All Products
Search

This Product

    Anti-DDoS:What is Anti-DDoS Origin?

    Document Center

    Anti-DDoS:What is Anti-DDoS Origin?

    Last Updated:Jul 11, 2024

    Anti-DDoS Origin is a security service that enhances mitigation against DDoS attacks for Alibaba Cloud services. Anti-DDoS Origin directly protects Alibaba Cloud resources. You do not need to change the IP addresses of the resources that you want to protect or consider the limits on the number of Layer 4 ports or Layer 7 domain names. You need to only add the IP address of an asset to an Anti-DDoS Origin instance for protection. This topic describes how Anti-DDoS Origin works, the mitigation capabilities of Anti-DDoS Origin, and the details of each Anti-DDoS Origin edition.

    How Anti-DDoS Origin works

    Anti-DDoS Origin protects your resources against Layer 3 and Layer 4 volumetric attacks. When the traffic exceeds the default traffic scrubbing threshold of Anti-DDoS Origin, traffic scrubbing is automatically triggered to mitigate DDoS attacks.

    Anti-DDoS Origin adopts passive scrubbing as a major mitigation approach and active blocking as an auxiliary approach to mitigate DDoS attacks. Anti-DDoS Origin uses conventional technologies such as reverse detection, blacklists, whitelists, and packet compliance. This way, your asset that is protected by Anti-DDoS Origin can work as expected even when an attack is ongoing. Anti-DDoS Origin deploys a DDoS attack detection and traffic scrubbing system at the egress of an Alibaba Cloud data center. This system is deployed in bypass mode.

    Why choose Anti-DDoS Origin?

    • Anti-DDoS Origin starts to protect your service immediately after you purchase an instance. Anti-DDoS Origin supports quick deployment within at least one minute. Anti-DDoS Origin directly protects your cloud services. This eliminates the need to deploy mitigation plans and switch IP addresses.

    • Anti-DDoS Origin provides burstable protection. When your assets experience volumetric DDoS attacks, Anti-DDoS Origin uses all resources in a region to provide best-effort protection.

    • Anti-DDoS Origin adopts Alibaba Cloud Border Gateway Protocol (BGP) bandwidth resources across different Internet service providers (ISPs). The ISPs include China Telecom, China Unicom, China Mobile, China Education and Research Network (CERNET), and Great Wall Broadband Network. You can obtain fast access to the networks of the ISPs by using only one IP address.

    • Anti-DDoS Origin provides protection bandwidth as required. This can ensure service stability and security for big promotions, event releases, and important services.

    • Anti-DDoS Origin supports protection capacity sharing among multiple IP addresses. This enhances protection for multiple IP addresses.

    Editions

    • Anti-DDoS Origin 1.0: Anti-DDoS Origin 1.0 Enterprise. You must select a region when you purchase an Anti-DDoS Origin 1.0 Enterprise instance. The instance can protect only the assets that reside in the same region as the instance.

    • Anti-DDoS Origin 2.0 (Subscription): Anti-DDoS Origin 2.0 of Inclusive Edition for Small and Medium Enterprises and Anti-DDoS Origin 2.0 Enterprise.

      • Anti-DDoS Origin 2.0 of Inclusive Edition for Small and Medium Enterprises: You must select a region when you purchase an instance of Anti-DDoS Origin 2.0 of Inclusive Edition for Small and Medium Enterprises. The instance can protect only the assets that reside in the same region as the instance.

      • Anti-DDoS Origin 2.0 Enterprise: You need to only purchase an instance to protect assets in all regions within the current Alibaba Cloud account.

      Note

      We recommend that you purchase an Anti-DDoS Origin 2.0 Enterprise instance instead of an Anti-DDoS Origin 1.0 Enterprise instance.

    • Anti-DDoS Origin 2.0 (Pay-as-you-go): You can add a regular Alibaba Cloud service to an Anti-DDoS Origin 2.0 (Pay-as-you-go) instance for protection. You can also purchase an Anti-DDoS Origin 2.0 (Pay-as-you-go) instance and then purchase an elastic IP address (EIP) with Anti-DDoS (Enhanced) enabled.

      Note

      • Regular Alibaba Cloud service: If you do not specify a DDoS mitigation capability when you purchase an Alibaba Cloud service, only the basic DDoS mitigation capability from 500 Mbit/s to 5 Gbit/s is provided.

      • EIP with Anti-DDoS (Enhanced) enabled: The EIPs for which Security Protection is set to Anti-DDoS (Enhanced) when you purchase the EIPs are supported.

    Mitigation capabilities

    Anti-DDoS Origin 1.0 provides best-effort protection. The following table describes the mitigation capabilities of Anti-DDoS Origin 2.0.

    Note

    • Best-effort protection defends against DDoS attacks based on the overall network capacity of Alibaba Cloud. The best-effort protection capability increases with the increase of the overall network capacity of Alibaba Cloud.

    • If the peak attack traffic exceeds the maximum mitigation capability provided in the region in which your Anti-DDoS Origin instance resides, you can contact your account manager to unsubscribe from the Anti-DDoS Origin instance. If your instance is a subscription instance, Alibaba Cloud refunds you the remaining subscription fee of the instance. If your instance is a pay-as-you-go instance, Alibaba Cloud stops the instance in advance.

      We recommend that you purchase an Anti-DDoS Proxy instance. Anti-DDoS Proxy uses the forward proxy mode to protect cloud assets in all regions and assets in data centers. For more information, see What is Anti-DDoS Proxy?

