Anti-DDoS Diversion protects Internet Data Center (IDC) servers outside the Chinese mainland from DDoS attacks by redirecting inbound traffic to the Alibaba Cloud scrubbing center, filtering out malicious traffic, and reinjecting legitimate traffic back into your network — without changing your original IP addresses or network architecture.
How it works
Anti-DDoS Diversion consists of four stages:
Attack detection: Your O&M team monitors traffic patterns (such as sudden spikes in packet volume or unusual source distribution) and confirms a DDoS attack. Detection is manual, so the O&M team initiates diversion through the traffic security console or via API.
Traffic diversion: The scrubbing center advertises Border Gateway Protocol (BGP) updates to global carriers using AS134963, redirecting all inbound traffic destined for the protected Classless Inter-Domain Routing (CIDR) block to the scrubbing center. The routing change typically takes effect within two to three minutes.
Traffic reinjection: After scrubbing, clean traffic is forwarded back to your IDC through Generic Routing Encapsulation (GRE) tunnels or Cross Connects. Reinjection uses Layer 2 or Layer 2.5 forwarding (in OSI model terms), which prevents scrubbed traffic from looping back to the scrubbing center.
Mitigation reports: Comprehensive logs and statistics are generated for all detected and mitigated attack traffic, including pre-attack and post-scrubbing traffic data and attack magnitude.
Diversion modes
Anti-DDoS Diversion supports two modes: On-demand and Always-on.
On-demand mode
Traffic flows normally through your IDC. When your O&M team detects an attack, they manually activate diversion to route traffic through the scrubbing center. Once the attack is resolved, they stop diversion to restore the direct traffic path.
Because activation is manual, there is a short delay between attack detection and protection taking effect. During this window, your service may experience degradation. On-demand mode is best suited for businesses that experience occasional attacks.
On-demand mode includes two instance types based on monthly mitigation session limits:
Insurance: Provides two mitigation sessions per month. After exhausting these sessions, contact Alibaba Cloud technical support to switch to Unlimited mode.
Unlimited: Provides unlimited mitigation sessions per month.
Always-on mode
All traffic is continuously routed through the scrubbing center, providing immediate protection against attacks. This eliminates the detection-to-activation delay, but introduces slight latency due to the additional traffic processing hop. Always-on mode provides unlimited mitigation sessions and is better suited for businesses that frequently experience attacks.
Choose a mode
| | On-demand | Always-on |
|---|---|---|
| Normal traffic path | Direct to IDC | Through scrubbing center |
| Attack response | Manual activation required | Immediate, automatic |
| Latency impact | None during normal operation | Slight, always present |
| Mitigation sessions | Limited (Insurance) or unlimited | Unlimited |
| Best for | Occasional attacks | Frequent attacks |
On-demand diversion walkthrough
The following example shows how On-demand mode works using GRE tunnels for traffic reinjection.
Setup (before an attack)
Set up a GRE tunnel between your IDC's virtual border router (VBR) and the Alibaba Cloud scrubbing center.
Establish a BGP peering relationship between the VBR and the scrubbing center.
Activating diversion (during an attack)
When your O&M team detects a DDoS attack, activate diversion from the traffic security console or via API.
The scrubbing center advertises the protected CIDR block globally using AS134963. Inbound traffic is redirected from your IDC to the scrubbing center. Outbound traffic remains unaffected and continues to flow directly from your IDC to the internet service provider (ISP).
If inbound traffic continues reaching your IDC after diversion is active, investigate the following:
Verify that Routing Assets Database (RADB) and Resource Public Key Infrastructure (RPKI) are functioning correctly.
Confirm that both your IDC server and the scrubbing center are advertising the same subnet CIDR block in the same format (for example, 1.1.XX.XX/24). If they are, stop your VBR from advertising the same BGP updates to the ISP as the scrubbing center.
Scrubbed traffic is forwarded back to your IDC through the established GRE tunnel.
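The checks listed above for traffic that still reaches the IDC can be run as a pre-flight before an attack. The following is an added example, not Alibaba Cloud code: it applies RFC 6811 route origin validation to the scrubbing center's announcement and compares it with what the IDC announces, going slightly beyond the page by also flagging more-specific IDC prefixes, which win longest-prefix matching. The prefix, AS64500, the ROA lists and the function names are constructed assumptions; RADB route objects are not modelled.

```python
import ipaddress

SCRUBBING_ASN = 134963  # origin AS the page says the scrubbing center announces from

# Constructed sample data. 203.0.113.0/24 is a documentation prefix and AS64500 a
# documentation ASN, standing in for the protected CIDR block and the IDC's own AS.
ROAS_IDC_ONLY = [("203.0.113.0/24", 24, 64500)]
ROAS_WITH_SCRUBBING = ROAS_IDC_ONLY + [("203.0.113.0/24", 24, SCRUBBING_ASN)]


def rov_state(prefix, origin_asn, roas):
    """RFC 6811 origin validation of one route against (prefix, max_len, asn) ROAs."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the route
        covered = True
        if roa_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by some ROA but matched by none: ROV-enforcing networks drop the route.
    return "invalid" if covered else "not-found"


def diversion_preflight(protected, idc_announced, roas):
    """List reasons inbound traffic could keep reaching the IDC during diversion."""
    problems = []
    if rov_state(protected, SCRUBBING_ASN, roas) == "invalid":
        problems.append(f"RPKI invalid: no ROA authorises AS{SCRUBBING_ASN} for {protected}")
    target = ipaddress.ip_network(protected)
    for announced in idc_announced:
        net = ipaddress.ip_network(announced)
        if net.version != target.version or not net.overlaps(target):
            continue
        if net == target:
            problems.append(f"same prefix: IDC still announces {net}, competing with diversion")
        elif net.prefixlen > target.prefixlen:
            problems.append(f"more specific: IDC announces {net}, which beats {target}")
    return problems


if __name__ == "__main__":
    for line in diversion_preflight("203.0.113.0/24", ["203.0.113.0/24"], ROAS_IDC_ONLY):
        print(line)
```

An empty list means neither check found a reason for carriers to prefer the IDC path; a covering less-specific announcement from the IDC is not flagged because the scrubbing center's longer prefix wins.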
Stopping diversion (after the attack)
If you previously stopped advertising BGP updates to the ISP, ensure you republish the announcement before stopping diversion.
Stop diversion. The scrubbing center ceases advertising your CIDR block, and traffic returns to its normal direct path.
Anti-DDoS Diversion vs Anti-DDoS Proxy
Both products protect IDC servers deployed on-premises or in the cloud. The key differences are in protection scope and intended use.
| | Anti-DDoS Diversion | Anti-DDoS Proxy |
|---|---|---|
| Protection layers | Network layer (ICMP flood, UDP flood) and transport layer (TCP SYN flood) | Network layer, transport layer, and application layer (HTTP/HTTPS flood) |
| Primary focus | Underlying network infrastructure | Specific applications and business systems |
| Ideal for | Protecting public CIDR blocks and ISP-grade infrastructure | Protecting web applications and services |
Anti-DDoS Diversion operates at Tbit/s mitigation capacity and is suited for protecting on-premises servers and small internet service providers (ISPs) outside the Chinese mainland.