Purchasing an Anti-DDoS Origin instance does not automatically protect your assets. You must add each asset — identified by its public IP address — to the instance before protection takes effect. Once added, Anti-DDoS Origin applies its default mitigation capability to the asset.
This topic describes how to add assets for protection, enable cross-border traffic blocking, and manage protected objects.
Prerequisites
Before you begin, make sure you have:
A purchased Anti-DDoS Origin instance (1.0 or 2.0, Subscription or Pay-as-you-go)
An asset with a public IP address in your Alibaba Cloud account
Authorization granted for Anti-DDoS Origin to access assets in your account (required on first use — follow the on-screen instructions)
Add an object for protection
Anti-DDoS Origin supports two methods for adding assets: automatic and manual.
Method 1: Automatically add assets
Anti-DDoS Origin can automatically add an asset to an instance when the asset comes under attack.
Limits
| Item | Details |
|---|---|
| Supported cloud service types | Regular Alibaba Cloud services only. EIPs with Anti-DDoS (Enhanced) enabled are added automatically to Anti-DDoS Origin 2.0 (Pay-as-you-go) instances after purchase — no manual configuration needed. |
| Supported instances | Anti-DDoS Origin 2.0 (Subscription) and Anti-DDoS Origin 2.0 (Pay-as-you-go) |
| Effective scope | Assets in the current Alibaba Cloud account only. Assets from member accounts are not automatically added, even when multi-account management is enabled. |
Automatic protection rules
| Rule | Details |
|---|---|
| Trigger condition | A cloud service is automatically added for protection when it enters the Scrubbing or Blackhole state. |
| Existing cloud services | After you enable automatic addition, existing cloud services that meet the trigger condition are automatically protected within 5 to 30 minutes. |
| New cloud services | New cloud services are automatically protected when they meet the trigger condition. |
| Multiple instances | If you have multiple Anti-DDoS Origin instances with automatic addition enabled, one instance is selected at random to provide protection. |
| Removal | Anti-DDoS Origin does not automatically remove protected cloud services. To remove a protected asset, do it manually. |
Enable automatic addition
Log on to the Traffic Security console.
In the top navigation bar, select the resource group and All Regions.
In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.
On the Protected Objects page, select the instance, then click Enable under Protection Status by Attack Status and configure when assets are automatically added.
Method 2: Manually add assets
Use this method to add a specific asset to an instance immediately, without waiting for an attack.
Supported asset and instance combinations
| Instance type | Supported asset types |
|---|---|
| Anti-DDoS Origin 1.0 (Subscription) — Enterprise only | Regular Alibaba Cloud services |
| Anti-DDoS Origin 2.0 (Subscription) — Enterprise or Inclusive Edition for Small and Medium Enterprises | Regular Alibaba Cloud services |
| Anti-DDoS Origin 2.0 (Pay-as-you-go) | Regular Alibaba Cloud services; EIPs with Anti-DDoS (Enhanced) enabled |
| Anti-DDoS Origin 2.0 (Subscription) Enterprise or 2.0 (Pay-as-you-go) with multi-account management enabled | Assets of member accounts |
Add an asset
For Anti-DDoS Origin 2.0 (Pay-as-you-go) instances, EIPs with Anti-DDoS (Enhanced) enabled are added automatically after purchase. To manage them, go to the EIP with Anti-DDoS (Enhanced) Enabled tab on the Protected Objects page. When multi-account management is enabled, EIPs with Anti-DDoS (Enhanced) enabled that are purchased by member accounts are also automatically added for protection and can be viewed on the same tab.
Log on to the Traffic Security console.
In the top navigation bar, select the resource group and the region.
Anti-DDoS Origin 1.0 (Subscription): Select the specific region where the instance resides.
Anti-DDoS Origin 2.0 (Subscription) and 2.0 (Pay-as-you-go): Select All Regions.
In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.
On the Protected Objects page, select the instance and click Add Object for Protection.
In the Add Object for Protection dialog box, select the appropriate tab and add the asset.
Add Asset: Select an asset from your Alibaba Cloud account.
Add Manually: Enter the public IP address of the asset.
Add Assets of Members (available when multi-account management is enabled): Select assets from member accounts.
Click Confirm.
Enable cross-border traffic blocking for a protected object
Cross-border traffic blocking can be used up to 10 times per month and applies only to assets in the Chinese mainland. Assets outside the Chinese mainland do not support this feature.
Cross-border traffic blocking discards all cross-border traffic to a protected asset for a specified blocking period. Enable it only when a DDoS attack occurs and your service does not handle cross-border traffic. The policy takes effect through core routers in the Internet service provider (ISP) backbone network, blocking all traffic originating from outside the Chinese mainland.
