Common questions about Alibaba Cloud Anti-DDoS before you purchase.
Does Alibaba Cloud Anti-DDoS provide free services?
Yes. Anti-DDoS Basic is automatically activated for every Alibaba Cloud user — no purchase or configuration needed. It mitigates attacks up to 5 Gbit/s at no charge. When an attack exceeds that threshold, Anti-DDoS Basic blocks all inbound traffic to the affected resource to prevent additional mitigation costs.
Unlimited protection is not free because bandwidth is the primary cost driver in DDoS mitigation. Alibaba Cloud pays Internet Service Providers (ISPs) such as China Telecom, China Unicom, and China Mobile for the bandwidth used to absorb and filter attack traffic. The 5 Gbit/s cap reflects the threshold Alibaba Cloud can sustain at no cost to you.
For more information, see What is Anti-DDoS Origin?
Is Anti-DDoS Proxy billed only when it mitigates attacks?
No. Anti-DDoS Proxy uses a subscription model — you pay for the capacity regardless of whether attacks occur. Purchase an instance and complete payment before using it; protection is active for the duration of your subscription.
Does Anti-DDoS have trial plans?
Anti-DDoS Origin: Anti-DDoS Basic (free, up to 5 Gbit/s) is the trial equivalent. To evaluate higher protection capacity, use Anti-DDoS Basic first, then upgrade to Anti-DDoS Origin Enterprise. The upgrade is transparent and does not interrupt your network or connections. Anti-DDoS Origin Enterprise has no free trial.
Anti-DDoS Proxy: No free trial is available. Anti-DDoS Proxy relies on dedicated scrubbing data centers, which carry significant infrastructure costs.
Which Anti-DDoS Proxy solution should I use if my servers are outside the Chinese mainland?
| Scenario | Recommended solution |
|---|---|
| Servers outside the Chinese mainland serving users outside the Chinese mainland | Anti-DDoS Proxy (Outside Chinese Mainland) — Insurance or Unlimited mitigation plan |
| Servers outside the Chinese mainland serving users in the Chinese mainland | See the options below |
| Servers outside the Chinese mainland serving users in and outside the Chinese mainland | See the options below |
Serving users in the Chinese mainland (servers cannot be moved)
Option 1 — Chinese Mainland Acceleration (CMA): Pair an Insurance or Unlimited instance with a CMA instance. When no attacks are detected, the CMA instance routes traffic efficiently for users in the Chinese mainland.
Option 2 — Secure Chinese Mainland Acceleration (Sec-CMA): Pair an Insurance or Unlimited instance with a Sec-CMA instance. This combines DDoS mitigation with cross-border traffic acceleration. Unlike CMA, Sec-CMA stays active during attacks — no manual traffic switching required, which prevents latency spikes and packet loss.
For configuration details, see Use an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan. For Sec-CMA setup, see Use an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan.
Serving users in the Chinese mainland (servers can be moved)
If your service requires low network latency (for example, a gaming service), migrate your servers to a region in the Chinese mainland and use Anti-DDoS Proxy (Chinese Mainland).
Serving users in and outside the Chinese mainland
Option 1 — Split deployment: Deploy separate server fleets in and outside the Chinese mainland. Protect the Chinese mainland fleet with Anti-DDoS Proxy (Chinese Mainland) and the outside fleet with Anti-DDoS Proxy (Outside Chinese Mainland) — Insurance or Unlimited mitigation plan.
Option 2 — CMA or Sec-CMA: If splitting deployments is not feasible, apply the CMA or Sec-CMA approach described above.
Can Anti-DDoS Proxy protect servers not deployed on Alibaba Cloud?
Yes. Both Anti-DDoS Proxy (Chinese Mainland) and Anti-DDoS Proxy (Outside Chinese Mainland) protect any server with a public IP address — including servers hosted on other cloud platforms or in on-premises data centers.
For more information, see What is Anti-DDoS Proxy?
Can Anti-DDoS Proxy protect servers with domain names registered through Alibaba Cloud but hosted elsewhere?
Yes. The domain registrar does not affect protection eligibility. If you use Anti-DDoS Proxy (Chinese Mainland), the domain must have a valid Internet Content Provider (ICP) filing.
Is ICP filing required?
Anti-DDoS Proxy (Chinese Mainland): Yes, ICP filing is required for all protected domain names.
Anti-DDoS Proxy (Outside Chinese Mainland): No ICP filing required, but your service must comply with applicable laws.
For ICP filing instructions, see ICP filing application overview.
Which regions does Anti-DDoS Proxy cover?
Anti-DDoS Proxy (Chinese Mainland): Protects servers deployed in the Chinese mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): Protects servers deployed outside the Chinese mainland, including Hong Kong (China).
How many domains can each Anti-DDoS Proxy instance protect?
| Instance type | Default limit | Maximum (purchasable) |
|---|---|---|
| Anti-DDoS Proxy (Chinese Mainland) | 50 domains (up to 5 second-level domains) | 200 domains |
| Anti-DDoS Proxy (Outside Chinese Mainland) | 10 domains (subdomains and wildcard domains under a single top-level domain) | 200 domains |
To increase the limit when purchasing an instance, see Purchase an Anti-DDoS Proxy instance.
Does Anti-DDoS Proxy support wildcard domains?
Yes. Add wildcard domains on the Website Config page. A wildcard DNS record uses an asterisk (*) as the leftmost label — for example, *.aliyundoc.com matches any subdomain of aliyundoc.com and resolves it to www.aliyundoc.com.
For setup instructions, see Add forwarding rules.
What ports can I add to Anti-DDoS Proxy?
Ports 80–65535 are supported with no restrictions. However, avoid the following vulnerable TCP ports, as ISPs may block traffic on them, making your website inaccessible in certain regions:
42, 135, 137, 138, 139, 445, 593, 1025, 1434, 1068, 3127, 3128, 3129, 3130, 4444, 5554, 5800, 5900, 9996
For configuration details, see Specify custom ports.
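The port guidance above can be applied as a pre-flight check before you add forwarding rules. The following Python is an added example, not Alibaba Cloud code: the port-spec syntax (comma-separated ports and lo-hi ranges) and the function names are assumptions, while the supported range and the block list are copied from this FAQ.

```python
# Supported range and ISP block list as stated in the FAQ answer above.
SUPPORTED_MIN, SUPPORTED_MAX = 80, 65535
ISP_BLOCKED_TCP = frozenset({
    42, 135, 137, 138, 139, 445, 593, 1025, 1434, 1068, 3127, 3128,
    3129, 3130, 4444, 5554, 5800, 5900, 9996,
})


def parse_port_spec(spec):
    """Expand a spec such as '443,8000-8002' into a sorted list of unique ports.

    The spec syntax is an assumption of this example, not a console format.
    """
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, sep, hi = part.partition("-")
        start = int(lo)
        end = int(hi) if sep else start
        if start > end:
            raise ValueError(f"descending range: {part!r}")
        if start < 1 or end > 65535:
            raise ValueError(f"not a TCP port: {part!r}")
        ports.update(range(start, end + 1))
    return sorted(ports)


def check_ports(spec):
    """Return (usable, unsupported, isp_blocked) port lists for a spec."""
    usable, unsupported, blocked = [], [], []
    for port in parse_port_spec(spec):
        if not SUPPORTED_MIN <= port <= SUPPORTED_MAX:
            # Port 42 is on the block list but below 80, so it lands here.
            unsupported.append(port)
        elif port in ISP_BLOCKED_TCP:
            blocked.append(port)
        else:
            usable.append(port)
    return usable, unsupported, blocked


if __name__ == "__main__":
    # Constructed sample input, not taken from a real deployment.
    usable, unsupported, blocked = check_ports("22, 80, 443, 445, 3127-3131, 5900")
    print("usable:     ", usable)
    print("unsupported:", unsupported)
    print("ISP-blocked:", blocked)
```

Expanding ranges before checking matters because a range such as 3127-3131 looks harmless as a single rule but contains four ports from the block list.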
What are the prerequisites for using Anti-DDoS Proxy (Outside Chinese Mainland)?
Website service: Add the domain name to your instance. ICP filing is not required, but your service must be legal.
Non-website service: Add the service port to your instance.
Does the basic protection bandwidth of Anti-DDoS Proxy (Chinese Mainland) cover normal traffic or only attack traffic?
Both. The basic protection bandwidth covers all traffic — normal and attack — passing through your protected workloads. All traffic routes through the scrubbing centers first: attack traffic is filtered out, and clean service traffic is forwarded to your origin server.