After you configure Anti-DDoS Proxy, attackers can still bypass it and attack the origin server directly if the origin server IP address has been exposed. If you observe attack traffic arriving at the origin server without passing through Anti-DDoS Proxy, treat the origin server IP address as exposed and change it.
Identify the causes of origin server IP exposure
Before you change the origin server IP address, identify and eliminate all factors that could expose it. Otherwise, the new IP address may be exposed through the same channels.
Check the following items:
Security vulnerabilities on the origin server, such as trojans or backdoors.
We recommend that you use Alibaba Cloud Security Center to scan for and fix security vulnerabilities on your server. For more information, see What is Security Center.
Services on the origin server that are not routed through Anti-DDoS Proxy and whose DNS records point directly at the origin server, such as MX records for mail servers, BBS (forum) records, and other non-web records.
Important: Check all DNS records of your website domain, including records for subdomains, and make sure that no record resolves directly to the IP address of the origin server.
Source code information leakage. For example, the output of phpinfo() may expose the IP address of the origin server.
Malicious scanning. After you configure Anti-DDoS Proxy, set up origin protection so that the origin server accepts inbound traffic only from the Anti-DDoS Proxy back-to-origin IP addresses. For more information, see Configure ACLs for the origin server.
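The DNS check and the origin-protection ACL in the list above are easy to get wrong by hand: a CNAME chain or an MX target can reach the origin server even when no A record names it directly, and an allowlist is only useful if every other source is denied. The following script, added here as an example and not part of the Anti-DDoS Proxy product or this document's original content, audits both. The zone records, origin IP, and back-to-origin ranges are constructed for the example; in practice, replace them with a dump of your own zone and the back-to-origin ranges shown in the Anti-DDoS Proxy console.

```python
"""Audit the two exposure channels: DNS records that reach the origin server,
and inbound traffic that did not come from Anti-DDoS Proxy back-to-origin ranges.
All names and addresses below are constructed for this example."""
import ipaddress

# Constructed zone dump as (name, type, value), e.g. parsed from a zone export.
ZONE = [
    ("example.com.",       "A",     "203.0.113.10"),       # public, not the origin
    ("www.example.com.",   "CNAME", "example.com."),
    ("mail.example.com.",  "A",     "198.51.100.20"),      # origin server
    ("example.com.",       "MX",    "10 mail.example.com."),
    ("bbs.example.com.",   "CNAME", "forum.example.com."),
    ("forum.example.com.", "A",     "198.51.100.20"),      # origin server again
    ("dev.example.com.",   "A",     "192.0.2.55"),
]
ORIGIN_IPS = {"198.51.100.20"}

# Hypothetical back-to-origin ranges; take the real list from the console.
BACK_TO_ORIGIN_CIDRS = ["203.0.113.0/24", "198.18.0.0/22"]


def _addresses_for(name, zone, seen=None):
    """Return the IPv4 addresses a name ultimately resolves to inside the zone,
    following CNAME chains and refusing to loop on circular CNAMEs."""
    if seen is None:
        seen = set()
    if name in seen:
        return set()
    seen.add(name)
    addrs = set()
    for rname, rtype, value in zone:
        if rname != name:
            continue
        if rtype == "A":
            addrs.add(value)
        elif rtype == "CNAME":
            addrs |= _addresses_for(value, zone, seen)
    return addrs


def records_exposing_origin(zone, origin_ips):
    """List every A, CNAME or MX record whose effective target is an origin IP.
    MX values look like '10 mail.example.com.'; the host part is resolved in the zone.
    Returns a sorted list of (name, type, value) tuples."""
    exposed = []
    for name, rtype, value in zone:
        if rtype == "A":
            targets = {value}
        elif rtype == "CNAME":
            targets = _addresses_for(value, zone)
        elif rtype == "MX":
            targets = _addresses_for(value.split()[-1], zone)
        else:
            continue
        if targets & set(origin_ips):
            exposed.append((name, rtype, value))
    return sorted(exposed)


def is_allowed_source(src_ip, allow_cidrs=BACK_TO_ORIGIN_CIDRS):
    """Origin-protection decision: admit a packet only if its source address
    falls inside one of the back-to-origin ranges."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in allow_cidrs)


def iptables_rules(allow_cidrs=BACK_TO_ORIGIN_CIDRS, ports=(80, 443)):
    """Render the allowlist as iptables commands for the origin host: one ACCEPT
    per back-to-origin range on the service ports, then a final DROP so that
    scanners and direct attackers get nothing. Returns the command strings."""
    plist = ",".join(str(p) for p in ports)
    rules = [
        f"iptables -A INPUT -s {cidr} -p tcp -m multiport --dports {plist} -j ACCEPT"
        for cidr in allow_cidrs
    ]
    rules.append(f"iptables -A INPUT -p tcp -m multiport --dports {plist} -j DROP")
    return rules


if __name__ == "__main__":
    for rec in records_exposing_origin(ZONE, ORIGIN_IPS):
        print("exposes origin:", rec)
    print("direct scan from 192.0.2.99 allowed?", is_allowed_source("192.0.2.99"))
    print("\n".join(iptables_rules()))
```

Run the DNS audit against a fresh zone export after every change, not just once: the bbs and MX entries in the constructed zone show how a record that never mentions the origin address still leads to it. The rendered firewall rules are a host-level illustration of the same allowlist you would configure in the ECS security group; order matters, because the trailing DROP must come after every ACCEPT.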
Change the origin server IP address
After you eliminate all factors that may expose the origin server IP address, change the origin server IP address. For more information, see Static public IP.
If you do not want to change the origin server IP address, or if the IP address is still exposed after the change, we recommend that you deploy a Server Load Balancer (SLB) instance in front of your backend ECS instances. For more information about SLB, see Quick start for Server Load Balancer. Use the following network architecture: Client → Anti-DDoS Proxy → SLB → ECS.
Traffic between the SLB instance and the ECS instance is transmitted over the internal network. Even if the public IP address of the ECS instance is attacked and blackholed, Anti-DDoS Proxy can still reach the instance through the SLB instance over the internal network, so services accessed through Anti-DDoS Proxy remain unaffected.
When you use this architecture, enter the IP address of the SLB instance as the server address in the Anti-DDoS Proxy console.