This topic answers frequently asked questions about Anti-DDoS Origin.
What is the difference between the billing method for unlimited protection of Anti-DDoS Origin and the billing method for burstable protection of Anti-DDoS Pro and Anti-DDoS Premium?
Anti-DDoS Origin provides the capabilities described in Terms. When an attack occurs, Anti-DDoS Origin automatically schedules the maximum DDoS mitigation capability of Alibaba Cloud in the instance's region to provide unlimited protection. The unlimited protection service is included in the Anti-DDoS Origin instance package and does not incur additional burstable protection fees.
The burstable protection fees for Anti-DDoS Pro and Anti-DDoS Premium (Chinese mainland) are based on the daily peak of burstable protection bandwidth. For more information, see Billing of burstable protection bandwidth.
What do I do if an IP address protected by Anti-DDoS Origin is blackholed?
You can deactivate blackhole filtering in Anti-DDoS Origin.
If a protected object is in the Black Hole Activated state, you can manually deactivate blackhole filtering. For more information, see Deactivate blackhole filtering.
To automate the response and quickly deactivate blackhole filtering for your protected IP addresses, see Best practices for automatic deactivation of blackhole filtering.
What do I do if I select an incorrect region when I purchase an Anti-DDoS Origin instance?
If the IP address that you want to protect is not in the same region as your Anti-DDoS Origin instance, contact technical support to request a refund. Then, purchase a new Anti-DDoS Origin instance in the correct region.
What do I do if the IP address capacity of my Anti-DDoS Origin instance is full when I try to add a protected IP address?
If the number of IP addresses that you want to protect exceeds the Number Of IP Addresses That You Want To Protect quota of your Anti-DDoS Origin instance, you can either increase the Number Of IP Addresses That You Want To Protect for your current instance or purchase a new Anti-DDoS Origin instance. For more information, see Upgrade instance specifications and Purchase an Anti-DDoS Origin instance.
What do I do if I receive an "IP does not belong to you" error when adding a protected IP address?
You can troubleshoot the issue as follows:
Check the IP address that you entered and make sure it is correct.
Check the region of the cloud product that corresponds to the IP address that you want to protect. Make sure the region is the same as the region of your Anti-DDoS Origin instance.
If the IP address that you want to add is a WAF IP address, check the region of the WAF instance. Make sure Anti-DDoS Origin supports that region. For more information about the supported regions, see What is Anti-DDoS Origin?.
If the IP address that you want to add is an IPv6 address, check whether IPv6 Internet bandwidth is enabled. For information about how to enable IPv6 Internet bandwidth for an ECS instance, see IPv6 communication.
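The four checks above can be run as a pre-flight test before you add the address. The following is an added example, not Alibaba Cloud code: the inventory records, their field names, the region labels, and the supported-region set are all constructed placeholders, to be replaced with an export of your own assets.

```python
import ipaddress

# Constructed inventory export. Field names and region labels are assumptions
# for this example, not an Alibaba Cloud schema or real region IDs.
INVENTORY = [
    {"ip": "203.0.113.10", "product": "ecs", "region": "region-a"},
    {"ip": "203.0.113.20", "product": "waf", "region": "region-a"},
    {"ip": "198.51.100.7", "product": "slb", "region": "region-b"},
    {"ip": "198.51.100.20", "product": "waf", "region": "region-b"},
    {"ip": "2001:db8::10", "product": "ecs", "region": "region-a",
     "ipv6_internet_bandwidth": False},
]
# Placeholder set: take the real list from "What is Anti-DDoS Origin?".
WAF_REGIONS_SUPPORTED = {"region-a"}


def preflight(ip_text, instance_region, inventory=INVENTORY,
              waf_regions=WAF_REGIONS_SUPPORTED):
    """Run the four checks in order; an empty list means none of them failed."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return ["check 1: not a valid IPv4 or IPv6 address"]
    # Compare parsed addresses so different spellings of one IPv6 address match.
    asset = next((a for a in inventory
                  if ipaddress.ip_address(a["ip"]) == ip), None)
    if asset is None:
        return ["check 1: address is not on any asset in the inventory"]
    findings = []
    if asset["region"] != instance_region:
        findings.append(f"check 2: asset region {asset['region']} "
                        f"differs from instance region {instance_region}")
    if asset["product"] == "waf" and asset["region"] not in waf_regions:
        findings.append("check 3: WAF region is not supported")
    if ip.version == 6 and not asset.get("ipv6_internet_bandwidth", False):
        findings.append("check 4: IPv6 Internet bandwidth is not enabled")
    return findings


if __name__ == "__main__":
    for candidate in ("203.0.113.10", "203.0.113.300", "2001:DB8:0:0:0:0:0:10"):
        print(candidate, preflight(candidate, "region-a"))
```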
After I enable the multi-account management feature, how do I switch protection for a public IP asset from a member account to the management account?
An asset that is assigned a public IP address can be protected by only one instance. To switch protection from an instance in a member account to an instance in the management account, you must first delete the protected object from the member account. Then, you can add the protected object to the management account. For information about how to delete and add protected objects, see Protected objects.
My service requires web application protection and DDoS protection, and must also support IPv6. How can I achieve this?
You can use the following solution:
Add your website to WAF and enable the IPv6 protection feature with one click. For more information, see Onboarding overview.
This protects your website from attacks initiated in an IPv6 environment and helps secure your origin server against IPv6 protocol requests. After you enable the IPv6 security protection feature, WAF automatically implements dual-stack resolution.
Purchase an Anti-DDoS Origin instance and add the IP address of the WAF instance to the Anti-DDoS Origin instance. For more information, see Protected objects.
When your service is under a DDoS attack, traffic scrubbing is automatically triggered. Attack traffic is discarded, and only legitimate service traffic is forwarded to the origin server.
For services protected by Anti-DDoS Origin, when should I also use Anti-DDoS Pro and Anti-DDoS Premium?
Anti-DDoS Origin directly enhances the mitigation against DDoS attacks for assets that are assigned public IP addresses, such as Alibaba Cloud ECS, SLB, WAF, and EIPs. Compared with Anti-DDoS Pro and Anti-DDoS Premium, Anti-DDoS Origin has several advantages. You do not need to change IP addresses. There are no limits on the number of Layer 4 ports or Layer 7 domain names. Deployment is simple because you only need to add the protected IP address. IPv6 is also supported.
However, Anti-DDoS Origin has limitations. It mainly provides protection against Layer 3 and Layer 4 distributed denial-of-service (DDoS) attacks. The unlimited protection capability is limited by the overall capacity of the data center network. If the attack traffic exceeds the overall protection level of the data center network or if you are experiencing a CC attack, Anti-DDoS Origin may not provide sufficient security protection. In this case, you need to upgrade to Anti-DDoS Pro and Anti-DDoS Premium to enhance your mitigation capabilities.
You can also use Anti-DDoS Origin with Anti-DDoS Pro and Anti-DDoS Premium. Using the interaction rules of Sec-Traffic Manager, you can implement tiered protection. This approach enhances your DDoS mitigation capability while ensuring a smooth experience for legitimate users. If a DDoS attack does not exceed the mitigation capability of Anti-DDoS Origin, service traffic is forwarded to the cloud product by default without adding latency. If a large attack triggers blackhole routing, Sec-Traffic Manager switches the traffic to Anti-DDoS Pro or Anti-DDoS Premium to defend against the volumetric attack. This switch adds a latency of about 20 ms. After the attack stops, the service traffic fails back to the cloud product after a delay that you can configure in Sec-Traffic Manager.
What are the core technical advantages of EIPs integrated with Anti-DDoS Proxy? What are the suitable business scenarios?
Alibaba Cloud provides solutions such as Anti-DDoS Origin, Anti-DDoS Pro, and Anti-DDoS Premium to protect against DDoS attacks. Anti-DDoS Pro and Anti-DDoS Premium can defend against terabit-level DDoS attacks but introduce some service latency. Anti-DDoS Origin is suitable for scenarios that require large clean bandwidth and low latency across multiple IP addresses, domain names, and ports, but its mitigation capability is relatively limited.
EIPs integrated with Anti-DDoS Proxy use a transparent proxy mode. Traffic is scrubbed by the Anti-DDoS Pro or Anti-DDoS Premium data center at the edge of the network and then reaches the server through EIPs and Internet Shared Bandwidth. This solution combines the low latency and all-asset access of Anti-DDoS Origin with the terabit-level DDoS defense of Anti-DDoS Pro and Anti-DDoS Premium.
EIPs integrated with Anti-DDoS Proxy are suitable for customers who require both the volumetric attack defense of Anti-DDoS Pro and Anti-DDoS Premium and the low latency of Anti-DDoS Origin. These scenarios are characterized by all-asset protection, multiple ports, low latency, and volumetric attacks. Examples include the high-quality game and game distribution industries.
What is traffic scrubbing? How does Anti-DDoS Origin perform traffic scrubbing?
Traffic scrubbing is the first line of defense against DDoS attacks. It is designed to accurately detect and filter malicious attack traffic.
How it works: The system provides 24/7 real-time monitoring and intelligent analysis of the Internet traffic that flows to your asset. When the AI-based intelligent analysis detects a DDoS attack and the request traffic reaches the BPS or PPS scrubbing threshold that you set, Anti-DDoS Origin triggers traffic scrubbing.
Mitigation effect: It accurately separates DDoS attack traffic from your legitimate service traffic and discards the attack traffic. This ensures that access requests from legitimate users are not affected and your service remains available during attacks. You can flexibly set or cancel the scrubbing threshold based on your service characteristics to achieve the best balance between protection sensitivity and service stability.
For more information, see Set a scrubbing threshold and Cancel Traffic Scrubbing.
What is a black hole? How does Anti-DDoS Origin handle black holes?
Blackhole routing is an extreme protection measure used during large-scale attacks to protect the stability of the overall Alibaba Cloud network infrastructure.
Triggering conditions: When the peak attack traffic against a single public IP address exceeds the maximum mitigation capability of the cluster where the IP address is located (the blackhole triggering threshold), the system automatically triggers a blackhole filtering policy. This prevents the attack from affecting other users' assets.
How it works: All inbound Internet traffic to the IP address, including legitimate access and attack traffic, is temporarily blocked. It is as if the traffic has fallen into a "black hole", making the IP address inaccessible from the Internet for a period. This is a necessary "circuit-breaking" mechanism. After the attack weakens or stops, you can manually deactivate blackhole filtering in the Anti-DDoS Origin console to quickly restore public network access for the asset.
For more information, see Alibaba Cloud blackhole filtering policy and Deactivate blackhole filtering.
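The scrubbing and blackhole triggers described above, and the tiered protection described in the answer about using Anti-DDoS Origin with Anti-DDoS Pro and Anti-DDoS Premium, can be traced over a traffic timeline. The following is an added model, not Alibaba Cloud code: the threshold values, the sampling interval, the state names, and the sample traffic are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Policy:                     # every value here is constructed
    scrub_bps: float = 300e6      # BPS scrubbing threshold that you set
    scrub_pps: float = 70_000     # PPS scrubbing threshold that you set
    blackhole_bps: float = 5e9    # blackhole triggering threshold of the cluster
    failback_delay: int = 2       # quiet intervals to wait before failing back
    tiered: bool = True           # a Sec-Traffic Manager interaction rule exists


def route(samples, policy):
    """samples: (bps, pps, attack_detected) per interval -> path per interval."""
    paths, state, quiet = [], "origin", 0
    for bps, pps, attack in samples:
        if attack and bps > policy.blackhole_bps:
            # Blackhole triggered: with tiered protection the traffic is
            # switched to Anti-DDoS Pro/Premium; otherwise the IP is unreachable
            # until blackhole filtering is deactivated (not modelled here).
            state, quiet = ("pro-premium" if policy.tiered else "blackholed"), 0
        elif state == "pro-premium":
            # Any renewed attack restarts the failback timer.
            quiet = 0 if attack else quiet + 1
            if quiet > policy.failback_delay:
                state = "origin"
        if state != "origin":
            paths.append(state)
        elif attack and (bps >= policy.scrub_bps or pps >= policy.scrub_pps):
            # Scrubbing needs both a detected attack and a reached threshold.
            paths.append("origin+scrubbing")
        else:
            paths.append("origin")
    return paths


# Constructed timeline: busy period, small attack, volumetric attack, recovery.
TIMELINE = [
    (100e6, 20_000, False), (400e6, 30_000, False), (400e6, 30_000, True),
    (8e9, 900_000, True), (50e6, 10_000, False), (50e6, 10_000, True),
    (50e6, 10_000, False), (50e6, 10_000, False), (50e6, 10_000, False),
]

if __name__ == "__main__":
    print(route(TIMELINE, Policy()))
    print(route(TIMELINE, Policy(tiered=False)))
```

In the model, the second interval exceeds the BPS threshold but is not scrubbed because no attack is detected, and the renewed attack in the sixth interval postpones failback.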