Anti-DDoS: What is Anti-DDoS Proxy?

Last Updated: Jun 16, 2026

Anti-DDoS Proxy protects your services from large-scale distributed denial-of-service (DDoS) attacks. It redirects traffic to globally distributed scrubbing centers that filter out malicious traffic and forward only legitimate traffic to your origin server, ensuring stability and availability during an attack.

How it works

Anti-DDoS Proxy ensures service stability in three steps:

  1. Traffic redirection: All incoming traffic from the Internet is redirected to an Anti-DDoS scrubbing center by modifying the DNS record or by pointing the service IP address to the IP address of the Anti-DDoS instance. For more information, see Traffic redirection methods.

  2. Traffic scrubbing: The Anti-DDoS scrubbing center uses multilayer detection and filtering engines to defend against Layer 3 and Layer 4 volumetric attacks, such as SYN floods and UDP floods. The center also protects against Layer 7 application-layer attacks, such as HTTP floods. Malicious attack traffic is precisely identified and dropped.

  3. Forwarding traffic to the origin server: After the traffic is scrubbed, legitimate traffic is securely and reliably returned to your origin server through port and protocol forwarding.

Traffic redirection methods

The following methods direct your service traffic to an Anti-DDoS instance for scrubbing.

| Redirection method | Description | Use cases | Pros | Cons |
|---|---|---|---|---|
| DNS resolution | You change the DNS record of your domain name (for example, www.example.com) to the canonical name (CNAME) address provided by Anti-DDoS Proxy. | Services that are accessed through a domain name, such as websites, web applications, and APIs. | Simple to configure and takes effect quickly. This allows for rapid switching during an attack. | Cannot protect against attacks that directly target the origin IP address. |
| Direct IP pointing | You configure forwarding rules in the Anti-DDoS instance to use the instance's IP address as the service entry point. The traffic is then sent back to the real server IP address. Clients directly access the IP address of the Anti-DDoS instance. | Non-website services that are accessed directly using an IP address, such as games and app backend services. | Directly protects the IP address and hides the origin server. | Switching IP addresses may affect some client connections. |
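
The limitation listed for DNS resolution (attacks aimed straight at the origin IP bypass scrubbing) only matters if the origin address can still be learned, so a useful check after the CNAME switch is to audit your own zone for records that still publish it. The following is an added example, not Alibaba Cloud code; it goes beyond the table by also checking MX and SPF records, and the CNAME target, hostnames and addresses are constructed placeholders.

```python
import ipaddress

PROXY_CNAME = "abc123.proxy.example.net"  # placeholder for the CNAME the service issues
ORIGIN_IPS = {"203.0.113.10"}             # placeholder origin address (TEST-NET-3)
# Constructed zone export as (name, type, value); not real records.
ZONE = [
    ("www.example.com", "CNAME", "abc123.proxy.example.net"),
    ("dev.example.com", "A", "203.0.113.10"),
    ("old.example.com", "CNAME", "dev.example.com"),
    ("mail.example.com", "A", "203.0.113.10"),
    ("example.com", "MX", "10 mail.example.com"),
    ("example.com", "TXT", "v=spf1 ip4:203.0.113.0/28 -all"),
    ("static.example.com", "A", "198.51.100.7"),
]


def terminal_values(name, zone, seen=()):
    """Follow in-zone CNAMEs from name; return the addresses or external names reached."""
    if name in seen:  # guard against CNAME loops
        return set()
    out = set()
    for rname, rtype, value in zone:
        if rname == name and rtype == "A":
            out.add(value)
        elif rname == name and rtype == "CNAME":
            target = value.rstrip(".")
            out |= terminal_values(target, zone, seen + (name,)) or {target}
    return out


def audit(zone, proxy_cname, origin_ips):
    """Return (protected names, findings); a finding is (name, type, reason)."""
    protected, findings = set(), set()
    for name, rtype, value in zone:
        if rtype in ("A", "CNAME"):
            reached = terminal_values(name, zone)
            if proxy_cname in reached:
                protected.add(name)
            if reached & origin_ips:
                findings.add((name, rtype, "resolves to origin IP"))
        elif rtype == "MX":
            host = value.split()[-1].rstrip(".")
            if terminal_values(host, zone) & origin_ips:
                findings.add((name, rtype, f"mail host {host} resolves to origin IP"))
        elif rtype == "TXT" and value.startswith("v=spf1"):
            nets = [t[4:] for t in value.split() if t.startswith("ip4:")]
            for net in map(ipaddress.ip_network, nets):
                if any(ipaddress.ip_address(ip) in net for ip in origin_ips):
                    findings.add((name, rtype, f"SPF range {net} covers origin IP"))
    return sorted(protected), sorted(findings)
```

On the constructed zone, `audit(ZONE, PROXY_CNAME, ORIGIN_IPS)` lists www.example.com as protected and returns five records that still reveal the origin address.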

Benefits

  • Quick and easy deployment

    Two connection types are supported: DNS resolution and direct IP pointing. No hardware, software, or routing changes are required. Setup typically completes in minutes, depending on DNS propagation time. Your origin IP address is hidden and protected.

  • AI-driven precise protection

    • Network-layer attack prevention: Beyond traditional feature detection, the service uses an IP reputation library and deep packet inspection (DPI) to identify and block volumetric attacks.

    • Application-layer CC attack protection: An AI engine learns your service model to identify and filter CC attack traffic. Fine-grained URL-level protection policies reduce O&M complexity.

  • Massive global mitigation capacity

    Anti-DDoS Proxy provides over 20 Tbps of total bandwidth, including more than 5 Tbps outside the Chinese mainland. This capacity defends against DDoS attacks at the network, transport, and application layers, ensuring smooth global access.

  • Flexible burstable protection

    Protection bandwidth upgrades take effect in seconds, letting you increase defense capacity in response to burst attacks without service interruptions.

  • Financial-grade stability and high availability

    A fully redundant architecture with comprehensive monitoring of data centers, servers, engines, and links provides automatic failover and recovery, ensuring 99.95% service availability.

  • Intelligent traffic rerouting

    Integrates with other Alibaba Cloud products to automatically reroute traffic to Anti-DDoS Proxy when an attack occurs. During normal operation, the service does not intervene, balancing cost and security.

Product specifications

Anti-DDoS Proxy is available in two editions based on the physical region of your servers: Anti-DDoS Proxy (Chinese Mainland) and Anti-DDoS Proxy (Outside Chinese Mainland).

| Product type | Instance edition | Core features and differences | Notes |
|---|---|---|---|
| Anti-DDoS Proxy (Chinese Mainland) | Profession | Provides an exclusive IP address, multi-line Border Gateway Protocol (BGP) protection, and supports both basic and burstable protection. | - |
| Anti-DDoS Proxy (Chinese Mainland) | Advanced | Provides two advanced mitigation sessions per month (resets monthly). | Contact your account manager to activate this edition. |
| Anti-DDoS Proxy (Outside Chinese Mainland) | Insurance and Unlimited | Both the Insurance and Unlimited mitigation plans are for services deployed exclusively outside China. They differ in billing method, capacity, and the number of advanced mitigation sessions. The Insurance plan offers two per month, while the Unlimited plan has no limit. To reduce latency for users in the Chinese mainland accessing sites outside China, use these plans with a Secure Acceleration (Sec-CMA) line. For more information, see Configure Sec-CMA for Anti-DDoS Proxy (outside the Chinese mainland). | - |
| Anti-DDoS Proxy (Outside Chinese Mainland) | Sec-CMA 2.0 | Provides access acceleration for users in the Chinese mainland and application-layer DDoS protection. After you select a specific number of DDoS mitigation sessions, it gains the capability to defend against large-volume DDoS attacks from China Telecom, China Unicom, and China Mobile lines. | None |
| Anti-DDoS Proxy (Outside Chinese Mainland) | Sec-CMA 2.0 (Insurance) and Sec-CMA 2.0 (Unlimited) | Features are mostly the same as Sec-CMA 2.0. You can disable the Metering Method of 95th Percentile Burstable Clean Bandwidth and 95th Percentile Burstable QPS modes. | The features have been migrated to Sec-CMA 2.0. We do not recommend purchasing new instances. This option is only for existing instances. |
| Anti-DDoS Proxy (Outside Chinese Mainland) | Chinese Mainland Acceleration and Sec-CMA 1.0 | Legacy versions that do not support China Mobile lines. | We do not recommend purchasing new instances. We recommend that you upgrade to Sec-CMA 2.0. Contact your account manager to activate the upgrade. |

Use cases and purchasing recommendations

| Server location | User source | Business requirements | Recommended edition |
|---|---|---|---|
| The Chinese mainland | The Chinese mainland and outside the Chinese mainland | General-purpose DDoS protection. | Anti-DDoS Proxy (Chinese Mainland) - Profession |
| Outside the Chinese mainland | Outside the Chinese mainland only | No cross-border acceleration needed. | Anti-DDoS Proxy (Outside Chinese Mainland) - Insurance or Unlimited |
| Outside the Chinese mainland | The Chinese mainland | Requires cross-border acceleration to ensure low latency and stability. | Anti-DDoS Proxy (Outside Chinese Mainland) - Sec-CMA 2.0 |
| Outside the Chinese mainland | The Chinese mainland and outside the Chinese mainland | Cross-border acceleration needed without server migration, plus access from outside the Chinese mainland. | Combined purchase: Anti-DDoS Proxy (Outside Chinese Mainland) - Sec-CMA 2.0; Anti-DDoS Proxy (Outside Chinese Mainland) - Insurance or Unlimited |
| Outside the Chinese mainland | Within and outside the Chinese mainland | Migrate servers by user region. After migration, each region's users access locally hosted services protected by the corresponding edition. | Services for users in the Chinese mainland: Anti-DDoS Proxy (Chinese Mainland) - Profession; Services for users outside the Chinese mainland: Anti-DDoS Proxy (Outside Chinese Mainland) - Insurance or Unlimited |

Billing

Fees for Anti-DDoS Proxy consist of subscription instance fees and pay-as-you-go burstable fees.

Anti-DDoS Network Latency

  • Anti-DDoS Proxy (the Chinese mainland): 73 ms to 113 ms for users in the Chinese mainland, and about 313 ms for users outside the Chinese mainland.

  • Anti-DDoS Proxy (outside the Chinese mainland):

    • Insurance and Unlimited mitigation plans: 60 ms to 100 ms for users outside the Chinese mainland, and about 300 ms for users in the Chinese mainland.

    • CMA and Sec-CMA lines: Network latency is less than 50 ms.