Anti-DDoS: FAQ

Last Updated: Mar 31, 2026

This page answers common questions about Anti-DDoS Origin.

Billing

What's the difference between Anti-DDoS Origin's unlimited protection and Anti-DDoS Proxy's burstable protection?

Anti-DDoS Origin's unlimited protection is included in the instance package — no additional fees. When an attack occurs, Anti-DDoS Origin automatically mobilizes the maximum distributed denial-of-service (DDoS) mitigation capability available in the instance's region. For details on what unlimited protection covers, see Terms.

Anti-DDoS Proxy (Chinese mainland) charges burstable protection fees daily based on the peak burstable protection bandwidth consumed. For the billing breakdown, see Billing of burstable protection bandwidth.

Troubleshooting

What do I do if an IP address protected by Anti-DDoS Origin is blackholed?

Manually deactivate blackhole filtering from the Anti-DDoS Origin console. If the protected object shows the Black Hole Activated state, follow the steps in Deactivate blackhole filtering.

To avoid manual intervention next time, set up automated deactivation. See Best practices for automatic deactivation of blackhole filtering.

What do I do if I selected the wrong region when purchasing an Anti-DDoS Origin instance?

The instance "region" is a sales region — it is separate from the region where your cloud assets reside. During purchase, you select an asset region: single-region; multi-region in the Chinese mainland; international and China (Hong Kong), Macao (China), and Taiwan (China); or global multi-region.

If the asset region you selected doesn't match the actual region of the IP addresses you want to protect, contact technical support to request a refund and repurchase the correct instance.

What do I do if the IP address capacity of my Anti-DDoS Origin instance is full?

Choose one of the following options:

What do I do if I get an "IP does not belong to you" error when adding a protected IP address?

Work through these checks in order:

  1. Verify the IP address — confirm the address you entered is correct.

  2. Check the region — the region of the cloud product associated with the IP must match the region of your Anti-DDoS Origin instance.

  3. For WAF IP addresses — confirm that Anti-DDoS Origin supports the Web Application Firewall (WAF) instance's region. See the supported regions list in What is Anti-DDoS Origin?.

  4. For IPv6 addresses — confirm that IPv6 Internet bandwidth is enabled on the associated ECS instance. See IPv6 communication.

After enabling multi-account management, how do I move protection for a public IP asset from a member account to the management account?

A public IP asset can be protected by only one instance at a time. To switch accounts:

  1. Delete the protected object from the instance in the member account.

  2. Add the protected object to the instance in the management account.

For the steps, see Protected objects.

Product selection and configuration

My service needs web application protection, DDoS protection, and IPv6 support. What's the recommended setup?

Use WAF and Anti-DDoS Origin together:

  1. Add your website to WAF and enable IPv6 protection. WAF automatically enables dual-stack resolution, protecting against attacks from IPv6 environments and securing your origin server against IPv6 protocol requests. See Onboarding overview.

  2. Purchase an Anti-DDoS Origin instance and add the WAF instance's IP address as a protected object. When your service is under a DDoS attack, traffic scrubbing is automatically triggered — attack traffic is discarded and legitimate traffic is forwarded to the origin server. See Protected objects.

When should I upgrade from Anti-DDoS Origin to Anti-DDoS Proxy?

Anti-DDoS Origin directly enhances DDoS mitigation for assets with public IP addresses — including Elastic Compute Service (ECS), Server Load Balancer (SLB), WAF, and elastic IP addresses (EIPs). Its key advantages: no IP changes required, no limits on Layer 4 ports or Layer 7 domain names, simple onboarding (just add the IP), and full IPv6 support.

Anti-DDoS Origin has two limitations:

  • It primarily protects against Layer 3 and Layer 4 DDoS attacks.

  • Its mitigation capacity is bounded by the overall capacity of the data center network. If attack traffic exceeds that threshold, or if you're experiencing a CC attack, Anti-DDoS Origin may not provide sufficient protection.

In either case, upgrade to Anti-DDoS Proxy to increase mitigation capacity.

You can also run both products together using Sec-Traffic Manager's interaction rules for tiered protection. Under normal conditions, traffic is forwarded to your cloud product with no added latency. If a large attack triggers blackhole routing, Sec-Traffic Manager automatically switches traffic to Anti-DDoS Proxy — adding approximately 20 ms of latency. After the attack stops, traffic fails back to your cloud product after a configurable delay.

What are EIPs integrated with Anti-DDoS Proxy, and what are they used for?

Anti-DDoS Proxy defends against terabit-level DDoS attacks but adds service latency. Anti-DDoS Origin handles scenarios that require large clean bandwidth and low latency across many IP addresses, ports, and domain names — but its mitigation capacity is comparatively limited.

EIPs integrated with Anti-DDoS Proxy combine both through transparent proxy mode: traffic is scrubbed at the Anti-DDoS Proxy data center at the network edge, then delivered to the server via EIPs and Internet Shared Bandwidth. The result is low latency with terabit-level DDoS defense.

This solution suits scenarios that require all-asset protection, multiple ports, low latency, and defense against volumetric attacks — such as high-quality games and game distribution platforms.

Concepts

What is traffic scrubbing and how does Anti-DDoS Origin handle it?

Traffic scrubbing is the first line of defense against DDoS attacks. It detects and filters malicious traffic while allowing legitimate traffic through.

Anti-DDoS Origin provides 24/7 real-time monitoring using AI-based analysis. When an attack is detected and inbound traffic reaches the bytes-per-second (BPS) or packets-per-second (PPS) traffic scrubbing threshold you've set, scrubbing is automatically triggered. Attack traffic is discarded; legitimate service traffic passes through unaffected.

Set or cancel the scrubbing threshold based on your service characteristics to balance protection sensitivity and service stability. See Set a scrubbing threshold and Cancel traffic scrubbing.

What is a blackhole and how does Anti-DDoS Origin handle it?

Blackhole routing is an extreme protection measure that safeguards the overall Alibaba Cloud network infrastructure during large-scale attacks.

When peak attack traffic against a single public IP address exceeds the maximum mitigation capability of the cluster hosting that IP (the blackhole triggering threshold), the system automatically applies a blackhole filtering policy. All inbound Internet traffic to that IP — both legitimate and attack traffic — is temporarily blocked until the attack weakens or stops.

After the attack subsides, manually deactivate blackhole filtering in the Anti-DDoS Origin console to restore public network access. See Alibaba Cloud blackhole filtering policy and Deactivate blackhole filtering.