Anti-DDoS Origin is a security service that enhances mitigation against DDoS attacks for Alibaba Cloud services. Anti-DDoS Origin directly protects Alibaba Cloud resources. You do not need to change the IP addresses of the resources that you want to protect or consider the limits on the number of Layer 4 ports or Layer 7 domain names. You need to only add the IP address of an asset to an Anti-DDoS Origin instance for protection. This topic describes how Anti-DDoS Origin works, the mitigation capabilities of Anti-DDoS Origin, and the details of each Anti-DDoS Origin edition.
How it works
Anti-DDoS Origin protects your resources against Layer 3 and Layer 4 volumetric attacks. When the traffic exceeds the default traffic scrubbing threshold of Anti-DDoS Origin, traffic scrubbing is automatically triggered to mitigate DDoS attacks.
Anti-DDoS Origin adopts passive scrubbing as a major mitigation approach and active blocking as an auxiliary approach to mitigate DDoS attacks. Anti-DDoS Origin uses conventional technologies such as reverse detection, blacklists, whitelists, and packet compliance. This way, your asset that is protected by Anti-DDoS Origin can work as expected even when an attack is ongoing. Anti-DDoS Origin deploys a DDoS attack detection and traffic scrubbing system at the egress of an Alibaba Cloud data center. This system is deployed in bypass mode.
Why choose Anti-DDoS Origin
Anti-DDoS Origin starts to protect your service immediately after you purchase an instance. Anti-DDoS Origin supports quick deployment within at least one minute. Anti-DDoS Origin directly protects your cloud services. This eliminates the need to deploy mitigation plans and switch IP addresses.
Anti-DDoS Origin provides burstable protection. When your assets experience volumetric DDoS attacks, Anti-DDoS Origin uses all resources in a region to provide best-effort protection.
Anti-DDoS Origin adopts Alibaba Cloud Border Gateway Protocol (BGP) bandwidth resources across different Internet service providers (ISPs). The ISPs include China Telecom, China Unicom, China Mobile, China Education and Research Network (CERNET), and Great Wall Broadband Network. You can obtain fast access to the networks of the ISPs by using only one IP address.
Anti-DDoS Origin provides protection bandwidth as required. This can ensure service stability and security for big promotions, event releases, and important services.
Anti-DDoS Origin supports protection capacity sharing among multiple IP addresses. This enhances protection for multiple IP addresses.
Editions
Category | Edition | Description |
Anti-DDoS Origin 1.0 (Subscription) | Enterprise | No longer available for new purchases. |
Anti-DDoS Origin 2.0 (Subscription) | Inclusive Edition for Small and Medium Enterprises, Enterprise | Only regular Alibaba Cloud services are supported. EIPs with Anti-DDoS (Enhanced) enabled are not supported.
|
Anti-DDoS Origin 2.0 (Pay-as-you-go) | Enterprise | Both regular Alibaba Cloud services and EIPs with Anti-DDoS (Enhanced) enabled are supported. |
Types of cloud services that can be protected
To clarify, Anti-DDoS Origin distinguishes between regular Alibaba Cloud services and Elastic IPs (EIPs) with Anti-DDoS (Enhanced) enabled.
Regular Alibaba Cloud services
These services have default DDoS mitigation capabilities and offer best-effort protection of up to hundreds of Gbit/s in regions within mainland China. For more information about mitigation capabilities, see Mitigation capabilities.
Regular Alibaba Cloud services include ECS instances, SLB instances, IPv6 gateways, simple application servers, WAF instances, GA instances, and EIPs (When you purchase an EIP, select Security Protection and then select Default, as shown in the following figure).
EIPs with Anti-DDoS (Enhanced) enabled
These services feature enhanced DDoS mitigation capabilities, providing best-effort protection of up to Tbit/s.
To enable Anti-DDoS (Enhanced) for EIPs, select Security Protection and then select Anti-DDoS (Enhanced), as shown in the following figure.
Mitigation capabilities
Anti-DDoS Origin offers best-effort protection against DDoS attacks, relying on the network capacity of the cloud data center. The protection level is dynamic and improves as Alibaba Cloud upgrades its network infrastructure, though it may be reduced during peak demand periods. Anti-DDoS Origin is available in editions 1.0 and 2.0, with edition 1.0 no longer available for new purchases. The table below outlines the reference mitigation capabilities of Anti-DDoS Origin 2.0.