    Region

    Anti-DDoS Origin 2.0 (Subscription) of Inclusive Edition for Small and Medium Enterprises

    Anti-DDoS Origin 2.0 (Subscription) Enterprise

    Anti-DDoS Origin 2.0 (Pay-as-you-go)

    Regular Alibaba Cloud service

    EIP with Anti-DDoS (Enhanced) enabled

    Regular Alibaba Cloud service

    EIP with Anti-DDoS (Enhanced) enabled

    Regular Alibaba Cloud service

    EIP with Anti-DDoS (Enhanced) enabled

    China (Beijing), China (Shanghai), China (Hangzhou), China (Shenzhen), China (Ulanqab), China (Zhangjiakou), China (Hohhot), and China (Heyuan)

    Up to 200 Gbit/s to 400 Gbit/s.

    Not supported.

    Best-effort protection of up to hundreds of Gbit/s.

    Not supported.

    Best-effort protection of up to hundreds of Gbit/s.

    Best-effort protection of up to Tbit/s. The mitigation capability is provided only for China (Beijing), China (Shanghai), and China (Hangzhou).

    China (Chengdu), China (Guangzhou), and China (Qingdao)

    Mitigation capability of up to tens of Gbit/s.

    Best-effort protection of up to tens of Gbit/s.

    Best-effort protection of up to tens of Gbit/s.

    Regions outside the Chinese mainland

    The maximum mitigation capability is 10 Gbit/s. We recommend that you use EIPs with Anti-DDoS (Enhanced) enabled.

    The mitigation capability is limited. We recommend that you use EIPs with Anti-DDoS (Enhanced) enabled.

    The mitigation capability is limited. We recommend that you use EIPs with Anti-DDoS (Enhanced) enabled.

    Best-effort protection of up to Tbit/s.

    Feature comparison

    The following table describes the features of different editions.

    Item

    Anti-DDoS Origin 1.0

    Anti-DDoS Origin 2.0 (Subscription)

    Anti-DDoS Origin 2.0 (Pay-as-you-go)

    Enterprise

    Inclusive Edition for Small and Medium Enterprises

    Enterprise

    Enterprise

    Objects that can be protected

    Alibaba Cloud assets: Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, EIPs, EIPs that are associated with NAT gateways, IPv6 gateways, simple application servers, Web Application Firewall (WAF) instances, and Global Accelerator (GA) instances.

    • Alibaba Cloud assets: ECS instances, SLB instances, EIPs, EIPs that are associated with NAT gateways, IPv6 gateways, simple application servers, WAF instances, and GA instances.

    • EIP with Anti-DDoS (Enhanced) enabled.

    Billing methods

    Subscription. For more information, see Anti-DDoS Origin 1.0 (Subscription).

    Subscription. For more information, see Anti-DDoS Origin 2.0 (Subscription).

    Subscription. For more information, see Anti-DDoS Origin 2.0 (Subscription).

    Pay-as-you-go. For more information, see Anti-DDoS Origin 2.0 (Pay-as-you-go).

    Mitigation sessions

    Unlimited.

    Two sessions per month.

    Unlimited.

    Unlimited.

    Number of regions that can be protected

    Protects assets that are assigned public IP addresses in one region.

    Protects assets that are assigned public IP addresses in one region.

    Protects assets that are assigned public IP addresses in all regions within the current Alibaba Cloud account.

    Protects assets that are assigned public IP addresses in all regions within the current Alibaba Cloud account.

    Network types of the assets that can be protected

    Either IPv4 assets or IPv6 assets are supported.

    Either IPv4 assets or IPv6 assets are supported.

    Both IPv4 assets and IPv6 assets are supported.

    Both IPv4 assets and IPv6 assets are supported.

    Number of IP addresses that can be protected

    Unlimited.

    Less than 30.

    Unlimited.

    Unlimited.

    Clean bandwidth

    Unlimited.

    Less than or equal to 1,000 Mbit/s.

    Unlimited.

    Unlimited.

    Bandwidth specifications for EIPs with Anti-DDoS (Enhanced) enabled are limited. For more information, see Anti-DDoS Origin 2.0 (Pay-as-you-go).

    Mitigation logs feature

    Supported.

    Not supported.

    Supported.

    Supported.

    Multi-account management feature

    Not supported.

    Not supported.

    Supported.

    Not supported.

    Note

    The clean bandwidth that you specify for an instance is shared by all Alibaba Cloud assets protected by the instance. For example, the total clean bandwidth of the three Alibaba Cloud assets that you want to add to an Anti-DDoS Origin instance is 2,000 Mbit/s. You must specify a clean bandwidth that is greater than 2,000 Mbit/s when you purchase the instance.

    Limits

    You can directly purchase Anti-DDoS Origin instances only in the Chinese mainland. If you want to purchase an Anti-DDoS Origin instance outside the Chinese mainland, contact your account manager. For more information about how to contact the account manager, see Contact us.

    How to use an Anti-DDoS Origin instance

    1. Purchase an Anti-DDoS Origin instance. For more information, see Purchase an Anti-DDoS Origin instance.

    2. Add an asset that is assigned a public IP address to the instance. For more information, see Add an object for protection.

    3. Create custom mitigation policies based on your business requirements. For more information, see Use the mitigation settings feature (previous version).

    4. View monitoring data of service traffic. For more information, see Use the service monitoring feature.

    5. Enable the mitigation logs feature. You can use this feature to query and analyze mitigation logs and view mitigation reports. For more information, see Enable mitigation analysis.

    6. View the attack event details after an attack occurred. For more information, see View information on the Attack Analysis page.

    7. View blackhole filtering events and traffic scrubbing events. For more information, see View the Event Center page.