This page defines the key concepts you'll encounter when using Anti-DDoS Origin.
DDoS attack
A Distributed Denial of Service (DDoS) attack attempts to make a service unavailable by overwhelming it with traffic. DDoS attacks fall into two categories:
Volumetric attacks — Target network bandwidth. Attackers use multiple compromised machines or attack simulators to flood a target with requests or data packets, exhausting bandwidth until the service becomes unavailable.
Application-layer attacks — Target servers directly. Malicious requests exhaust server memory or CPU, preventing the server from responding to legitimate requests.
Traffic scrubbing
Traffic scrubbing uses an anti-DDoS device or service to inspect and filter inbound traffic. It separates attack traffic from service traffic, forwarding only service traffic to the server. This reduces pressure on the server and keeps the service available during an attack.
When attack traffic exceeds the mitigation capability, traffic scrubbing alone can no longer protect the service. At that point, blackhole filtering is triggered.
Blackhole filtering
Blackhole filtering is triggered when a DDoS attack exceeds the mitigation capability provided for a service. To protect other services on the same network, the system discards all inbound traffic destined for the affected service.
For details on when blackhole filtering is triggered and how long it lasts, see Blackhole filtering policy of Alibaba Cloud.
Best-effort protection
Best-effort protection defends against DDoS attacks based on the network capacity of the cloud data center where your assets are hosted. The protection level is dynamic: it improves as Alibaba Cloud expands its network infrastructure, but may be reduced during periods of high data center demand.
For the protection capabilities of each Anti-DDoS Origin instance type, see Mitigation capabilities.
Mitigation sessions
A mitigation session tracks how much best-effort protection a protected asset has consumed in a given month.
How sessions are counted:
The system records a traffic data point every 5 seconds (12 per minute). When attack traffic exceeds the threshold N Gbps, the system starts accumulating attack duration. Every 15 minutes of accumulated attack time (180 data points) consumes one mitigation session.
| Asset location | Threshold (N) |
|---|---|
| The Chinese mainland | 20 Gbps |
| Outside the Chinese mainland | 10 Gbps |
The red line represents the inbound traffic of a public IP-enabled asset. The accumulated attack duration (X+Y in the diagram) counts toward session consumption.
Example (Chinese mainland asset):
A Chinese mainland asset is attacked twice in one month, both exceeding 20 Gbps: the first attack lasts 10 minutes, the second lasts 12 minutes, for 22 minutes of accumulated attack time.
| Accumulated attack time | Sessions consumed |
|---|---|
| 0–15 min | 0 |
| 15 min | 1st session consumed; remaining 7 min carried forward |
| 7 min (carried) + 8 min of additional attacks (= 15 min in new session) | 2nd session consumed |