After the blocking period ends, the policy is automatically disabled. To stop blocking before the period ends, disable it manually.
Before you begin: On the Attack Analysis page, confirm that attack traffic is coming from cross-border IP addresses.
Log on to the Traffic Security console.
In the top navigation bar, select the resource group and the region.
Anti-DDoS Origin 1.0 (Subscription): Select the specific region where the instance resides.
Anti-DDoS Origin 2.0 (Subscription) and 2.0 (Pay-as-you-go): Select All Regions.
In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.
Select the instance, find the IP address of the asset, and turn on the switch in the Cross-Border Traffic Blocking column.
Configure the blocking period (30 minutes to 1 day), then confirm.
To change the blocking period after it is set, disable cross-border traffic blocking and re-enable it with the new period. The Start Time and End Time appear in the asset list.
Manage protected objects
View protected object details
Log on to the Traffic Security console.
In the top navigation bar, select the resource group and the region.
Anti-DDoS Origin 1.0 (Subscription): Select the specific region where the instance resides.
Anti-DDoS Origin 2.0 (Subscription) and 2.0 (Pay-as-you-go): Select All Regions.
In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.
Select the instance to view the mitigation settings for all assets it protects.
The following tables describe the columns in the asset list.
Assets that are assigned public IP addresses and WAF instances
| Column | Description |
|---|---|
| IP | The asset protected by the instance. |
| Owner account of asset | The Alibaba Cloud account to which the asset belongs. Displayed only when multi-account management is enabled, the current account is the management account, and the instance is Anti-DDoS Origin 2.0 Enterprise. |
| Traffic scrubbing threshold | The minimum bandwidth that triggers traffic scrubbing, measured in Mbit/s and PPS. For details, see Configure traffic scrubbing thresholds. |
| Asset region | The region where the asset resides. |
| Asset type | The type of the asset. |
| Status | The security status: Normal or Blackhole Filtering Triggered. To deactivate blackhole filtering manually, click Deactivate Blackhole Filtering in the Actions column and confirm. For more information, see View information about blackhole filtering events. |
| Mitigation policy | The mitigation policy attached to the asset. Default means no custom policy is attached and the instance's default mitigation capability is active. Click the policy name to view details on the Mitigation Settings page. |
| Cross-border traffic blocking | Whether cross-border traffic blocking is enabled. |
| Actions | Delete: Remove the asset. Deactivate Blackhole Filtering: Available only when the status is Blackhole Filtering Triggered. View Applied Policy: View the attached mitigation policy. |
EIPs with Anti-DDoS (Enhanced) enabled
| Column | Description |
|---|---|
| IP | The EIP with Anti-DDoS (Enhanced) enabled. |
| Owner account of asset | The Alibaba Cloud account to which the EIP belongs. Displayed only when multi-account management is enabled and the current account is the management account. |
| Traffic scrubbing threshold | The minimum bandwidth that triggers traffic scrubbing, measured in Mbit/s and PPS. For details, see Configure traffic scrubbing thresholds. |
| Asset region | The region where the EIP resides. |
| Asset type | Fixed value: EIP with Anti-DDoS (Enhanced) Enabled. |
| Ports | The number of ports with port-specific mitigation policies. Click the  icon to expand the EIP and view its configured ports. |
| Status | The security status: Normal or Blackhole Filtering Triggered. To deactivate blackhole filtering manually, click Deactivate Blackhole Filtering in the Actions column and confirm. For more information, see View information about blackhole filtering events. |
| Mitigation policy | The mitigation policy attached to the EIP. Default means no custom policy is attached and the instance's default mitigation capability is active. Click the policy name to view details on the Mitigation Settings page. |
| Cross-border traffic blocking | Whether cross-border traffic blocking is enabled. |
| Actions | Add Port: Add a port. Deactivate Blackhole Filtering: Available only when the status is Blackhole Filtering Triggered. View Applied Policy: View the attached mitigation policy. |
Remove a protected object
On the Protected Objects page, select the instance.
In the asset list, find the asset and click Delete in the Actions column.
In the Delete Protected Object dialog box, review the prompt and click OK.
FAQ
What's next
After adding an asset, the Mitigation policy column shows Default, meaning the instance's default mitigation capability is active. To allow or block traffic with specific characteristics, create a custom mitigation policy and attach it to the asset.
Attaching a port-specific mitigation policy causes a transient connection interruption of a few seconds on TCP-based services. Attach port-specific policies during off-peak hours. Regular Alibaba Cloud service assets support IP-specific mitigation policies only. EIPs with Anti-DDoS (Enhanced) enabled support both IP-specific and port-specific mitigation policies. When both are configured, IP-specific policies take priority.