
Anti-DDoS:Tiered Protection

Last Updated:Apr 10, 2026

Tiered protection combines Anti-DDoS Origin with Anti-DDoS Proxy to deliver adaptive DDoS defense. Your services run behind low-latency Origin protection by default and automatically escalate to Proxy-based deep scrubbing when a volumetric attack triggers blackhole state. This topic explains how to create a tiered protection rule, configure DNS switchover, and manage traffic routing.

Before you begin

Supported cloud resources

Your service runs on one of the following Alibaba Cloud resources with a public IP address:

  • Elastic IP Address (EIP)

  • Elastic Compute Service (ECS) instance

  • Server Load Balancer (SLB) instance

  • Web Application Firewall (WAF) instance

Anti-DDoS instance

  • Anti-DDoS Origin: You have purchased an Anti-DDoS Origin instance of the Enterprise edition and enabled Origin protection for your public IP assets (ECS, SLB, EIP, or WAF). For details, see Purchase an Anti-DDoS Origin instance.

  • Anti-DDoS Proxy:

    • Anti-DDoS Proxy (Chinese Mainland): Professional edition.

    • Anti-DDoS Proxy (Outside Chinese Mainland): Insurance or Unlimited edition.

    Important

    The instance must have sufficient clean bandwidth and queries per second (QPS) to meet your service requirements. For details, see Purchase an Anti-DDoS Proxy instance.

Configuration requirements

How it works

Tiered protection uses a two-stage defense strategy that dynamically adjusts based on real-time attack traffic:

  • Stage 1 — Low-latency protection (default): Anti-DDoS Origin scrubs traffic at the network edge. Because traffic does not traverse additional proxy nodes, latency stays minimal. This stage handles routine traffic and small-scale attacks.

  • Stage 2 — Advanced mitigation (attack escalation): When a massive volumetric attack causes all associated IP addresses to enter blackhole state, the system automatically reroutes traffic to Anti-DDoS Proxy for deep packet inspection. Only clean traffic reaches your origin servers.

Important

When a cloud resource enters blackhole state, all its IP addresses become unreachable and traffic is temporarily unavailable. A tiered protection rule with an associated Anti-DDoS Proxy instance can automatically restore service by rerouting traffic through the Proxy.

The following table summarizes each protection stage:

  • Stage: Normal
    Protection provider: Anti-DDoS Origin
    Traffic path: Client → Anti-DDoS Origin (scrubbing) → Cloud resource (ECS, SLB, EIP, or WAF)
    Trigger condition: Default state. No attack or only a small-scale attack detected.

  • Stage: Emergency
    Protection provider: Anti-DDoS Proxy (Professional, Advanced, Insurance, or Unlimited edition)
    Traffic path: Client → Anti-DDoS Proxy (deep scrubbing) → Cloud resource
    Trigger condition: All associated IP addresses enter blackhole state due to a massive volumetric attack.

  • Stage: Automatic switchback
    Protection provider: Anti-DDoS Origin (restored)
    Traffic path: Client → Anti-DDoS Origin → Cloud resource (low latency restored)
    Trigger condition: Attack traffic stops and remains stable beyond the configured switchback waiting time.

Note

Traffic switchover and switchback rely on DNS record changes. Propagation typically takes 30–60 seconds, depending on client-side DNS cache refresh times.

Configure a tiered protection rule

Follow these steps to create a tiered protection rule that associates your cloud resources with an Anti-DDoS Proxy instance for automatic attack escalation.

Step 1: Create the rule

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.

    • Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.

  3. In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager.

  4. On the General Interaction tab, click Add Rule.

  5. Configure the following parameters, then click Next.

    • Interaction Scenario: Select Tiered Protection.

    • Rule Name: Enter a descriptive name for this tiered protection rule, such as production-api-tiered-protection.

    • Anti-DDoS IP Address: Select the region where the cloud resource is deployed and enter the public IP address of the resource. The IP address must belong to an ECS, SLB, EIP, or WAF resource that is already protected by Anti-DDoS Origin Enterprise edition.

    • Resource for Interaction:

      • Select the Anti-DDoS Proxy instance to use for traffic scrubbing during attack escalation.

      • Click Add IP Address of Cloud Resource to add more addresses. You can add up to 20 IP addresses.

        Note
        • When you add multiple IP addresses, all addresses share the same Anti-DDoS Proxy instance. If one IP address is attacked, traffic is redistributed to the remaining addresses. Traffic switches to Anti-DDoS Proxy only when all addresses are under attack simultaneously.

        • For independent failover of each IP address, see Multi-path failover.

    • Waiting Time of Switchback: The failback waiting period, that is, how long Anti-DDoS Proxy waits after an attack stops before routing traffic back to your cloud resource. Valid range: 30 to 120 minutes. Recommended value: 60 minutes.

  6. Update your DNS records as prompted: To activate the rule, point your domain's DNS record to the CNAME provided by Sec-Traffic Manager. Follow these steps:

    1. Verify locally before updating DNS: Before you update your public DNS records, verify the rule by modifying the hosts file on your local computer. This helps you catch origin forwarding policy conflicts before they affect production traffic. For detailed steps, see Locally validate your forwarding configuration.

    2. Update your DNS records: After you verify the rule locally, update your domain's DNS record to point to the CNAME provided by Sec-Traffic Manager.

      • Alibaba Cloud: Update the record in the Alibaba Cloud DNS console.

      • Third-party provider: Log on to your domain registrar's management console and update the DNS record for your domain.

    3. Validate the result: After the DNS update, verify that your website is accessible.

Switch traffic

Tiered Protection rules support two switching modes:

Note

Both automatic and manual switching rely on DNS-based traffic scheduling. Switching may be affected by DNS propagation time. Evaluate the impact on your service in advance.

  • Automatic: The system monitors real-time traffic and attack patterns and automatically switches traffic to Anti-DDoS Proxy or back to Anti-DDoS Origin. Applicable scenario: automated 24/7 defense without manual intervention.

  • Manual: Manually switch traffic to Anti-DDoS Proxy or back to Anti-DDoS Origin from the console based on your business requirements. Applicable scenarios:

    • Proactive switching before major events.

    • Complex attack scenarios not covered by automatic switching.

    • Troubleshooting and emergency drills.

Automatic switching

  • Switch to Anti-DDoS Proxy: Triggered when all cloud resource IP addresses enter blackhole state.

  • Switch back to Anti-DDoS Origin: After the attack ends and the switchback waiting time elapses, the system automatically switches traffic back to Anti-DDoS Origin.

Manual switching

In addition to automatic switching, you can manually switch traffic to Anti-DDoS Proxy for scrubbing or switch traffic back to Anti-DDoS Origin based on your business requirements.

Switch to Anti-DDoS

  • Procedure:

    1. On the Sec-Traffic Manager page, click the General Interaction tab.

    2. Find the tiered protection rule whose interaction scenario is Tiered Protection and that has not been automatically switched to Anti-DDoS Proxy (indicated by the green icon under Resource for Interaction).

    3. In the Actions column, click Switch to Anti-DDoS. In the confirmation dialog, click OK.

  • Restrictions:

    • You cannot switch traffic to Anti-DDoS Proxy while the Proxy instance is in blackhole state, or while the switchback waiting time has not elapsed since the last blackhole event.

    • After you manually switch traffic to Anti-DDoS Proxy, automatic switchback is disabled. Use the Switchback operation to switch traffic back.

Switchback

  • Procedure:

    1. On the Sec-Traffic Manager page, click the General Interaction tab.

    2. Find the tiered protection rule whose interaction scenario is Tiered Protection and whose traffic is being scrubbed by Anti-DDoS Proxy (indicated by the green icon under Anti-DDoS Pro or Anti-DDoS Premium Instance).

    3. In the Actions column, click Switchback. In the confirmation dialog, click OK.

  • Restrictions:

    • If all associated cloud resource IP addresses are in blackhole state, the switchback operation is not allowed.

    • If some IP addresses have exited blackhole state while others remain in it:

      • Traffic is switched back only to the IP addresses that have exited blackhole state.

      • Traffic for the remaining IP addresses is automatically restored after blackhole state ends.
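To make the switching rules above concrete, the following constructed Python model (an added illustration, not Alibaba Cloud code; the IP addresses used with it are made up) simulates one rule's state: traffic moves to Anti-DDoS Proxy only when every associated address is in blackhole state, returns automatically only after the switchback waiting time, and on a manual switchback returns only for addresses that have already left blackhole state.

```python
# Constructed simulation of the tiered protection switching rules described in
# this topic. Illustrative only; this is not Alibaba Cloud code.

class TieredRule:
    def __init__(self, ips, switchback_wait_min=60):
        if not 30 <= switchback_wait_min <= 120:
            raise ValueError("Waiting Time of Switchback must be 30-120 minutes")
        if len(ips) > 20:
            raise ValueError("a rule holds at most 20 IP addresses")
        self.ips = set(ips)
        self.wait = switchback_wait_min
        self.blackholed = set()      # addresses currently in blackhole state
        self.on_proxy = set()        # addresses whose traffic goes via Proxy
        self.manual_mode = False     # manual switch disables auto switchback
        self.pending = set()         # still blackholed after a partial switchback
        self.quiet_since = None      # minute at which the last address left blackhole

    def enter_blackhole(self, ip):
        self.blackholed.add(ip)
        self.quiet_since = None
        if self.blackholed == self.ips:          # only when ALL are blackholed
            self.on_proxy = set(self.ips)

    def exit_blackhole(self, ip, now):
        self.blackholed.discard(ip)
        if ip in self.pending:                   # restored once blackhole ends
            self.pending.discard(ip)
            self.on_proxy.discard(ip)
        if not self.blackholed:
            self.quiet_since = now

    def tick(self, now):
        """Automatic switchback after the waiting time, unless switched manually."""
        if (self.on_proxy and not self.manual_mode and self.quiet_since is not None
                and now - self.quiet_since >= self.wait):
            self.on_proxy.clear()
        return frozenset(self.on_proxy)

    def manual_switch_to_proxy(self):
        self.on_proxy = set(self.ips)
        self.manual_mode = True

    def manual_switchback(self):
        if self.blackholed == self.ips:
            raise ValueError("switchback not allowed: all addresses are blackholed")
        self.on_proxy = set(self.blackholed)     # only recovered addresses return
        self.pending = set(self.blackholed)      # the rest follow when blackhole ends
        self.manual_mode = False
        return frozenset(self.on_proxy)
```

Time is modelled in minutes; call tick() with the current minute to apply the automatic switchback check.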

Manage rules

After you create a rule, you can perform the following operations from the General Interaction tab.

  • Edit: Modify the rule parameters. Interaction Scenario and Rule Name cannot be changed after the rule is created.

  • Delete: Delete the rule. Before you delete a rule, remove the Sec-Traffic Manager CNAME from your domain's DNS records. Deleting a rule while the CNAME is still active causes your website to become inaccessible.