When you add a website to Anti-DDoS Proxy, traffic is always routed through the scrubbing center, which increases access latency. Tiered protection resolves this by using Anti-DDoS Origin as the primary layer — it protects your services without adding latency. When volumetric DDoS attacks occur, traffic automatically shifts to Anti-DDoS Proxy for scrubbing. After the attack stops and the waiting time you set elapses, traffic shifts back to the cloud resource.
Supported instance types
| Product | Supported mitigation plans |
|---|---|
| Anti-DDoS Proxy (Chinese Mainland) | Profession, Advanced |
| Anti-DDoS Proxy (Outside Chinese Mainland) | Insurance, Unlimited |
Prerequisites
Before you begin, ensure that you have:
An Alibaba Cloud resource with a public IP address — an elastic IP address (EIP), an Elastic Compute Service (ECS) instance, a Server Load Balancer (SLB) instance, or a Web Application Firewall (WAF) instance
An Anti-DDoS Origin instance purchased and an asset added for protection. See Purchase an Anti-DDoS Origin instance and Add an object for protection
An Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance purchased. See Purchase an Anti-DDoS Proxy instance
A website added to Anti-DDoS Proxy. See Add websites
Anti-DDoS Proxy forwarding traffic as expected. See Verify the forwarding configurations on your on-premises computer
How tiered protection works
After a tiered protection rule is active:
| Traffic state | Behavior |
|---|---|
| Normal conditions | Anti-DDoS Origin protects traffic destined for the cloud resource. Access latency is not affected. |
| Under volumetric DDoS attack | Traffic automatically shifts to Anti-DDoS Proxy for scrubbing. |
| After the attack stops | Traffic shifts back to the cloud resource once the Waiting Time of Switchback elapses. |
If you configure multiple IP addresses: traffic shifts to Anti-DDoS Proxy only if all IP addresses are under attack simultaneously. If only some IP addresses are attacked, traffic redistributes among the unaffected IP addresses. For more information about how to forward traffic to Anti-DDoS Proxy when one of the IP addresses is attacked, see Share one Anti-DDoS Proxy instance among multiple cloud resources.
Blackhole filtering affects traffic switching:
If blackhole filtering is active on the Anti-DDoS Proxy instance, traffic cannot shift to that instance. The same applies until the specified waiting time, counted from the start of the blackhole filtering event on the instance, has elapsed.
If blackhole filtering is active on a cloud resource, traffic automatically shifts to Anti-DDoS Proxy. Traffic cannot shift back until blackhole filtering is deactivated. Once deactivated, traffic shifts back immediately, regardless of the waiting time.
Create a tiered protection rule
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance:
Anti-DDoS Proxy (Chinese Mainland): Select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): Select Outside Chinese Mainland.
In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager.
On the General Interaction tab, click Add Rule. In the panel that appears, set Interaction Scenario to Tiered Protection, configure the following parameters, and then click OK.
| Parameter | Description |
|---|---|
| Rule name | Enter a name for the rule. The name can be up to 128 characters and can contain letters, digits, and underscores (_). |
| Anti-DDoS Pro | Select the Anti-DDoS Proxy instance. |
| Resource for Interaction | Select the region where the cloud resource resides and enter its IP address. The IP address must be an EIP or the IP address of a cloud resource (ECS, SLB, or WAF) added to the Anti-DDoS Origin Enterprise instance. Click Add IP Address of Cloud Resource to add more IP addresses. You can add up to 20 IP addresses. |
| Waiting Time of Switchback | Enter the number of minutes Anti-DDoS Proxy waits after an attack stops before shifting traffic back to the cloud resource. Valid values: 30 to 120. Unit: minutes. The recommended value is 60. |
Modify the hosts file on your on-premises computer to verify the tiered protection rule before you change the DNS record. This catches an inconsistent back-to-origin policy before it affects live traffic. See Verify the forwarding configurations on your on-premises computer.
At your DNS provider, update the DNS record to point to the CNAME of Sec-Traffic Manager. See Change the CNAME record to redirect traffic to Sec-Traffic Manager. After updating the DNS record, open a browser and verify the website loads. If access fails, see How do I handle slow response, high latency, and access failure on a service protected by Anti-DDoS Proxy?
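The hosts-file check and the CNAME change above can both be verified from the command line. The following is an added example, not Alibaba Cloud tooling: it parses the answer chain that `dig +short <domain>` prints, confirms the chain passes through the Sec-Traffic Manager CNAME, and reports whether the resolved addresses are the Anti-DDoS Proxy IP (traffic being scrubbed) or the cloud resource IPs (normal conditions). The CNAME and IP addresses in it are placeholders you replace with the values shown in the console, and `probe_command` builds a `curl --resolve` call that pins the domain to one IP for a single request, which has the same effect as a hosts-file entry without editing the file.

```python
"""Check the DNS cutover to Sec-Traffic Manager and see where traffic lands.

Added example, not Alibaba Cloud tooling. It parses the answer chain printed by
`dig +short <domain>` (the CNAMEs first, then the A records the chain ends in),
confirms the chain passes through the Sec-Traffic Manager CNAME, and classifies
the final addresses against the rule's Anti-DDoS Proxy IP and cloud resource IPs.
The CNAME and IP addresses below are placeholders: replace them with the values
shown in the console.
"""
import ipaddress
import subprocess
import sys

SEC_TM_CNAME = "rule-123.sec-tm.example"         # placeholder, from the console
PROXY_IPS = {"203.0.113.10"}                     # placeholder Anti-DDoS IP Address
ORIGIN_IPS = {"198.51.100.7", "198.51.100.8"}    # placeholder Resource for Interaction IPs


def parse_dig_short(output: str):
    """Split `dig +short` output into (cname chain, ip addresses)."""
    cnames, addrs = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.append(str(ipaddress.ip_address(line)))
        except ValueError:                            # not an address: a CNAME target
            cnames.append(line.rstrip(".").lower())   # dig prints FQDNs with a trailing dot
    return cnames, addrs


def check_resolution(output, sec_tm_cname=SEC_TM_CNAME,
                     proxy_ips=PROXY_IPS, origin_ips=ORIGIN_IPS):
    """Return cname_ok, where traffic currently lands, and the resolved addresses."""
    cnames, addrs = parse_dig_short(output)
    on_proxy = any(a in proxy_ips for a in addrs)
    on_origin = any(a in origin_ips for a in addrs)
    if on_proxy and on_origin:
        landing = "mixed"           # should not persist; recheck after TTLs expire
    elif on_proxy:
        landing = "proxy"           # traffic is being scrubbed by Anti-DDoS Proxy
    elif on_origin:
        landing = "origin"          # normal conditions, Anti-DDoS Origin protects
    else:
        landing = "unknown"         # stale record, wrong IPs in the rule, or not cut over
    return {"cname_ok": sec_tm_cname.lower() in cnames,
            "landing": landing, "addresses": addrs}


def probe_command(domain, ip):
    """curl command that pins DOMAIN to IP for one request: the same effect as a
    hosts-file entry, without editing /etc/hosts. Run it against the Anti-DDoS
    Proxy IP to confirm forwarding before you change the DNS record."""
    return ["curl", "-sS", "-o", "/dev/null", "-w", "%{http_code}",
            "--resolve", f"{domain}:443:{ip}", f"https://{domain}/"]


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # Constructed sample: CNAME in place, traffic on the cloud resource.
        print(check_resolution("rule-123.sec-tm.example.\n198.51.100.7\n198.51.100.8\n"))
    else:
        domain = sys.argv[1]
        dig = subprocess.run(["dig", "+short", domain], capture_output=True, text=True, check=True)
        result = check_resolution(dig.stdout)
        print(result)
        for ip in result["addresses"]:
            code = subprocess.run(probe_command(domain, ip), capture_output=True, text=True).stdout
            print(f"{ip}: HTTP {code}")
```

Run it with the website's domain as the only argument after you change the DNS record. A `cname_ok` of `False` means the record at your DNS provider does not point to Sec-Traffic Manager yet (or the resolver still has the old answer cached), and a landing of `unknown` usually means the IPs in the rule do not match what the name resolves to.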
Manage a tiered protection rule
If an attack is in progress: switch to Anti-DDoS Proxy manually
When the cloud resource is under attack, an icon indicating the attack appears in the Resource for Interaction column. You can manually switch traffic to Anti-DDoS Proxy before blackhole filtering is triggered, reducing the impact on your services.
Traffic can shift to Anti-DDoS Proxy only if blackhole filtering is not active on the instance.
After manually switching to Anti-DDoS Proxy, traffic does not shift back automatically. Click Switchback to return traffic to the cloud resource.
On the General Interaction tab of the Sec-Traffic Manager page, find the rule with Interaction Scenario set to Tiered Protection.
In the Actions column, click Switch to Anti-DDoS. In the dialog box, click OK.
If traffic is already on Anti-DDoS Proxy: switch back manually
When traffic is being scrubbed by Anti-DDoS Proxy, a scrubbing icon appears in the Anti-DDoS IP Address column. You can switch traffic back to the cloud resource once the attack stops and the cloud resource is operating normally.
Before switching back, confirm the attack has stopped and the cloud resources are working as expected. Switching back prematurely may cause the resources to be added to sandboxes and disrupt services.
If you manually switched to Anti-DDoS Proxy using Switch to Anti-DDoS, you must click Switchback to return traffic — automatic switchback does not apply.
If blackhole filtering is active on all associated cloud resource IP addresses, the switchback fails. If blackhole filtering is deactivated for some IP addresses, traffic shifts back to those first. Once deactivated for the remaining IP addresses, traffic shifts back to them as well.
On the General Interaction tab of the Sec-Traffic Manager page, find the rule with Interaction Scenario set to Tiered Protection.
In the Actions column, click Switchback. In the dialog box, click OK.
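The rules under How tiered protection works and the manual Switch to Anti-DDoS and Switchback constraints above interact in ways that are easy to get wrong when planning a runbook (for example, a manual switch never returns on its own, and a blackhole on the cloud resource ends the waiting time). The following is an added example, not Alibaba Cloud code: it encodes those rules as a small state machine so you can step a rule through a sequence of attack and blackhole events and see which side traffic is on. Assumptions it makes that the page does not state: time advances in whole minutes; a blackholed IP counts as attacked, and traffic shifts to the Proxy only when no configured IP is left healthy; the hold-off after a blackhole on the Proxy instance uses the rule's Waiting Time of Switchback. The IP addresses in `demo_timeline` are constructed.

```python
"""Model of the tiered-protection switching rules described on this page.

Added example, not Alibaba Cloud code: the automatic behaviour (all-IPs-attacked
trigger, blackhole overrides, Waiting Time of Switchback) and the manual Switch
to Anti-DDoS / Switchback constraints as one state machine. Assumptions not on
the page: time is in whole minutes; a blackholed IP counts as attacked and traffic
shifts only when no configured IP is left healthy; the hold-off after a blackhole
on the Proxy instance uses the rule's Waiting Time of Switchback.
"""
from dataclasses import dataclass
from typing import Optional

ORIGIN, PROXY, PROXY_MANUAL = "origin", "proxy", "proxy (manual)"


@dataclass
class TieredRule:
    cloud_ips: frozenset                 # Resource for Interaction: 1 to 20 IPs
    waiting_time: int                    # Waiting Time of Switchback, minutes
    state: str = ORIGIN
    shift_reason: Optional[str] = None   # "attack" or "blackhole" while on proxy
    attack_ended_at: Optional[int] = None
    proxy_blackholed: bool = False
    proxy_blackhole_started: Optional[int] = None   # minute the Proxy was blackholed

    def __post_init__(self):
        if not 1 <= len(self.cloud_ips) <= 20 or not 30 <= self.waiting_time <= 120:
            raise ValueError("1 to 20 cloud resource IPs; waiting time 30 to 120 minutes")

    def proxy_available(self, now: int) -> bool:
        """No shift to the Proxy while it is blackholed, nor before the waiting
        time counted from the start of its blackhole event has elapsed."""
        if self.proxy_blackholed:
            return False
        if self.proxy_blackhole_started is not None:
            return now - self.proxy_blackhole_started >= self.waiting_time
        return True

    def tick(self, now: int, attacked, blackholed) -> str:
        """Apply the automatic rules for one minute; return the new state."""
        attacked = set(attacked) & self.cloud_ips
        blackholed = set(blackholed) & self.cloud_ips
        healthy = self.cloud_ips - attacked - blackholed
        if self.state == ORIGIN:
            # A partial attack only redistributes traffic over healthy IPs.
            if not healthy and self.proxy_available(now):
                self.state = PROXY
                self.shift_reason = "blackhole" if blackholed else "attack"
        elif self.state == PROXY:
            if blackholed:                      # no switchback while blackholed
                self.shift_reason, self.attack_ended_at = "blackhole", None
            elif self.shift_reason == "blackhole":
                self._return_to_origin()        # immediate, waiting time ignored
            elif attacked:
                self.attack_ended_at = None     # attack still in progress
            else:
                if self.attack_ended_at is None:
                    self.attack_ended_at = now  # attack stopped: waiting starts
                if now - self.attack_ended_at >= self.waiting_time:
                    self._return_to_origin()
        return self.state                       # PROXY_MANUAL never auto-returns

    def switch_to_proxy(self) -> bool:
        """Manual Switch to Anti-DDoS: refused while the Proxy is blackholed."""
        if self.proxy_blackholed:
            return False
        self.state, self.shift_reason = PROXY_MANUAL, "manual"
        return True

    def switchback(self, blackholed) -> frozenset:
        """Manual Switchback: the IPs traffic returns to; empty (state unchanged)
        when every IP is still blackholed."""
        reachable = self.cloud_ips - set(blackholed)
        if reachable:
            self._return_to_origin()
        return frozenset(reachable)

    def _return_to_origin(self) -> None:
        self.state, self.shift_reason, self.attack_ended_at = ORIGIN, None, None


def demo_timeline() -> dict:
    """Two-IP rule, 30 minute waiting time, stepped through the page's cases."""
    ip1, ip2 = "10.0.0.1", "10.0.0.2"                   # constructed addresses
    rule = TieredRule(frozenset({ip1, ip2}), waiting_time=30)
    t = {}
    t["one IP attacked"] = rule.tick(0, {ip1}, set())             # origin
    t["both attacked"] = rule.tick(1, {ip1, ip2}, set())          # proxy
    t["attack stopped"] = rule.tick(2, set(), set())              # proxy, waiting
    t["29 min after stop"] = rule.tick(31, set(), set())          # proxy
    t["30 min after stop"] = rule.tick(32, set(), set())          # origin
    t["ip1 blackholed, ip2 attacked"] = rule.tick(40, {ip2}, {ip1})   # proxy
    t["cloud blackhole lifted"] = rule.tick(41, set(), set())     # origin at once
    rule.proxy_blackholed, rule.proxy_blackhole_started = True, 50
    t["proxy blackholed, both attacked"] = rule.tick(51, {ip1, ip2}, set())  # origin
    rule.proxy_blackholed = False
    t["10 min after proxy blackhole"] = rule.tick(60, {ip1, ip2}, set())     # origin
    t["30 min after proxy blackhole"] = rule.tick(80, {ip1, ip2}, set())     # proxy
    return t
```

The model is deliberately conservative on the one point the page leaves open for multi-IP rules: when only some IPs are blackholed it keeps traffic on the healthy IPs, which matches both the redistribution rule and the partial-switchback behaviour, while a single-IP rule shifts as soon as that IP is blackholed.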
Edit a rule
On the General Interaction tab of the Sec-Traffic Manager page, find the rule with Interaction Scenario set to Tiered Protection.
In the Actions column, click Edit. Modify the Anti-DDoS Pro, Resource for Interaction, or Waiting Time of Switchback parameter, then click Next.
Delete a rule
Before deleting an interaction rule, make sure the domain name of your website is not mapped to the CNAME of Sec-Traffic Manager. Otherwise, access to your website may fail after you delete the rule.
On the General Interaction tab of the Sec-Traffic Manager page, find the rule with Interaction Scenario set to Tiered Protection.
In the Actions column, click Delete. In the dialog box, click Delete.