Near-origin traffic diversion lets you block traffic from outside the Chinese Mainland on China Telecom and China Unicom lines. This feature drops traffic closer to its source, which reduces the risk of your Anti-DDoS Proxy instance triggering blackhole filtering. You can remove the block at any time. This topic describes how to configure near-origin traffic diversion.
Use cases
We recommend that you use near-origin traffic diversion when your Anti-DDoS Proxy instance is under a massive DDoS attack and the attack traffic threatens to exceed the instance's maximum protection capacity. For example, if traffic from outside the Chinese Mainland accounts for about 30% of the total attack traffic, you can block this traffic to significantly reduce the attack volume and keep it within your instance's protection capacity.
Applicability
Near-origin traffic diversion is available only for Anti-DDoS Proxy (Chinese Mainland) instances. This feature is not supported by Anti-DDoS Proxy instances that are deployed outside the Chinese Mainland.
Procedure
- Log on to the Anti-DDoS Proxy console.
- In the top navigation bar, select the Chinese Mainland region.
  In the left-side navigation pane, choose .
- On the Protection for Infrastructure tab, from the instance list on the left, select the Anti-DDoS Proxy instance that you want to configure.
- In the instance details, find the Near-origin Traffic Diversion section and do one of the following:
  - Block traffic from China Telecom (Outside China): In the Actions column, click the option to block traffic. Set the Blocking Duration and then click OK.
  - Block traffic from China Unicom (Outside China): In the Actions column, click the option to block traffic. Set the Blocking Duration and then click OK.

  Note: We recommend that you first block traffic on China Telecom lines and monitor the trend of the attack traffic. If the attack traffic remains high and exceeds your current protection capacity, consider also blocking traffic on China Unicom lines.
- You can click View Blocking Information to view the blocked regions and time range.

  Note: During the blocking period, you can click Unblock at any time to remove the block before it expires.
Result
If the configuration fails, an error message appears. Follow the prompts to troubleshoot and retry. Otherwise, the configuration is successful.
Quotas and limitations
- Blocking duration: You can set a custom duration from 15 minutes to 24 hours.
- Quota consumption: Blocking traffic on a China Telecom or China Unicom line consumes one use from your quota. The total quota varies based on your instance plan.
- Plan details
  - Standard plan: A non-replenishing, one-time quota of 10 uses per account.
  - Enhanced plan: Provides a total available quota of 20 uses per account, composed of two parts:
    - Base quota: 10 uses. This is a one-time, account-level quota, same as the Standard plan.
    - Recurring quota: 10 uses per account per calendar month, which resets automatically.

    Important: The near-origin traffic diversion feature is an account-level feature. If you have multiple instances and at least one is on an Enhanced plan, the quota rules for the Enhanced plan apply to your entire account.
- Upgrades and downgrades
  - Upgrade: When you upgrade to the Enhanced plan, you immediately gain 10 additional uses for the current month. These uses from the recurring quota are consumed first.
  - Downgrade: When you downgrade to the Standard plan, the recurring quota from the Enhanced plan is immediately forfeited. You can still use any remaining balance from your one-time quota.
- Usage example
  - Jan. 1: You purchase a Standard plan and receive a one-time quota of 10 uses.
  - Jan. 2: You use the feature 3 times. Your remaining quota is 7 uses.
  - Feb. 1: Your remaining quota is still 7 uses.
  - Feb. 2: You upgrade to an Enhanced plan. You immediately gain 10 recurring uses for February. Your total remaining quota is 10 (recurring) + 7 (one-time) = 17 uses.
  - Feb. 4: You use the feature once. This is deducted from the recurring quota. Your remaining quota is (10 - 1) recurring + 7 one-time = 16 uses.
  - Mar. 1: The recurring quota resets. Your total remaining quota is 10 (recurring) + 7 (one-time) = 17 uses.
  - Mar. 4: You downgrade to a Standard plan. The recurring quota is forfeited. Your remaining quota is 0 (recurring) + 7 (one-time) = 7 uses.
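
The quota rules and the dated usage example above, modelled as a small ledger you could use to check how many blocks remain before an incident. This is an added example, not Alibaba Cloud code or an API: `QuotaLedger`, its method names and the `telecom`/`unicom` labels are hypothetical, the durations passed to `block` are constructed, and a repeat upgrade within one month is an unmodelled assumption.

```python
from dataclasses import dataclass

MIN_MINUTES, MAX_MINUTES = 15, 24 * 60  # blocking duration limits stated on the page
MONTHLY = 10                            # Enhanced-plan recurring quota per calendar month

@dataclass
class QuotaLedger:
    """Hypothetical planning model of the account-level quota (not a product API)."""
    one_time: int = 10      # base quota, never replenished
    recurring: int = 0      # only non-zero on the Enhanced plan
    enhanced: bool = False

    @property
    def remaining(self):
        return self.one_time + self.recurring

    def upgrade(self):
        self.enhanced, self.recurring = True, MONTHLY  # repeat upgrades in one month not modelled

    def downgrade(self):
        self.enhanced, self.recurring = False, 0       # recurring quota is forfeited

    def new_month(self):
        if self.enhanced:
            self.recurring = MONTHLY                   # resets to 10, does not accumulate

    def block(self, line, minutes):
        """Consume one use for a block on one line; return the pool that was charged."""
        if line not in ("telecom", "unicom") or not MIN_MINUTES <= minutes <= MAX_MINUTES:
            raise ValueError("line must be telecom or unicom; duration 15 minutes to 24 hours")
        if self.recurring > 0:                         # recurring uses are consumed first
            self.recurring -= 1
            return "recurring"
        if self.one_time > 0:
            self.one_time -= 1
            return "one-time"
        raise RuntimeError("quota exhausted: near-origin blocking is unavailable")

def replay_page_example():
    """Remaining quota after each dated step of the usage example above."""
    q, out = QuotaLedger(), []
    steps = [lambda: None,                                        # Jan. 1: Standard plan bought
             lambda: [q.block("telecom", 60) for _ in range(3)],  # Jan. 2: three uses
             q.new_month, q.upgrade,                              # Feb. 1, Feb. 2
             lambda: q.block("unicom", 30),                       # Feb. 4: one use
             q.new_month, q.downgrade]                            # Mar. 1, Mar. 4
    for step in steps:
        step()
        out.append(q.remaining)
    return out
```

Because blocking both lines costs two uses, a Standard-plan account that follows the recommended Telecom-then-Unicom sequence can do so at most five times before the one-time quota is gone.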
Near-origin traffic diversion vs. location blacklist
| Feature | Near-origin traffic diversion | Location blacklist |
| --- | --- | --- |
| Implementation point | Core routers on the ISP backbone network. | Inside an Anti-DDoS Proxy traffic scrubbing center. |
| Traffic drop location | Near the attack source. | Near the protected destination. |
| Use cases | Mitigates massive DDoS attacks that threaten to exceed your instance's protection capacity. | To mitigate connection resource exhaustion attacks. |
| Reduces traffic that enters Anti-DDoS Proxy | Yes | No |
| Primary purpose | Reduces the volume of traffic entering the Anti-DDoS Proxy network to decrease the overall network load. | Blocks traffic from specific regions to protect the destination resource. |