the Chinese mainland | Cross-border access acceleration is not required. | Anti-DDoS Proxy (Outside Chinese Mainland) - Insurance or Unlimited |
Outside the Chinese mainland | The Chinese mainland | Cross-border access acceleration is required to ensure low latency and stability. | Anti-DDoS Proxy (Outside Chinese Mainland) - Sec-CMA 2.0 |
Outside the Chinese mainland | The Chinese mainland and outside the Chinese mainland | You need to accelerate cross-border access and serve users from outside the Chinese mainland without migrating your servers. | Combined purchase: |
Outside the Chinese mainland | The Chinese mainland and outside the Chinese mainland | You can migrate your service to different servers based on the user source to enable access across borders. After migration, users from different regions are served by servers and protection editions located in their respective regions. | |
Billing
Fees for Anti-DDoS Proxy consist of subscription instance fees and pay-as-you-go burstable fees.
Instance fees (subscription): You pay monthly or yearly based on the specifications you select, such as basic protection bandwidth, clean bandwidth, and queries per second (QPS). For more information, see Billing of Insurance and Unlimited mitigation plans for Anti-DDoS Proxy (outside the Chinese mainland), Billing of CMA for Anti-DDoS Proxy (outside the Chinese mainland), and Billing of Sec-CMA for Anti-DDoS Proxy (outside the Chinese mainland).
Burstable protection fees (pay-as-you-go): You are charged only when DDoS attack traffic exceeds your basic protection bandwidth. The fee is calculated daily based on the peak attack traffic. For more information, see Metering method of burstable protection bandwidth.
Burstable clean bandwidth/QPS fees (pay-as-you-go): You are charged only when your normal service traffic or QPS exceeds your basic specifications. The fee is calculated based on the daily or monthly 95th percentile bandwidth. For more information, see Billing of burstable clean bandwidth and Billing of burstable QPS.
Global advanced mitigation session: You can purchase a global advanced mitigation session for specific instances if required. For more information, see Billing of advanced mitigation sessions.