
Anti-DDoS: Protect non-website services

Last Updated: Apr 03, 2026

Anti-DDoS Proxy supports the configuration of port forwarding rules, which enables the use of the exclusive IP address of your Anti-DDoS Proxy instance as the service IP address. After the configuration, your Anti-DDoS Proxy instance can defend against transport-layer attacks such as SYN Flood and UDP Flood attacks, and application-layer attacks that do not use HTTP or HTTPS protocols. This topic outlines the steps to configure Anti-DDoS Proxy for non-website services.

Prerequisites

An Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance is purchased. For more information, see Purchase an Anti-DDoS Proxy instance.

Step 1: Create one or more port forwarding rules

Before adding your services to the Anti-DDoS Proxy instance, create port forwarding rules to direct service traffic accordingly.

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.

    • Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.

  3. In the left-side navigation pane, choose Provisioning > Port Config.

  4. On the Port Config page, select your instance and create a port forwarding rule.

    Note

    Rules marked with an exclamation mark icon are automatically generated for website services and cannot be manually modified or deleted. These rules are removed automatically when the associated website configurations are no longer linked to the instance. For information about how to configure website services, see Add a website.

    • If the server port in the website information is 80, a rule with Forwarding Protocol set to TCP and Forwarding Port set to 80 is automatically generated.

    • If the server port in the website information is 443, a rule with Forwarding Protocol set to TCP and Forwarding Port set to 443 is automatically generated.

    Parameter

    Description

    Forwarding Protocol

    Select the protocol for traffic forwarding. Valid values are TCP and UDP.

    Important

    Secure Acceleration lines do not support UDP Port Config.

    Forwarding Port

    The port that is used by the Anti-DDoS Pro or Anti-DDoS Premium instance for forwarding.

    Note
    • Set the Forwarding Port to be the same as the Origin Server Port for easier management.

    • To prevent the unauthorized setup of DNS protection servers, Anti-DDoS Pro and Anti-DDoS Premium do not support Port Config for port 53.

    • For the same Anti-DDoS Pro or Anti-DDoS Premium instance and forwarding protocol, the forwarding port of each rule must be unique. If you try to add a rule with the same protocol and forwarding port as an existing rule, the system reports a rule conflict.

    • Avoid conflicts with rules that are automatically generated by Website Config.

    Origin Server Port

    The port used by your Origin for services.

    Back-to-origin Scheduling Algorithm

    The default mode is Round-robin, which cannot be modified.

    Application-layer Protection

    This feature is available only for services that use the TCP protocol and are protected by an Anti-DDoS Pro or Anti-DDoS Premium instance of the Enhanced Edition. It protects against application-layer attacks that use protocols other than HTTP or HTTPS.

    For a description of attack types, see Types of DDoS attacks that can be mitigated.

    • Set the back-to-origin new connection timeout period: 1 to 3 seconds.

      When Anti-DDoS Pro or Anti-DDoS Premium attempts to establish a new connection with a back-end Origin Server, the connection times out if it is not successfully established within the specified period. This prevents an attacker from using a large number of fake HTTP requests (as in a CC attack) to open TCP connections to the back-end Origin Server and then holding them open without sending valid data for an extended period.

    • Set the back-to-origin read/write connection timeout period: 60 to 600 seconds.

      • Read timeout: The period that Anti-DDoS Pro or Anti-DDoS Premium waits for a response from the back-end Origin Server after sending a request. If no data response is received from the Origin Server within this period, the connection is considered to have timed out.

      • Write timeout: During an operation where Anti-DDoS Pro or Anti-DDoS Premium sends data to the back-end Origin Server, if the data is not successfully sent within the specified period, the connection times out.

      This setting can prevent attackers from establishing legitimate connections and then sending or receiving data at an extremely low rate, which would occupy back-end Origin Server resources for a long time.

    Origin IP Address

    The IP address of the Origin.

    Note
    • The Origin can be an Alibaba Cloud service or a service not hosted on Alibaba Cloud. If the Origin is an Alibaba Cloud service, make sure it belongs to the current Alibaba Cloud account. If the Origin belongs to another Alibaba Cloud account, contact your business manager before adding it.

    • You can add multiple Origin IP addresses to implement automatic load balancing across them. Separate the IP addresses with commas (,). You can configure a maximum of 20 Origin IP addresses.
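
The parameter table above lists several constraints that the console only reports one at a time (rule conflicts, port 53, the automatic TCP 80/443 website rules, the 20-origin limit, the timeout ranges). The following validator is an added example, not Alibaba Cloud code, that checks a planned rule set against all of them offline before anything is entered in the console. The PortRule class, the function names and the sample rules are constructed for this example; the constraint values come from the table.

```python
"""Offline validator for a planned set of Anti-DDoS Proxy port forwarding rules.

Added example; not Alibaba Cloud code. It encodes the constraints listed in
the parameter table: TCP or UDP only, no rule on port 53, a unique
(protocol, forwarding port) pair per instance, no collision with the TCP 80
and TCP 443 rules that Website Config generates automatically, at most 20
comma-separated origin IPs, and the application-layer protection timeouts
(1-3 s for new connections, 60-600 s for read/write, TCP only).
The rule set at the bottom is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_ORIGIN_IPS = 20
# Rules that Website Config adds automatically; manual rules must not clash with them.
AUTO_WEBSITE_RULES = {("TCP", 80), ("TCP", 443)}


@dataclass
class PortRule:
    protocol: str            # "TCP" or "UDP"
    forwarding_port: int     # port on the Anti-DDoS Proxy instance
    origin_port: int         # port on the origin server
    origin_ips: str          # comma-separated, as entered in the console
    new_conn_timeout: Optional[int] = None  # seconds; application-layer protection
    rw_timeout: Optional[int] = None        # seconds; application-layer protection


def validate_rule(rule: PortRule, has_website_config: bool = False) -> List[str]:
    """Return the list of problems with one rule (empty when it is acceptable)."""
    errors: List[str] = []
    proto = rule.protocol.upper()
    if proto not in ("TCP", "UDP"):
        errors.append(f"unsupported forwarding protocol {rule.protocol!r}")
    for label, port in (("forwarding", rule.forwarding_port), ("origin", rule.origin_port)):
        if not 1 <= port <= 65535:
            errors.append(f"{label} port {port} is out of range")
    if rule.forwarding_port == 53:
        errors.append("port 53 is not supported for port forwarding")
    if has_website_config and (proto, rule.forwarding_port) in AUTO_WEBSITE_RULES:
        errors.append(f"{proto}/{rule.forwarding_port} conflicts with an auto-generated website rule")

    ips = [part.strip() for part in rule.origin_ips.split(",") if part.strip()]
    if not ips:
        errors.append("at least one origin IP address is required")
    elif len(ips) > MAX_ORIGIN_IPS:
        errors.append(f"{len(ips)} origin IPs exceeds the limit of {MAX_ORIGIN_IPS}")
    for ip in ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"invalid origin IP address {ip!r}")

    # Application-layer protection is TCP-only, with fixed timeout ranges.
    if rule.new_conn_timeout is not None or rule.rw_timeout is not None:
        if proto != "TCP":
            errors.append("application-layer protection is available only for TCP rules")
        else:
            if rule.new_conn_timeout is not None and not 1 <= rule.new_conn_timeout <= 3:
                errors.append(f"new connection timeout {rule.new_conn_timeout}s is outside 1-3 s")
            if rule.rw_timeout is not None and not 60 <= rule.rw_timeout <= 600:
                errors.append(f"read/write timeout {rule.rw_timeout}s is outside 60-600 s")
    return errors


def validate_rule_set(rules: List[PortRule], has_website_config: bool = False) -> Dict[int, List[str]]:
    """Validate every rule and detect (protocol, forwarding port) conflicts across rules.

    Returns a mapping from rule index to its list of problems; rules without
    problems are absent from the result.
    """
    problems: Dict[int, List[str]] = {}
    seen: Dict[tuple, int] = {}
    for index, rule in enumerate(rules):
        errors = validate_rule(rule, has_website_config)
        key = (rule.protocol.upper(), rule.forwarding_port)
        if key in seen:
            errors.append(f"rule conflict: {key[0]}/{key[1]} is already used by rule {seen[key]}")
        else:
            seen[key] = index
        if errors:
            problems[index] = errors
    return problems


# Constructed sample rules (RFC 5737 documentation addresses as origin IPs).
SAMPLE_RULES = [
    PortRule("TCP", 8000, 8000, "192.0.2.10, 192.0.2.11", new_conn_timeout=2, rw_timeout=120),
    PortRule("UDP", 8000, 8000, "192.0.2.10"),          # same port, other protocol: allowed
    PortRule("TCP", 8000, 9000, "192.0.2.12"),          # duplicates rule 0
    PortRule("UDP", 53, 53, "192.0.2.10"),              # port 53 is rejected
    PortRule("TCP", 443, 443, "192.0.2.10"),            # clashes with the website rule
    PortRule("TCP", 7000, 7000, "192.0.2.10", rw_timeout=30),  # timeout out of range
]

if __name__ == "__main__":
    for index, errors in validate_rule_set(SAMPLE_RULES, has_website_config=True).items():
        print(f"rule {index}: " + "; ".join(errors))
```

Run as a script, it reports rules 2 to 5 and accepts rules 0 and 1, which shows that the same forwarding port may be reused across protocols but not within one. Pass has_website_config=False when the instance has no website configuration and the TCP 443 rule becomes acceptable.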

Step 2: Add your service to your Anti-DDoS Proxy instance

After a port forwarding rule is created, you must change the IP address of your service to the exclusive IP address of your instance to redirect service traffic to the instance. After you change the IP address, your instance scrubs inbound traffic and then forwards service traffic to the origin server.

  1. On your Origin Server, allow the back-to-origin IP addresses of Anti-DDoS Pro and Anti-DDoS Premium. This prevents security software on your Origin Server from blocking the traffic forwarded from the instance. For more information, see Allow back-to-origin IP addresses of Anti-DDoS Pro and Anti-DDoS Premium.

  2. To prevent service interruptions caused by incorrect rule configurations, verify on a local computer that the rule configuration has taken effect. For more information, see Verify that the forwarding configuration has taken effect.

    Warning

    If you switch over your services before the rule takes effect, your services may be interrupted.

  3. Switch the traffic of your non-website services to the Anti-DDoS Pro or Anti-DDoS Premium instance.

    Typically, you only need to replace the service IP address with the exclusive IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance to officially switch your service traffic to the instance. The specific procedure may vary based on your service development platform.

    Note
    • If your services also use a domain name to specify the server address (for example, the domain name example.com is set as the server address in a game client, or the domain name is hardcoded in the client application), you do not need to configure Website Config. Instead, you must change the DNS resolution at your DNS provider to point the A record of the domain name to the exclusive IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance. For more information, see Change a DNS record.

    • In some scenarios, you may need to use a domain name to connect Layer 4 services and associate services with multiple Anti-DDoS IPs for automatic traffic switching. In this case, connect non-website services by adding a domain name and changing the CNAME record. For more information, see Use a CNAME record to connect non-website services.

Step 3: Configure port forwarding and DDoS mitigation policies

After you change the IP address of your service to the exclusive IP address of your instance, the instance uses default mitigation policies to scrub and forward traffic. You can create custom DDoS mitigation policies and enable the session persistence and health check features based on your business requirements to optimize port forwarding.

On the Port Config page, select your instance, find the port forwarding rule that you want to manage, and then configure the following parameters based on your business requirements.

Parameter

Description

Session Persistence

After you add your non-website service to Anti-DDoS Proxy, issues such as logon timeout and disconnections may occur. In this case, you can enable the session persistence feature. This feature forwards requests from the same client to the same backend server within a specified period of time.

  1. Click Configure in the Session Persistence column.

  2. In the Session Persistence dialog box, enable or disable session persistence based on your business requirements.

    • To enable session persistence, configure the Timeout Period parameter and click Set Timeout Period and Enable.

    • To disable session persistence, click Disable Session Persistence.

Health Check

If your service has multiple origin servers, you can use the health check feature to check the availability of each origin server. This ensures that requests from clients are not forwarded to unhealthy origin servers.

  1. Click Configure in the Health Check column.

  2. In the Health Check panel, enable or disable health check.

    1. To enable health check, turn on Enable Health Check, configure the parameters, and then click OK. For more information, see Configure health checks.

    2. To disable health check, turn off Enable Health Check and click OK.
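
The three settings just described interact: the fixed Round-robin back-to-origin algorithm spreads a client's consecutive requests across origin servers, which is exactly what produces the logon timeouts and disconnections that session persistence is meant to fix, and a health check decides which origins are in rotation at all. The model below is an added example, not Alibaba Cloud code, that reproduces that behaviour so the effect of each setting can be seen. The OriginScheduler class, the explicit clock, and all IP addresses are constructed for the example.

```python
"""Model of origin selection for one Anti-DDoS Proxy port forwarding rule.

Added example; not Alibaba Cloud code. It reproduces the behaviour the page
describes: the fixed round-robin back-to-origin algorithm over the rule's
origin IPs, session persistence that keeps a client on the same origin while
its session is fresher than the configured timeout, and a health check that
takes unhealthy origins out of rotation. Time is passed in explicitly
(seconds) to keep the runs deterministic; all IP addresses are constructed.
"""
from typing import Dict, List, Optional, Tuple


class OriginScheduler:
    def __init__(self, origins: List[str], persistence_timeout: Optional[float] = None):
        self.origins = list(origins)
        self.healthy: Dict[str, bool] = {o: True for o in self.origins}
        self.persistence_timeout = persistence_timeout  # None = session persistence disabled
        self._next = 0                                   # round-robin cursor
        self._sessions: Dict[str, Tuple[str, float]] = {}  # client -> (origin, last seen)

    def set_health(self, origin: str, healthy: bool) -> None:
        """Outcome of a health check: unhealthy origins receive no new requests."""
        self.healthy[origin] = healthy

    def pick(self, client_ip: str, now: float) -> Optional[str]:
        """Choose the origin for a request from client_ip arriving at time now."""
        candidates = [o for o in self.origins if self.healthy[o]]
        if not candidates:
            return None
        if self.persistence_timeout is not None:
            entry = self._sessions.get(client_ip)
            if entry is not None:
                origin, last_seen = entry
                if now - last_seen <= self.persistence_timeout and self.healthy[origin]:
                    self._sessions[client_ip] = (origin, now)  # refresh the session
                    return origin
        origin = candidates[self._next % len(candidates)]
        self._next += 1
        if self.persistence_timeout is not None:
            self._sessions[client_ip] = (origin, now)
        return origin


ORIGINS = ["192.0.2.10", "192.0.2.11"]   # constructed origin IPs
CLIENT = "203.0.113.5"                   # constructed client IP


def requests_from_one_client(persistence_timeout: Optional[float], times=(0, 1, 2)) -> List[str]:
    """Origins hit by consecutive requests from a single client."""
    sched = OriginScheduler(ORIGINS, persistence_timeout)
    return [sched.pick(CLIENT, t) for t in times]


def failover_during_session() -> Tuple[Optional[str], Optional[str]]:
    """A pinned origin fails its health check mid-session: the client moves."""
    sched = OriginScheduler(ORIGINS, persistence_timeout=30)
    first = sched.pick(CLIENT, 0)
    sched.set_health(first, False)
    return first, sched.pick(CLIENT, 5)


if __name__ == "__main__":
    print("no persistence:  ", requests_from_one_client(None))
    print("30 s persistence:", requests_from_one_client(30))
    print("expired session: ", requests_from_one_client(30, times=(0, 40)))
    print("failover:        ", failover_during_session())
```

Without persistence a client's three requests land on .10, .11, .10, so any logon state held only on .10 is missing for the second request; with a 30 s timeout all three stay on .10, a request 40 s later is rotated again, and a failed health check overrides persistence so the client is moved rather than sent to a dead origin.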

DDoS Mitigation Policies

You can configure DDoS mitigation policies to limit the connection speeds and packet lengths of non-website services that are protected by Anti-DDoS Proxy. This protects non-website services against connection-oriented DDoS attacks that consume low bandwidth.

  1. Click DDoS Mitigation Policies in the Configure column.

  2. On the Protection for Non-website Services tab, configure DDoS mitigation policies for the current forwarding rule as needed. For more information, see Configure a DDoS mitigation policy.

Step 4: View the protection data of a port

After adding your non-website service to the Anti-DDoS Proxy instance, you can view the traffic that is redirected over the port on the Security Overview page of the Anti-DDoS Proxy console.

  1. In the left-side navigation pane, click Security Overview.

  2. Click the Instances tab, select your instance, and specify a time range to view the protection data.

    Feature

    Description

    Bandwidth (labeled 1)

    • For a Bandwidth instance, it provides a bandwidth trend chart that shows trends in inbound traffic, outbound traffic, attack traffic, and rate-limited traffic on the instance over a specified period. Traffic is measured in bps or pps.

    • For an Overview instance, it provides three tabs: a bandwidth trend tab (the same as the bandwidth trend chart), Inbound Traffic Distribution (distribution of inbound traffic), and Outbound Traffic Distribution (distribution of outbound traffic).

    Connections (labeled 2)

    • Concurrent Connections: The number of TCP connections established between clients and Anti-DDoS Proxy at the same time.

      • Active connections: The number of TCP connections that are in the Established state.

      • Inactive connections: The number of TCP connections that are in any state other than Established.

    • New Connections: The number of new TCP connections established between clients and Anti-DDoS Proxy per second.

    Network Layer Attack Events, Alerts on Exceeded Upper Limits, and Destination Rate Limit Events (labeled 3)

    • Network Layer Attack Events:

      Hover over the attacked IP address or port to view details, including the IP address and port, attack type, peak traffic, and protection result.

    • Alerts on Exceeded Upper Limits:

      Event types include service bandwidth, new connections, and concurrent connections. When the metrics for an event type exceed your purchased specifications, an alert is triggered. This does not affect your current services, but we recommend upgrading your instance. For more information, see Upgrade an instance.

      You can click Details in the Status column to go to the System Logs page and view detailed information.

      Note

      Alerts on exceeded upper limits are updated every Monday at 10:00 (UTC+8) with data from the previous day. If you have configured notifications by using internal messages, text messages, or email, you also receive a notification at 10:00 (UTC+8) every Monday that contains data from the previous day.

    • Destination Rate Limit Events

      When metrics such as new connections, concurrent connections, or service bandwidth significantly exceed the instance specifications, a rate-limiting policy is triggered. This affects your services and generates a destination rate limit event.

      • If rate limiting is triggered by normal service traffic, upgrade your instance as soon as possible. For more information, see Upgrade an instance.

      • If rate limiting is triggered by a DDoS attack, adjust your protection settings promptly. For more information, see Protection settings.

      You can click Details in the Status column to go to the System Logs page and view detailed information.

    Service Distribution by Location and Service Distribution by ISP (labeled 4)

    • Service Distribution by Location: The distribution of source locations for normal service traffic.

    • Service Distribution by ISP: The distribution of ISPs for normal service traffic.
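
The Connections chart counts concurrent connections as active (Established) and inactive (any other TCP state). When the console figures and the origin server disagree, the same classification can be taken from the origin's own socket table. The script below is an added example, not Alibaba Cloud code, that applies the console's definition to `ss -tan` output and additionally lists peers on the forwarded port that are not back-to-origin addresses, which after Step 2 would indicate traffic reaching the origin without passing through the instance. The `ss` output is constructed, and BACK_TO_ORIGIN_ALLOWLIST is a placeholder for the addresses published in "Allow back-to-origin IP addresses of Anti-DDoS Pro and Anti-DDoS Premium", not the real ones.

```python
"""Classify origin-side TCP connections the way the Security Overview page does.

Added example; not Alibaba Cloud code. The Connections chart counts
concurrent connections as active (Established) and inactive (any other
state). Running `ss -tan` on the origin server gives the same view from the
other end of the forwarding path. The output below is constructed; the
back-to-origin allowlist is a placeholder for the addresses documented by
Alibaba Cloud, not the real ones.
"""
from typing import Dict, List, Set

# Constructed `ss -tan` output for an origin that serves the forwarded port 8000.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:8000         0.0.0.0:*
ESTAB      0      0      192.0.2.10:8000      198.51.100.20:51234
ESTAB      0      0      192.0.2.10:8000      198.51.100.21:51235
SYN-RECV   0      0      192.0.2.10:8000      198.51.100.20:51236
TIME-WAIT  0      0      192.0.2.10:8000      198.51.100.21:51237
ESTAB      0      0      192.0.2.10:8000      203.0.113.9:44321
"""

# Placeholder allowlist: replace with the published back-to-origin addresses.
BACK_TO_ORIGIN_ALLOWLIST: Set[str] = {"198.51.100.20", "198.51.100.21"}


def parse_ss(output: str) -> List[Dict[str, str]]:
    """Parse `ss -tan` text into rows of state, local endpoint and peer endpoint."""
    rows = []
    for line in output.splitlines()[1:]:        # skip the header line
        parts = line.split()
        if len(parts) < 5:
            continue
        rows.append({"state": parts[0], "local": parts[3], "peer": parts[4]})
    return rows


def _on_port(row: Dict[str, str], port: int) -> bool:
    """True for a connection (not a listener) whose local endpoint is on port."""
    return row["state"] != "LISTEN" and row["local"].endswith(f":{port}")


def connection_summary(output: str, port: int) -> Dict[str, int]:
    """Active/inactive counts for one local port, mirroring the console's definition."""
    summary = {"active": 0, "inactive": 0}
    for row in parse_ss(output):
        if not _on_port(row, port):
            continue
        if row["state"] == "ESTAB":
            summary["active"] += 1
        else:
            summary["inactive"] += 1
    return summary


def peers_bypassing_proxy(output: str, port: int, allowlist: Set[str]) -> List[str]:
    """Peer addresses on the port that are not back-to-origin addresses.

    Once traffic has been switched to the instance, connections on the
    forwarded port are expected to come from the back-to-origin addresses;
    any other peer is reaching the origin directly and is not being scrubbed.
    """
    offenders = set()
    for row in parse_ss(output):
        if not _on_port(row, port):
            continue
        peer_ip = row["peer"].rsplit(":", 1)[0]    # also handles [ipv6]:port
        if peer_ip not in allowlist:
            offenders.add(peer_ip)
    return sorted(offenders)


if __name__ == "__main__":
    print(connection_summary(SAMPLE_SS_OUTPUT, 8000))
    print(peers_bypassing_proxy(SAMPLE_SS_OUTPUT, 8000, BACK_TO_ORIGIN_ALLOWLIST))
```

On the constructed sample the summary is 3 active and 2 inactive connections, and 203.0.113.9 is flagged as a peer that is not in the allowlist. In practice, feed the script the live output of `ss -tan` on the origin and compare the counts with the Connections chart for the same moment.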