This page answers common questions about Anti-DDoS Pro (Chinese mainland) and Anti-DDoS Premium (outside the Chinese mainland).
Jump to a category:
Product billing and specifications (2 questions)
Integration and configuration (4 questions)
Features and protocol support (3 questions)
Protection and security mechanisms (6 questions)
Product billing and specifications
What happens after my Anti-DDoS Pro or Anti-DDoS Premium instance expires?
Expiration is a three-phase process (using Anti-DDoS Pro as the example):
Days 1–7: Mitigation is downgraded to basic protection. If attack or service traffic exceeds 5 Gbps, the system triggers blackhole filtering.
Days 8–30: The instance stops forwarding all traffic. Renewing your subscription restores service.
Day 31 and beyond: The instance and all its configurations are permanently released and cannot be recovered.
For billing details, see Billing of Anti-DDoS Pro.
What are the limits on protected ports and domain names?
| Resource | Chinese mainland | Outside the Chinese mainland |
|---|---|---|
| Protected ports | 50 (expandable to 1,500) | 5 (expandable to 1,500) |
| Protected domain names | 50 (expandable to 200) | 10 (expandable to 200) |
Integration and configuration
How do I find the back-to-origin IP addresses? Do I need to add them to an allowlist manually?
Find the latest back-to-origin IP CIDR blocks on the Website Config page in the Anti-DDoS Proxy console.
Yes, add them to your allowlist manually. Anti-DDoS Proxy does not automatically update your origin server's security policies. If your origin server uses a firewall, security groups, or third-party security software, add the back-to-origin IP CIDR blocks to the allowlist — otherwise, the origin server will block legitimate traffic forwarded by the service.
For instructions, see Add back-to-origin IP addresses to an allowlist.
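The check below is an added example (not Alibaba Cloud code): it compares the back-to-origin CIDR blocks against what an origin firewall or security group already permits, reporting blocks that are not fully covered (forwarded traffic would be dropped) and allowlist entries that no longer match any current block (stale entries left over from an older CIDR list). The CIDR values are constructed placeholders; take the real ones from the Website Config page.

```python
import ipaddress

# Constructed placeholder values. The real back-to-origin CIDR blocks come from the
# Website Config page in the Anti-DDoS Proxy console; these are not Alibaba Cloud's.
BACK_TO_ORIGIN_CIDRS = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:1::/48"]


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def allowlist_gaps(allowlist_rules, required_cidrs=BACK_TO_ORIGIN_CIDRS):
    """Return the required CIDR blocks (as strings) not fully covered by any rule.

    allowlist_rules: CIDR strings the origin firewall / security group permits.
    A block counts as covered only if one rule contains the whole block; a rule
    that overlaps part of it still leaves some forwarded traffic blocked.
    """
    rules = _nets(allowlist_rules)
    gaps = []
    for block in _nets(required_cidrs):
        # subnet_of() raises on mixed IPv4/IPv6 operands, so compare versions first.
        covered = any(block.version == r.version and block.subnet_of(r) for r in rules)
        if not covered:
            gaps.append(str(block))
    return gaps


def stale_rules(allowlist_rules, required_cidrs=BACK_TO_ORIGIN_CIDRS):
    """Return allowlist rules that do not intersect any current back-to-origin block.

    When the published CIDR list changes, entries for retired ranges should be
    removed rather than left as a standing exception on the origin.
    """
    required = _nets(required_cidrs)
    stale = []
    for r in _nets(allowlist_rules):
        if not any(r.version == b.version and r.overlaps(b) for b in required):
            stale.append(str(r))
    return stale


if __name__ == "__main__":
    current = ["203.0.113.0/25", "2001:db8:1::/48", "192.0.2.0/24"]  # constructed
    print("not covered:", allowlist_gaps(current))
    print("stale:", stale_rules(current))
```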
Can I use a private IP address as an origin IP address? Is there a delay when I change the origin IP?
Origin IP type: No. Anti-DDoS Proxy communicates with your origin server over the public network, so the origin IP address must be a public IP address.
Change propagation delay: Yes. After you change an origin IP address, it takes about 5 minutes for the new configuration to propagate across all points of presence (POPs). Make this change during off-peak hours to minimize service impact.
For background on public IP addresses, see Static public IP addresses.
How does Anti-DDoS Proxy handle load balancing, health checks, and session persistence?
Load balancing
When you configure multiple origin IP addresses, the available algorithms depend on the service type:
Layer 7 (website services): Round Robin, IP Hash, or Least Time.
Layer 4 (non-website services): Round Robin only. The algorithm cannot be changed.
Health checks
Health checks are enabled by default for website services and disabled by default for non-website services (you can enable them manually). The service monitors your origin servers and automatically removes unhealthy IPs from the rotation.
For details, see Health check overview and Configure health checks.
Session persistence
Session persistence is supported for port forwarding configurations. It consistently routes requests from the same client IP to the same backend server for a specified duration. Note that session persistence is disabled when application-layer protection is enabled, and it will fail if the client's IP address changes (for example, when switching from Wi-Fi to a mobile network).
For configuration steps, see Configure session persistence.
Can I use Anti-DDoS Pro or Anti-DDoS Premium with CDN or DCDN?
Yes, but do not chain them directly. Direct chaining has significant drawbacks:
CDN/DCDN in front of Anti-DDoS: If CDN/DCDN POPs are attacked and sandboxed, traffic cannot reach Anti-DDoS Pro or Anti-DDoS Premium, leaving your service unprotected.
Anti-DDoS in front of CDN/DCDN: The back-to-origin path adds latency and degrades acceleration performance.
The correct approach is to use Sec-Traffic Manager, available in the Enhanced Function Plan. Resolve your domain to the CNAME record generated by Sec-Traffic Manager. Under normal conditions, traffic routes through CDN/DCDN for acceleration. When an attack is detected, traffic automatically switches to Anti-DDoS Pro or Anti-DDoS Premium for scrubbing, then reverts after the attack subsides.
Features and protocol support
What common protocols does Anti-DDoS Proxy support?
| Protocol | Support |
|---|---|
| IPv6 | Anti-DDoS Pro (Chinese mainland) only. Not supported outside the Chinese mainland. |
| WebSocket | Supported. See WebSocket configuration. |
| NTLM authentication | Not supported. Requests forwarded through Anti-DDoS Proxy may fail NTLM authentication at the origin server. Use Anti-DDoS Origin instead. |
| gRPC | Not supported. |
| Server-Sent Events (SSE) | Supported. |
What is the default connection timeout?
| Layer | Default timeout |
|---|---|
| Layer 4 TCP connections | 900 seconds |
| Layer 7 HTTP/HTTPS connections | 120 seconds |
How does Anti-DDoS Proxy handle HTTPS?
Mutual authentication (mTLS)
HTTPS mutual authentication is supported. The behavior differs by service layer:
Layer 7 (Website Config): Upload the server-side certificate and the client CA certificate in the console. The Anti-DDoS POPs handle client certificate validation.
Layer 4 (Port Config): The service acts as a transparent transport channel. Your origin server handles the entire mutual authentication process.
For a setup guide, see Use Anti-DDoS Proxy to deploy HTTPS mutual authentication.
SSL/TLS protocols and cipher suites
TLS 1.0 through 1.3 are supported, along with a wide range of cipher suites including ECDHE-ECDSA-AES128-GCM-SHA256. Customize the TLS security policy in the console. See Customize the TLS security policy.
SNI compatibility
Anti-DDoS Proxy uses Server Name Indication (SNI) to host multiple HTTPS domain names on a shared IP. Older browsers and some Android clients that do not support SNI cannot complete the TLS handshake and will fail to access your site. See HTTPS access exceptions caused by SNI for details.
Protection and security mechanisms
What is clean bandwidth, and what happens if I exceed the limit?
Clean bandwidth is the volume of legitimate (non-attack) traffic routed to your protected service. Both inbound and outbound traffic are measured, and the higher value is used for billing (in Mbit/s).
If your service traffic exceeds the purchased clean bandwidth limit, the system triggers rate limiting, which causes service stuttering, slow responses, intermittent connection failures, or packet loss. To resolve this:
In the Anti-DDoS Proxy console, go to the Instances page and check the bandwidth chart to confirm your usage exceeds the purchased limit.
On the Instances page, find the instance and click Upgrade in the Actions column.
In the Clean Bandwidth section, select a higher specification and complete the payment. The change takes effect within 3–5 minutes.
How do I handle blackhole filtering? Can I manually deactivate it?
Blackhole filtering is triggered when attack traffic exceeds your instance's maximum mitigation capability. All traffic through the affected instance becomes inaccessible.
Step 1: Assess the attack. In the Anti-DDoS Proxy console, go to the Security Overview page to check the peak traffic volume and trend, and confirm whether the attack has stopped or weakened.
Step 2: Deactivate blackhole filtering.
The process differs by instance type:
Anti-DDoS Pro (Chinese mainland)
Manual deactivation is supported. Each Alibaba Cloud account has five deactivation opportunities per day, reset at 00:00 daily.
In the Anti-DDoS Proxy console, go to Mitigation Settings > General Policies.
Select the affected instance.
In the Blackhole Filtering Deactivation section, click Unblock.
For detailed steps, see Deactivate blackhole filtering.
Anti-DDoS Premium (outside the Chinese mainland)
Manual deactivation is not currently supported. Depending on your plan:
Insurance Plan: If blackhole filtering was triggered because you exhausted your monthly advanced mitigation sessions, upgrade to the Unlimited Plan. Blackhole filtering is automatically deactivated after the upgrade.
Unlimited Plan: These instances provide unlimited advanced mitigation and should not be subject to blackhole filtering due to exceeded mitigation capacity. If it occurs anyway, submit a ticket.
Why does the Security Overview page show scrubbed traffic even when no attack is happening?
This is expected behavior. Anti-DDoS Proxy automatically filters malformed network packets from all inbound traffic — for example, small SYN packets or packets with abnormal flags that violate TCP protocol standards. These filtered packets count as "scrubbed traffic," so a small amount of scrubbed traffic will appear even during normal operation without a large-scale attack.
Does Anti-DDoS Proxy support blocking traffic by geographic location?
Yes. The Location Blacklist feature lets you configure access control policies based on country or region to precisely block or allow traffic from IP addresses outside the Chinese mainland.
Is it safe to upload my HTTPS certificate and private key? Does Anti-DDoS Proxy log the content of HTTPS requests?
Certificate and key security: Yes, it is secure. Certificates and private keys are stored on a dedicated Key Server built on Alibaba Cloud Key Management Service (KMS). The service is certified by ISO 27001, SOC 1/2/3, and PCI DSS. For details, see the Alibaba Cloud Trust Center.
Traffic privacy: No. Anti-DDoS Proxy decrypts HTTPS traffic only for real-time inspection and does not log the full content of requests or responses. When an attack is detected, partial attack characteristics (payload) are logged for report analysis only.
You can use a dual-certificate solution — one certificate and key pair on Anti-DDoS Proxy and a different valid pair on your origin server. This lets you manage certificates on each side independently.
Do the open ports on Anti-DDoS Proxy clusters pose a security risk?
No. The open ports are used only for traffic ingestion and forwarding. Traffic is forwarded exclusively to the ports you configure for your domain names or services in the console. Requests to origin server ports that are not configured in the service are not forwarded.