Region | Anti-DDoS Origin 2.0 (Subscription) of Inclusive Edition for Small and Medium Enterprises | Anti-DDoS Origin 2.0 (Subscription) Enterprise | Anti-DDoS Origin 2.0 (Pay-as-you-go) Enterprise | ||
Regular Alibaba Cloud service | Regular Alibaba Cloud service | Regular Alibaba Cloud service | EIP with Anti-DDoS (Enhanced) enabled | ||
Chinese mainland | China (Beijing), China (Shanghai), China (Hangzhou), China (Shenzhen), China (Ulanqab), China (Zhangjiakou), China (Hohhot), China (Heyuan) | Up to 300 Gbit/s to 600 Gbit/s. | Up to Tbit/s. Only available for purchase in China (Beijing), China (Shanghai), and China (Hangzhou). | ||
China (Chengdu), China (Guangzhou), China (Qingdao) | Up to tens of Gbit/s. | ||||
Regions outside the Chinese mainland | China (Hong Kong), Singapore, Japan (Tokyo), Germany (Frankfurt), US (Silicon Valley), US (Virginia) | Up to tens of Gbit/s. For higher protection requirements, we recommend you use EIPs with Anti-DDoS (Enhanced) enabled. | Up to Tbit/s. | ||
Other regions | The maximum mitigation capability is 10 Gbit/s. We recommend you use EIPs with Anti-DDoS (Enhanced) enabled. | Up to Tbit/s. | |||
Feature comparison
The following table describes the features of different editions.
Item | Anti-DDoS Origin 1.0 | Anti-DDoS Origin 2.0 (Subscription) | Anti-DDoS Origin 2.0 (Pay-as-you-go) | |
Enterprise | Inclusive Edition for Small and Medium Enterprises | Enterprise | Enterprise | |
Objects that can be protected | Alibaba Cloud assets: ECS instances, SLB instances, EIPs (including EIPs associated with NAT gateways), IPv6 gateways, simple application servers, WAF instances, GA instances |
| ||
Billing methods | Subscription. For more information, see Anti-DDoS Origin 1.0 (subscription). | Subscription. For more information, see Anti-DDoS Origin 2.0 (Subscription). | Subscription. For more information, see Anti-DDoS Origin 2.0 (Subscription). | Pay-as-you-go. For more information, see Anti-DDoS Origin 2.0 (Pay-as-you-go). |
Mitigation sessions | Unlimited. | Two sessions per month. | Unlimited. | Unlimited. |
Number of regions that can be protected | Protects assets that are assigned public IP addresses in one region. | Protects assets that are assigned public IP addresses in one region. | Protects assets that are assigned public IP addresses in all regions within the current Alibaba Cloud account. | Protects assets that are assigned public IP addresses in all regions within the current Alibaba Cloud account. |
Network types of the assets that can be protected | Either IPv4 assets or IPv6 assets are supported. | Either IPv4 assets or IPv6 assets are supported. | Both IPv4 assets and IPv6 assets are supported. | Both IPv4 assets and IPv6 assets are supported. |
Number of IP addresses that can be protected | Minimum of 100 IPs. | When purchasing an instance, you can select a value from 1 to 29. | When you purchase an instance, you can select from 30 to 2000. For higher specifications, please contact a sales manager. | A maximum of 2,000. |
Clean bandwidth | You can flexibly select bandwidth when purchasing an instance, with support for unlimited scaling. | 50 to 1,000 Mbit/s. | Minimum of 100 Mbit/s. |
|
SLS logs | Supported. | Not supported. | Supported. | Supported. |
Multi-account management | Not supported. | Not supported. | Supported. | Supported. |
The clean bandwidth that you specify for an instance is shared by all Alibaba Cloud assets protected by the instance. For example, the total clean bandwidth of the three Alibaba Cloud assets that you want to add to an Anti-DDoS Origin instance is 2,000 Mbit/s. You must specify a clean bandwidth that is greater than 2,000 Mbit/s when you purchase the instance.
Limits
You can directly purchase Anti-DDoS Origin instances only in the Chinese mainland. If you want to purchase an Anti-DDoS Origin instance outside the Chinese mainland, contact your account manager. For more information about how to contact the account manager, see Contact us.
How to use an Anti-DDoS Origin instance
Add an oAdd an asset that is assigned a public IP address to the instancebject for protection.
Create custom mitigation policies based on your business requirements.
Enable the mitigation logs feature. You can use this feature to query and analyze mitigation logs and view mitigation reports.
View blackhole filtering events and traffic scrubbing events. For more information, see View the Event Center page.