This topic lists frequently asked questions about the Anti-DDoS Pro (the Chinese mainland) and Anti-DDoS Premium (outside the Chinese mainland) services.
Question overview
Product billing and specifications
Integration and configuration
Features and protocol support
Protection and security mechanisms
Product billing and specifications
What happens after my Anti-DDoS Pro or Anti-DDoS Premium instance expires?
This topic uses Anti-DDoS Proxy (Chinese Mainland) as an example:
Within 7 days after expiration: The instance's mitigation capability is downgraded to the basic protection level, which has a 5 Gbps blackhole triggering threshold. If your service traffic or attack traffic exceeds 5 Gbps, the system triggers blackhole filtering for the IP address.
From 8 to 30 days after expiration: The instance stops forwarding all service traffic. You can restore the service by renewing your subscription during this period.
31 days or more after expiration: The instance and its resources are permanently released. All configurations are lost and cannot be recovered.
For more information, see Billing of Anti-DDoS Pro (the Chinese mainland).
What are the limits on the number of protected ports and domain names for Anti-DDoS Pro and Anti-DDoS Premium?
Number of protected ports:
Instances in the Chinese mainland: 50 by default, expandable to 1,500.
Instances outside the Chinese mainland: 5 by default, expandable to 1,500.
Number of protected domain names:
Instances in the Chinese mainland: 50 by default, expandable to 200.
Instances outside the Chinese mainland: 10 by default, expandable to 200.
Integration and configuration
How do I find the back-to-origin IP addresses for Anti-DDoS Pro and Anti-DDoS Premium? Do I need to add them to a whitelist manually?
Find the back-to-origin IP addresses: You can find the latest back-to-origin IP CIDR blocks on the Website Config page or related pages in the Anti-DDoS Pro and Anti-DDoS Premium console.
Add to a whitelist: Yes, you must add them manually. Anti-DDoS Pro and Anti-DDoS Premium do not automatically modify your origin server's security policies. If your origin server uses a firewall, security groups, or third-party security software, you must add the back-to-origin IP CIDR blocks of Anti-DDoS Pro and Anti-DDoS Premium to the whitelist. Otherwise, your origin server will block all non-malicious traffic forwarded by the services.
Note: For more information, see Add the back-to-origin IP addresses of Anti-DDoS Pro and Anti-DDoS Premium to an allowlist.
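The allowlisting step above, as an added example that is not Alibaba Cloud's own code: it renders origin-side nftables rules that accept the protected ports only from the back-to-origin CIDR blocks, and checks whether a connection's source address is inside those blocks. The CIDR blocks are constructed placeholders; take the real ones from the console.

```python
# Added example, not Alibaba Cloud's own code: render origin-side nftables rules
# that accept the protected ports only from the back-to-origin CIDR blocks, and
# check whether a connection's source address is inside those blocks.
import ipaddress

# Constructed placeholders: replace with the CIDR blocks listed in the console.
BACK_TO_ORIGIN_CIDRS = ["203.0.113.0/24", "198.51.100.0/25"]
PROTECTED_PORTS = [80, 443]


def normalise(cidrs):
    """Parse and de-duplicate CIDR strings; malformed entries raise ValueError."""
    nets = {ipaddress.ip_network(c, strict=True) for c in cidrs}
    return sorted(nets, key=lambda n: (n.version, int(n.network_address)))


def is_from_scrubbing_center(src_ip, cidrs=BACK_TO_ORIGIN_CIDRS):
    """True if src_ip is inside one of the back-to-origin blocks (same IP version)."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in normalise(cidrs) if net.version == addr.version)


def build_nft_rules(cidrs=BACK_TO_ORIGIN_CIDRS, ports=PROTECTED_PORTS):
    """Render an nftables input chain: the protected ports accept traffic from the
    back-to-origin blocks and drop everything else; other ports are left alone."""
    nets = normalise(cidrs)
    v4 = ", ".join(str(n) for n in nets if n.version == 4)
    v6 = ", ".join(str(n) for n in nets if n.version == 6)
    portset = ", ".join(str(p) for p in ports)
    lines = [
        "table inet origin_guard {",
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        "        ct state established,related accept",
    ]
    if v4:
        lines.append(f"        ip saddr {{ {v4} }} tcp dport {{ {portset} }} accept")
    if v6:
        lines.append(f"        ip6 saddr {{ {v6} }} tcp dport {{ {portset} }} accept")
    lines += [f"        tcp dport {{ {portset} }} drop", "    }", "}"]
    return "\n".join(lines)
```

Load the rendered ruleset with `nft -f` on the origin server after adding rules for any management access you need on other ports.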
Can I use a private IP address as an origin IP address? Is there a delay when I modify an origin IP address?
Origin IP address type: No, you cannot. Anti-DDoS Pro and Anti-DDoS Premium communicate with your origin server over the public network. Therefore, the origin IP address must be a public IP address.
Modification delay: Yes, there is. After you modify an origin IP address, it takes about 5 minutes for the new configuration to propagate across all POPs. To minimize business impact, make this change during off-peak hours.
Note: For more information, see Static public IP addresses.
How do Anti-DDoS Pro and Anti-DDoS Premium handle load balancing, health checks, and session persistence?
Load balancing: When you configure multiple origin IP addresses:
For Layer 7 (website services): The Round Robin, IP Hash, and Least Time algorithms are supported.
For Layer 4 (non-website services): The default algorithm is Round Robin. You cannot change the algorithm.
Health checks: Health checks are supported. Health checks are enabled by default for website services and disabled by default for non-website services, but you can enable them manually. The services monitor the health of your origin servers and automatically remove unhealthy origin IP addresses from the rotation.
Note: For more information about health checks, see Health check overview of SLB and Configure health checks.
Session persistence: Session persistence is supported for port forwarding configurations. This feature is disabled if application-layer protection is enabled. When session persistence is enabled, the service consistently forwards requests from the same client IP address to the same backend server for a specified period. For specific steps, see Configure session persistence.
Note: If the client's network environment changes, for example, by switching from Wi-Fi to 4G, its public IP address changes. This causes session persistence to fail.
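The selection behaviour described in this answer, as an added model that is not Alibaba Cloud's own code: Round Robin and IP Hash selection, unhealthy origins removed from rotation by a health check, and session persistence keyed on the client IP, which is why a changed public IP lands on a different origin. Origin addresses are constructed sample values.

```python
# Added example, not Alibaba Cloud's own code: a model of the origin selection described
# above (Round Robin and IP Hash, unhealthy origins removed from rotation, session
# persistence keyed on the client IP). Origin addresses are constructed sample values.
import hashlib
import itertools

ORIGINS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]   # constructed sample origins


class OriginPool:
    def __init__(self, origins, persist_seconds=0):
        self.origins = list(origins)
        self.unhealthy = set()
        self.persist_seconds = persist_seconds
        self.sessions = {}                       # client_ip -> (origin, expires_at)
        self._rr = itertools.cycle(self.origins)

    def healthy(self):
        return [o for o in self.origins if o not in self.unhealthy]

    def health_check(self, probe):
        """probe(origin) -> bool. Failing origins leave the rotation, recovered ones
        rejoin, and persistence entries pointing at a failed origin are discarded."""
        self.unhealthy = {o for o in self.origins if not probe(o)}
        self.sessions = {c: v for c, v in self.sessions.items() if v[0] not in self.unhealthy}

    def round_robin(self):
        for _ in range(len(self.origins)):
            origin = next(self._rr)
            if origin not in self.unhealthy:
                return origin
        raise RuntimeError("no healthy origin")

    def ip_hash(self, client_ip):
        pool = self.healthy()
        if not pool:
            raise RuntimeError("no healthy origin")
        digest = hashlib.sha256(client_ip.encode()).digest()
        return pool[int.from_bytes(digest[:4], "big") % len(pool)]

    def select(self, client_ip, now, algorithm="round_robin"):
        """Pick an origin at simulated time `now`; with persistence on, a client keeps
        its origin until the timer expires. A changed public IP looks like a new client."""
        hit = self.sessions.get(client_ip) if self.persist_seconds else None
        if hit and hit[1] > now:
            return hit[0]
        origin = self.ip_hash(client_ip) if algorithm == "ip_hash" else self.round_robin()
        if self.persist_seconds:
            self.sessions[client_ip] = (origin, now + self.persist_seconds)
        return origin
```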
Can I use Anti-DDoS Pro or Anti-DDoS Premium with CDN or DCDN? How do I configure them?
Yes, you can, but chaining them directly is strongly discouraged. The correct method is to use the intelligent integration solution provided by Anti-DDoS Pro and Anti-DDoS Premium, which balances acceleration and protection.
Direct chaining methods:
Traffic flow: CDN/DCDN to Anti-DDoS Pro/Premium: If CDN/DCDN POPs are attacked, they may be sandboxed. This prevents traffic from reaching Anti-DDoS Pro or Anti-DDoS Premium and renders the protection ineffective.
Traffic flow: Anti-DDoS Pro/Premium to CDN/DCDN: The back-to-origin path through Anti-DDoS Pro or Anti-DDoS Premium adds latency, which negatively impacts the acceleration performance of CDN/DCDN.
Integration solution: Use the Sec-Traffic Manager, available in the Enhanced function plan of Anti-DDoS Pro and Anti-DDoS Premium, to integrate with CDN/DCDN.
How it works: Resolve your domain name to the CNAME record generated by Sec-Traffic Manager. Under normal conditions, traffic is routed through CDN/DCDN for acceleration. When an attack is detected, traffic is automatically switched to Anti-DDoS Pro or Anti-DDoS Premium for traffic scrubbing. After the attack, traffic routing reverts to CDN/DCDN.
Benefits: This solution provides both a fast user experience for normal access and high availability during attacks.
Features and protocol support
What common protocols do Anti-DDoS Pro and Anti-DDoS Premium support?
IPv6: Anti-DDoS Pro (the Chinese mainland) supports IPv6. Anti-DDoS Premium (outside the Chinese mainland) does not support IPv6 at this time.
WebSocket: WebSocket is supported. For more information, see WebSocket configuration for Anti-DDoS Pro and Anti-DDoS Premium.
NTLM authentication: NTLM authentication is not supported. Requests forwarded through Anti-DDoS Pro or Anti-DDoS Premium may fail NTLM authentication at the origin server. Use Anti-DDoS Origin instead.
gRPC: gRPC is not supported.
Server-Sent Events (SSE): SSE is supported.
What is the default connection timeout for Anti-DDoS Pro and Anti-DDoS Premium?
Layer 4 TCP connections: 900 seconds.
Layer 7 HTTP/HTTPS connections: 120 seconds.
How do Anti-DDoS Pro and Anti-DDoS Premium support HTTPS?
HTTPS mutual authentication: HTTPS mutual authentication is supported. For a detailed guide, see Use Anti-DDoS Pro and Anti-DDoS Premium to deploy HTTPS mutual authentication.
For Layer 7 (Website Config): You must upload the server-side certificate and the client CA certificate in the console. The Anti-DDoS POPs handle client certificate validation.
For Layer 4 (Port Config): The service acts as a transparent transport channel, and your origin server handles the entire mutual authentication process.
SSL protocols and cipher suites: TLS 1.0 to 1.3 are supported. A wide range of mainstream and legacy cipher suites, including ECDHE-ECDSA-AES128-GCM-SHA256, are also supported. You can customize the TLS security policy in the console. For more information, see Customize the TLS security policy for an HTTPS certificate.
SNI compatibility issues: If users with older browsers or certain Android clients cannot access your HTTPS site, it is likely because their clients do not support Server Name Indication (SNI). Anti-DDoS Pro and Anti-DDoS Premium use SNI to host multiple HTTPS domain names. Incompatible clients cannot complete the TLS handshake. For more information about issues related to SNI, see HTTPS access exceptions that may be caused by SNI.
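One way to confirm the SNI explanation above on a client that cannot connect, as an added example that is not Alibaba Cloud's own code: build a minimal ClientHello with or without the server_name extension and parse a ClientHello to see whether SNI is present. A client whose hello yields no server_name cannot be matched to a domain on an SNI-hosted endpoint. The hostname is a constructed sample; the single cipher suite is the one named above (0xC02B).

```python
# Added example, not Alibaba Cloud's own code: build a minimal ClientHello with or
# without the server_name (SNI) extension and detect whether SNI is present, which
# is the check to run on a capture from a client that fails the handshake. The
# hostname is a constructed sample; the cipher suite is the one named above (0xC02B).
import struct


def build_client_hello(server_name=None):
    """Return a TLS record carrying a minimal ClientHello (constructed, not captured)."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        sni_list = struct.pack("!BH", 0, len(name)) + name            # name type 0 = host_name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)                                    # version, random
            + b"\x00"                                                  # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2b"                       # one cipher suite
            + b"\x01\x00"                                              # null compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the server_name from a ClientHello record, or None if the client sent none."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                              # skip version and random
    pos += 1 + body[pos]                                      # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher suites
    pos += 1 + body[pos]                                      # compression methods
    if pos + 2 > len(body):
        return None                                           # legacy hello: no extensions block
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == 0x0000 and len(data) >= 5:
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("idna")
        pos += 4 + ext_len
    return None
```

Feed `extract_sni` the first record of a captured client connection; a result of None from the failing client and a hostname from a working one confirms the SNI diagnosis.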
Protection and security mechanisms
What is clean bandwidth, and what happens if the limit is exceeded?
Clean bandwidth is the non-malicious service traffic directed to your protected service. The system measures both inbound and outbound traffic and uses the higher value for billing, measured in Mbit/s.
Impact of exceeding the limit: If your actual service traffic exceeds your instance's clean bandwidth specification, the system triggers rate limiting. This can cause service stuttering, slow responses, intermittent connection failures, or random packet loss. Resolve the issue as follows:
Confirm your bandwidth usage: In the Anti-DDoS Pro and Anti-DDoS Premium console, go to the Instances page. Monitor the instance's bandwidth chart to check whether your usage exceeds the purchased specification.
Emergency Instance Upgrade
Goal: Increase the clean bandwidth limit to restore service performance.
Steps:
Log on to the Anti-DDoS Pro and Anti-DDoS Premium console.
On the Instances page, find the target instance, and then click Upgrade in the Actions column.
In the Clean Bandwidth section, select a higher specification and complete the payment.
Effective time: The configuration change takes effect across the network in 3 to 5 minutes.
How do I handle blackhole filtering? Can I manually deactivate blackhole filtering for an Anti-DDoS Pro or Anti-DDoS Premium instance?
When attack traffic exceeds your instance's maximum mitigation capability, the system applies blackhole filtering to the instance's IP address to protect the stability of the entire Alibaba Cloud data center. All services routed through the instance become completely inaccessible. Resolve the issue as follows:
Assess the attack status: Log on to the Anti-DDoS Pro and Anti-DDoS Premium console. On the Security Overview page, check the peak traffic and trend of the attack to confirm whether it has stopped or weakened.
Deactivate blackhole filtering
Anti-DDoS Pro (the Chinese mainland) instances
Goal: Manually restore service access after you confirm that the attack traffic has dropped to a level within the instance's mitigation capability.
Prerequisite: Each Alibaba Cloud account has five opportunities per day to manually deactivate blackhole filtering. The count is reset at 00:00 every day.
Steps: For detailed instructions on how to manually deactivate blackhole filtering, see Deactivate blackhole filtering.
Log on to the Anti-DDoS Pro and Anti-DDoS Premium console. In the navigation pane on the left, choose . On the page that appears, find and select the instance for which you want to deactivate blackhole filtering.
In the Blackhole Filtering Deactivation section for the instance, click Unblock.
Anti-DDoS Premium (outside the Chinese mainland) instances
Limitation: Manual deactivation of blackhole filtering is not currently supported.
Recommendations:
Insurance plan: If blackhole filtering is triggered because you have exhausted all your advanced mitigation sessions for the month, immediately upgrade the instance to the Unlimited plan. Blackhole filtering is automatically deactivated after the upgrade.
Unlimited plan: These instances provide unlimited advanced mitigation and should not be subject to blackhole filtering due to exceeding mitigation capabilities. If this occurs, submit a ticket.
Why does the Security Overview page show scrubbed traffic even when the traffic scrubbing threshold is not reached?
This is normal behavior. Anti-DDoS Pro and Anti-DDoS Premium automatically filter all malformed network packets from inbound traffic, such as small SYN packets or packets with abnormal flags that do not comply with TCP protocol standards. These intercepted packets are counted as "scrubbed traffic." Therefore, you may see a small amount of scrubbed traffic recorded even when your service is not experiencing a large-scale attack.
Do Anti-DDoS Pro and Anti-DDoS Premium support blocking access from IP addresses outside the Chinese mainland?
Yes, they do. Anti-DDoS Pro and Anti-DDoS Premium provide a Location Blacklist feature. You can configure access control policies based on countries or regions to precisely block or allow traffic from IP addresses outside the Chinese mainland.
Is it safe to upload an HTTPS certificate and private key? Do Anti-DDoS Pro and Anti-DDoS Premium decrypt and log the content of HTTPS requests?
Key security: Yes, it is highly secure. Anti-DDoS Pro and Anti-DDoS Premium use a dedicated certificate server (Key Server) to store and manage certificates and private keys. This service is built on Alibaba Cloud Key Management Service (KMS) and is certified by multiple international security authorities, such as ISO 27001, SOC 1/2/3, and PCI DSS, to ensure key security. This is the same level of security and compliance that protects Alibaba Cloud itself. For details, see the Alibaba Cloud Trust Center.
Traffic privacy: No, they do not log the full content of requests. Anti-DDoS Pro and Anti-DDoS Premium decrypt HTTPS traffic only for real-time inspection. They do not log the full content of requests or responses. The service logs partial attack characteristics (payload) for report analysis only when an attack is detected.
Note: When you use Anti-DDoS Pro or Anti-DDoS Premium to protect HTTPS services, you can also use a dual-certificate solution. This involves using one certificate and key pair on the Anti-DDoS service and a different pair on your origin server. Both pairs must be valid. This lets you manage the certificate and key uploaded to the service separately from those on your origin server.
Do the open ports on the Anti-DDoS Pro and Anti-DDoS Premium clusters pose a security risk?
No, they do not. The Anti-DDoS Pro and Anti-DDoS Premium clusters use the open ports only for traffic ingestion and forwarding. Service traffic is only forwarded to the specific ports you configure for your domain names or services in the console. Requests to origin server ports not configured in the service are not forwarded. Therefore, they pose no additional security risk.