Anti-DDoS: Protected objects

Last Updated: Apr 19, 2025

After you purchase an Anti-DDoS Origin instance, you must add your asset with a public IP address to the instance for protection. This allows Anti-DDoS Origin to provide default mitigation capability for the asset. If your protected asset experiences cross-border DDoS attacks and your service does not involve cross-border traffic, you can enable cross-border traffic blocking to quickly block cross-border traffic. This topic describes how to add an object for protection and enable cross-border traffic blocking for the protected object.

Add an object for protection

If you are using an Anti-DDoS Origin instance for the first time, you must follow the instructions on the page to complete authorization for the assets within your Alibaba Cloud account.

Method 1: Automatically add assets for protection

Rule

Description

Limits

  • Supported cloud service types: This method applies only to assets of regular Alibaba Cloud services. Assets of enhanced Alibaba Cloud services are automatically added to an Anti-DDoS Origin 2.0 (Pay-as-you-go) instance for protection. You do not need to manually or automatically add these assets.

  • Supported Anti-DDoS Origin instance types: This method applies only to Anti-DDoS Origin 2.0 (Subscription) instances and Anti-DDoS Origin 2.0 (Pay-as-you-go) instances.

  • Supported cloud service scope: This method automatically adds only the assets within the current Alibaba Cloud account. If the multi-account management feature is enabled, assets of members are not automatically added for protection.

Automatic protection rules

  • Trigger condition for automatic addition: A cloud service is automatically added for protection only when the cloud service is in the Scrubbing or Blackhole state.

  • Existing cloud services: After you configure automatic addition, cloud services that meet the state condition are automatically added for protection within 5 to 30 minutes.

  • New cloud services: Cloud services that are created later and meet the state condition are also automatically added for protection.

  • Multiple Anti-DDoS Origin instances: If you purchase multiple Anti-DDoS Origin instances and enable automatic addition for all the instances, the instance that provides protection is randomly selected.

Note

Anti-DDoS Origin automatically adds cloud services for protection but does not automatically remove protected cloud services. If you want to remove a protected cloud service, you must manually remove it.

Procedure

  1. Log on to the Traffic Security console.

  2. In the top navigation bar, select the resource group to which the instance belongs and select All Regions for the region.

  3. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.

  4. On the Protected Objects page, select the instance and click Protection Status by Attack Status under Enable. Set the state in which an asset is automatically added for protection.
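The automatic-addition rules above leave gaps that are worth auditing: assets in the Normal state are not added until an attack triggers the rule, member assets are never auto-added, and protected objects are never auto-removed. The following Python sketch is an added example, not Alibaba Cloud code. The inventory, account names and IP addresses are constructed, and treating a protected IP that is missing from the inventory as stale is an assumption.

```python
from dataclasses import dataclass

AUTO_ADD_STATES = {"Scrubbing", "Blackhole"}  # trigger states named on this page

@dataclass(frozen=True)
class Asset:
    ip: str
    owner: str   # account that owns the public IP
    state: str   # "Normal", "Scrubbing" or "Blackhole"

def audit(assets, protected_ips, current_account, auto_add_enabled=True):
    """Classify each public IP by how the automatic-addition rules treat it."""
    live = {a.ip: a for a in assets}
    report = {"protected": [], "pending_auto_add": [], "unprotected": {}, "stale": []}
    for ip in sorted(live):
        asset = live[ip]
        if ip in protected_ips:
            report["protected"].append(ip)
        elif not auto_add_enabled:
            report["unprotected"][ip] = "automatic addition is off; add manually"
        elif asset.owner != current_account:
            report["unprotected"][ip] = "member asset; never auto-added"
        elif asset.state not in AUTO_ADD_STATES:
            report["unprotected"][ip] = f"state is {asset.state}; auto-add not triggered"
        else:
            report["pending_auto_add"].append(ip)  # expected within 5 to 30 minutes
    # Protected objects are never removed automatically, so entries whose asset
    # is gone from the inventory (assumed meaning of "stale") need manual deletion.
    report["stale"] = sorted(set(protected_ips) - set(live))
    return report

# Constructed sample data: documentation IP ranges and made-up account names.
SAMPLE_ASSETS = [
    Asset("203.0.113.10", "acct-main", "Normal"),
    Asset("203.0.113.11", "acct-main", "Scrubbing"),
    Asset("203.0.113.12", "acct-main", "Blackhole"),
    Asset("198.51.100.7", "acct-member", "Blackhole"),
]
SAMPLE_PROTECTED = {"203.0.113.12", "192.0.2.99"}

if __name__ == "__main__":
    for bucket, value in audit(SAMPLE_ASSETS, SAMPLE_PROTECTED, "acct-main").items():
        print(bucket, value)
```

Every entry under unprotected is a candidate for Method 2, and every entry under stale is a candidate for manual deletion.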

Method 2: Manually add assets for protection

Scenario 1: You purchase an Anti-DDoS Origin 1.0 (Subscription) instance

The instance can only be an Anti-DDoS Origin Enterprise instance, and it protects assets of regular Alibaba Cloud services.

  1. Log on to the Traffic Security console.

  2. In the top navigation bar, select the resource group and region of your instance.

  3. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.

  4. On the Protected Objects page, select the instance and click Add Object for Protection.

  5. In the Add Object for Protection dialog box, select Add Asset or Add Manually, and then click Confirm.

    • Add Asset: Select a public IP address within the current Alibaba Cloud account.

    • Add Manually: Manually enter a public IP address within the current Alibaba Cloud account.

Scenario 2: You purchase an Anti-DDoS Origin 2.0 (Subscription) instance

The instance can be an Anti-DDoS Origin Enterprise instance or an Anti-DDoS Origin instance of Inclusive Edition for Small and Medium Enterprises, and it protects assets of regular Alibaba Cloud services.

  1. Log on to the Traffic Security console.

  2. In the top navigation bar, select the resource group to which the instance belongs and select All Regions for the region.

  3. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.

  4. On the Protected Objects page, select the instance and click Add Object for Protection.

  5. In the Add Object for Protection dialog box, select Add Asset or Add Manually, and then click Confirm.

    • Add Asset: Select a public IP address within the current Alibaba Cloud account.

    • Add Manually: Manually enter a public IP address within the current Alibaba Cloud account.

Scenario 3: You purchase an Anti-DDoS Origin 2.0 (Pay-as-you-go) instance

The instance can protect an asset of a regular Alibaba Cloud service or an elastic IP address (EIP) with Anti-DDoS (Enhanced) enabled.

  • Asset of a regular Alibaba Cloud service: You can perform the following operations to add the asset to the instance.

  • EIP with Anti-DDoS (Enhanced) enabled: After you purchase an EIP with Anti-DDoS (Enhanced) enabled, the EIP is automatically added for protection. You do not need to manually add it. You can view the purchased EIP with Anti-DDoS (Enhanced) enabled on the Protected Objects page. Click the EIPs With Anti-DDoS (Enhanced) Enabled tab.

  1. Log on to the Traffic Security console.

  2. In the top navigation bar, select the resource group to which the instance belongs and select All Regions for the region.

  3. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.

  4. On the Protected Objects page, select the instance and click Add Object for Protection.

  5. In the Add Object for Protection dialog box, select Add Asset or Add Manually, and then click Confirm.

    • Add Asset: Select a public IP address within the current Alibaba Cloud account.

    • Add Manually: Manually enter a public IP address within the current Alibaba Cloud account.

Scenario 4: You enable the multi-account management feature and add assets of members

If your Alibaba Cloud account has the multi-account management feature enabled and is the management account, you can add assets of members for protection. For more information, see Multi-account management.

Note

You can enable the multi-account management feature only for Anti-DDoS Origin 2.0 (Subscription) Enterprise instances and Anti-DDoS Origin 2.0 (Pay-as-you-go) instances.

  • Asset of a regular Alibaba Cloud service: You can perform the following operations to add the asset to the instance.

  • EIP with Anti-DDoS (Enhanced) enabled: After the multi-account management feature is enabled, an EIP with Anti-DDoS (Enhanced) enabled that is purchased by a member is automatically added for protection. You do not need to manually add it. You can view the purchased EIP with Anti-DDoS (Enhanced) enabled on the Protected Objects page. Click the EIPs With Anti-DDoS (Enhanced) Enabled tab.

  1. Log on to the Traffic Security console.

  2. In the top navigation bar, select the resource group to which the instance belongs and select All Regions for the region.

  3. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.

  4. On the Protected Objects page, select the instance and click Add Object for Protection.

  5. In the Add Object for Protection dialog box, select Add Assets of Members, and then click Confirm.

Enable cross-border traffic blocking for a protected object

Important

The cross-border traffic blocking mitigation policy has a validity period and can be used only 10 times per month. We recommend that you enable this policy only when a DDoS attack occurs.

The cross-border traffic blocking mitigation policy discards all cross-border service traffic within a specified blocking period. This policy is suitable for scenarios in which your service does not involve cross-border traffic. The policy typically discards traffic from specific regions based on the location of the attack source by using core routers in the backbone network of an Internet service provider (ISP).

  • If the protected asset resides in the Chinese mainland, the cross-border traffic blocking mitigation policy blocks all traffic from outside the Chinese mainland.

  • If the protected asset resides outside the Chinese mainland, the cross-border traffic blocking mitigation policy is not supported.

When an attack occurs, you can log on to the Traffic Security console and view the details of the attack event on the Attack Analysis page. If you find that the attack traffic comes from cross-border IP addresses, you can enable cross-border traffic blocking for the public IP address. After the blocking period ends, the traffic blocking is automatically deactivated. If you no longer want to block cross-border traffic, you can manually disable it before the blocking period ends.

  1. Log on to the Traffic Security console.

  2. In the top navigation bar, select the resource group to which the instances belong and the region in which the instances reside.

    • Anti-DDoS Origin 1.0 (Subscription) instances: Select the region in which the instance resides.

    • Anti-DDoS Origin 2.0 (Subscription) and Anti-DDoS Origin 2.0 (Pay-as-you-go) instances: Select All Regions.

  3. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.

  4. Select the instance, find the IP address, and turn on the switch in the Cross-border Traffic Blocking column. Then, set the blocking period.

    Note

    The blocking period can be 30 minutes to 1 day. You cannot directly change the blocking period after you configure it. If you want to change the blocking period, you must disable cross-border traffic blocking and enable it again.

    You can view the Blocking Start Time and Blocking End Time in the asset list. After the blocking period ends, the traffic blocking is automatically deactivated, and the Cross-border Traffic Blocking status of the public IP address changes to Disabled.

Manage protected objects

View the details of protected objects

  1. Log on to the Traffic Security console.

  2. In the top navigation bar, select the resource group to which the instances belong and the region in which the instances reside.

    • Anti-DDoS Origin 1.0 (Subscription) instances: Select the region in which the instance resides.

    • Anti-DDoS Origin 2.0 (Subscription) and Anti-DDoS Origin 2.0 (Pay-as-you-go) instances: Select All Regions.

  3. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.

  4. On the Protected Objects page, select the instance that you want to view. You can view the protection configuration details of the public IP addresses that are protected by the instance.

    Assets that are assigned public IP addresses and WAF instances

    Item

    Description

    IP

    The public IP address that is protected by the instance.

    Asset Owner

    The Alibaba Cloud account to which the asset belongs. This column is displayed only when the current Alibaba Cloud account has the multi-account management feature enabled and is the management account, and you purchase an Anti-DDoS Origin 2.0 Enterprise instance.

    Traffic Scrubbing Threshold

    The minimum bandwidth that must be reached before traffic scrubbing is triggered. The bandwidth is measured in Mbit/s and packets per second (PPS). For more information, see Set a traffic scrubbing threshold.

    Region

    The region in which the asset resides.

    Asset Type

    The type of the asset.

    Status

    The security status of an asset.

    • Normal

    • Blackholed: Click Deactivate Blackhole in the Actions column. In the Deactivate Blackhole dialog box, view the remaining quota for deactivating blackhole filtering, confirm the deactivation, and then click OK. You can view the records of blackhole events. For more information, see View the details of a blackhole event.

    Mitigation Policy

    The mitigation policy that is attached to the public IP address.

    If the value is Default, the default mitigation capability of Anti-DDoS Origin is used for the public IP address. If a custom mitigation policy is used, you can click the policy to go to the Mitigation Settings page and view the details of the policy.

    Cross-border Traffic Blocking

    Indicates whether cross-border traffic blocking is enabled.

    Actions

    • Delete: Delete the protected object.

    • Deactivate Blackhole: This operation is available only when the status of the asset is Blackholed.

    • View Applied Policy: View the details of the mitigation policy that is attached to the public IP address.

    EIPs with Anti-DDoS (Enhanced) enabled

    Item

    Description

    IP

    The EIP with Anti-DDoS (Enhanced Edition) enabled.

    Asset Owner

    The Alibaba Cloud account to which the asset belongs. This column is displayed only when the current Alibaba Cloud account has the multi-account management feature enabled and is the management account.

    Traffic Scrubbing Threshold

    The minimum bandwidth that must be reached before traffic scrubbing is triggered. The bandwidth is measured in Mbit/s and pps. For more information, see Set a traffic scrubbing threshold.

    Region

    The region in which the EIP with Anti-DDoS (Enhanced) enabled resides.

    Asset Type

    The value is fixed as EIP with Anti-DDoS (Enhanced Edition) Enabled.

    Ports

    The number of ports for which port-specific mitigation policies are configured under Anti-DDoS Pro/Premium EIP. You can click the expand arrow icon on the left of the target IP to view which ports have mitigation policies configured.

    Status

    The security status of the EIP with Anti-DDoS (Enhanced) enabled.

    • Normal

    • Blackholed: Click Deactivate Blackhole in the Actions column. In the Deactivate Blackhole dialog box, view the remaining quota for deactivating blackhole filtering, confirm the deactivation, and then click OK. You can view the records of blackhole events. For more information, see View the details of a blackhole event.

    Mitigation Policy

    The mitigation policy that is attached to the EIP with Anti-DDoS (Enhanced) enabled.

    If the value is Default, the default mitigation capability of Anti-DDoS Origin is used for the EIP with Anti-DDoS (Enhanced) enabled. If a custom mitigation policy is used, you can click the policy to go to the Mitigation Settings page and view the details of the policy.

    Cross-border Traffic Blocking

    Indicates whether cross-border traffic blocking is enabled.

    Actions

    • Add Port: Add a port.

    • Deactivate Blackhole: This operation is available only when the status of the EIP with Anti-DDoS (Enhanced) enabled is Blackholed.

    • View Applied Policy: View the details of the mitigation policy that is attached to the EIP with Anti-DDoS (Enhanced) enabled.

Delete a protected object

  1. On the Protected Objects page, select the instance.

  2. In the asset list, find the public IP address and click Delete in the Actions column.

  3. In the Delete Protected Object dialog box, read the prompt information and click OK.

References

  • After you add an object for protection, if the Mitigation Policy is Default, the default mitigation capability of Anti-DDoS Origin is used for the public IP address. If your service requires that traffic with specific characteristics be allowed or blocked, you can customize a mitigation policy and attach the policy to the protected object. For more information, see IP-specific mitigation policies and Port-specific mitigation policies.

    Warning
    • When you attach a port-specific mitigation policy to a port, a transient connection interruption that lasts a few seconds occurs on your TCP-based services. We recommend that you attach a port-specific mitigation policy to a port during off-peak hours.

    • Assets of regular Alibaba Cloud services support only IP-specific mitigation policies. EIPs with Anti-DDoS (Enhanced) enabled support both IP-specific and port-specific mitigation policies. If you configure both IP-specific and port-specific mitigation policies, IP-specific mitigation policies have a higher priority.

  • For information about how to set a traffic scrubbing threshold for an asset, see Set a traffic scrubbing threshold.