Anti-DDoS: Configure near-origin traffic diversion

Last Updated: Mar 31, 2026

When a volumetric DDoS attack approaches your Anti-DDoS Proxy (Chinese Mainland) instance's mitigation capacity, scrubbing-center defenses alone may not prevent blackhole filtering from triggering. Near-origin traffic diversion addresses this by dropping attack traffic at Internet Service Provider (ISP) backbone core routers — close to the attack source, before it reaches your instance — reducing the total incoming volume and lowering the risk of hitting the blackhole threshold. You can disable this feature at any time.

When to use this feature

Enable near-origin traffic diversion when:

  • Your Anti-DDoS Proxy (Chinese Mainland) instance is under a volumetric attack that is approaching its mitigation capacity, and

  • A significant portion of the attack traffic originates from outside the Chinese mainland.

For example, if 30% of the attack traffic comes from outside the Chinese mainland, blocking that traffic can meaningfully reduce pressure on your instance.

Near-origin traffic diversion vs. location blacklist

Both features block traffic by geographic origin but operate differently:

| | Near-origin traffic diversion | Location blacklist |
|---|---|---|
| Where traffic is dropped | At ISP backbone core routers, near the attack source | At scrubbing centers, near the destination |
| Effect on total traffic volume | Reduces incoming traffic volume | No reduction |
| Attack type | Volumetric attacks near capacity | Connection flood attacks |

Use near-origin traffic diversion when you need to reduce the raw volume of incoming traffic. Use the location blacklist when you need to filter connection flood attacks without changing traffic volume. For more information about the location blacklist, see Configure the location blacklist.

Limitations

  • Near-origin traffic diversion is available only for Anti-DDoS Proxy (Chinese Mainland).

  • Each activation consumes one quota. The quota varies by function plan:

    | Function plan | Quota | Resets |
    |---|---|---|
    | Standard | 10 activations per account | Never; cannot be upgraded |
    | Enhanced | 10 activations per account per month | At the beginning of each month |

    Check your remaining quota before activating during an attack to avoid running out mid-incident.

Prerequisites

Before you begin, ensure that you have:

Block traffic by ISP line

Each activation blocks traffic from outside the Chinese mainland on one ISP line — China Telecom or China Unicom — for a duration you specify. Start with China Telecom, then monitor the attack traffic volume. If the volume continues to approach your instance's mitigation capacity, block China Unicom traffic as well.

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select Chinese Mainland.

  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.

  4. On the Protection for Infrastructure tab, select the instance you want to manage from the list on the left.

  5. In the Near-origin Traffic Diversion section, block one or both ISP lines:

    • China Telecom (Outside China): Click Actions to the right of this row. Set Blocking Duration (15 minutes to 24 hours), then click OK.

    • China Unicom (Outside China): Click Actions to the right of this row. Set Blocking Duration (15 minutes to 24 hours), then click OK.

Verify and manage blocking

After activating the feature, click View Blocking Information in the Near-origin Traffic Diversion section to confirm the blocked regions and blocking periods.

If traffic diversion succeeds, no error message appears. If an error message appears, follow the on-screen instructions to troubleshoot, then try again.

To stop blocking before the blocking period ends, click Unblock.

What's next

Monitor the attack traffic volume in the console. If traffic remains high after blocking one ISP line, block the other ISP line using the same steps.
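
The activation decision described in "When to use this feature", "Limitations" and "Block traffic by ISP line" can be rehearsed before an incident with a small planning check. The following is an added example, not part of the original documentation and not Alibaba Cloud code; it calls no Anti-DDoS API. The function name `plan_diversion`, the 80% headroom threshold and the per-line overseas traffic figures are assumptions.

```python
# Added example: pre-activation check for near-origin traffic diversion.
# Thresholds and traffic figures are assumptions, not values from the product.
MIN_MINUTES, MAX_MINUTES = 15, 24 * 60          # blocking duration range stated on the page
LINE_ORDER = ("China Telecom", "China Unicom")  # page: start with Telecom, then Unicom

def plan_diversion(attack_gbps, capacity_gbps, overseas_gbps_by_line,
                   quota_left, duration_minutes, headroom=0.8):
    """Return (lines_to_block, projected_gbps, status).

    overseas_gbps_by_line: attack traffic from outside the Chinese mainland
    seen on each ISP line (assumed to come from your own monitoring).
    headroom: fraction of mitigation capacity treated as "approaching
    capacity" (assumed value; the page gives no number).
    """
    if not MIN_MINUTES <= duration_minutes <= MAX_MINUTES:
        raise ValueError("blocking duration must be 15 minutes to 24 hours")
    target = capacity_gbps * headroom
    projected, lines = attack_gbps, []
    for line in LINE_ORDER:
        if projected <= target:
            break                        # enough relief; keep remaining quota
        if quota_left - len(lines) <= 0:
            return lines, projected, "quota exhausted"
        gain = overseas_gbps_by_line.get(line, 0.0)
        if gain <= 0:
            continue                     # no overseas traffic here; would waste an activation
        lines.append(line)               # each blocked line consumes one activation
        projected -= gain
    if projected > target:
        return lines, projected, "insufficient"
    return lines, projected, "ok" if lines else "not needed"

if __name__ == "__main__":
    # Constructed sample: 290 Gbps attack against 300 Gbps capacity,
    # 30% (87 Gbps) from outside the Chinese mainland, split across two lines.
    sample = {"China Telecom": 60, "China Unicom": 27}
    print(plan_diversion(290, 300, sample, quota_left=3, duration_minutes=60))
```

A status of "insufficient" means that blocking both ISP lines still leaves the projected volume above the assumed threshold, so near-origin traffic diversion alone will not keep the instance clear of its mitigation capacity.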