Anti-DDoS:Overview

Last Updated: Feb 22, 2024

Anti-DDoS Pro and Anti-DDoS Premium both provide Sec-Traffic Manager for you to configure rules on the interaction between them and the protected cloud services. You can configure rules for Anti-DDoS Pro or Anti-DDoS Premium. These rules take effect only in specific scenarios. This feature ensures service continuity and provides protection against distributed denial-of-service (DDoS) attacks. Sec-Traffic Manager provides features such as cloud service interaction, tiered protection, Content Delivery Network (CDN) interaction, Dynamic Route for CDN (DCDN) interaction, network acceleration, and Sec-MCA.

Scenarios

If you add your websites to Anti-DDoS Pro or Anti-DDoS Premium, you only need to add the domain names of your websites. For more information, see Add one or more websites. If you add your non-website services to Anti-DDoS Pro or Anti-DDoS Premium, you only need to add the ports of your services. For more information, see Configure port forwarding rules.

After your services are added to Anti-DDoS Pro or Anti-DDoS Premium, all service traffic, including normal and malicious traffic, is forwarded to Anti-DDoS Pro or Anti-DDoS Premium. Malicious traffic is filtered out, and only normal traffic is forwarded to the origin server. Because normal traffic also passes through Anti-DDoS Pro or Anti-DDoS Premium when no attack is in progress, this may add a small amount of latency to the service.

To resolve this issue, you can enable the cloud service interaction feature of Sec-Traffic Manager. If no attacks occur, normal traffic is directly forwarded to the origin server without increasing latency. If attacks occur, traffic is switched to Anti-DDoS Pro or Anti-DDoS Premium for scrubbing and forwarding.

In addition to the preceding scenarios, Sec-Traffic Manager enables interactions between Anti-DDoS Pro or Anti-DDoS Premium and Anti-DDoS Origin, CDN, DCDN, Chinese Mainland Acceleration (MCA), and Sec-MCA. For more information, see Benefits.

Note: Anti-DDoS Pro and Anti-DDoS Premium provide Sec-Traffic Manager for you to configure rules for your service access. Whether you use Sec-Traffic Manager does not affect the billing of Anti-DDoS Pro and Anti-DDoS Premium. For more information about the billing methods of Anti-DDoS Pro and Anti-DDoS Premium, see Billing of Anti-DDoS Pro and Billing of Anti-DDoS Premium of the Insurance and Unlimited mitigation plans.

Benefits

The following table describes the interaction scenarios of Sec-Traffic Manager and related topics.

× indicates that Anti-DDoS Pro does not support this interaction scenario.

Cloud Service Interaction

Description: Your services use Alibaba Cloud public IP addresses and are protected by Anti-DDoS Pro or Anti-DDoS Premium to achieve the following effects:
  • If no DDoS attacks occur, service traffic is directly forwarded to the origin server. Anti-DDoS Pro or Anti-DDoS Premium is dormant to avoid high latency.
  • If DDoS attacks occur, Anti-DDoS Pro or Anti-DDoS Premium automatically takes effect. Anti-DDoS Pro or Anti-DDoS Premium scrubs service traffic and forwards normal traffic to the origin server.
Note: Anti-DDoS Pro or Anti-DDoS Premium can interact with Alibaba Cloud Global Accelerator (GA). For more information, see What is Global Accelerator?.
Anti-DDoS Pro and Anti-DDoS Premium: Create a cloud service interaction rule

Tiered Protection

Description: Your services are protected by Anti-DDoS Origin Enterprise and Anti-DDoS Pro or Anti-DDoS Premium to achieve the following effects:
  • Anti-DDoS Origin Enterprise protects your services from low-volume DDoS attacks. Service traffic is directly forwarded to the origin server without increasing latency.
  • If volumetric DDoS attacks are detected, Anti-DDoS Pro or Anti-DDoS Premium takes effect. Anti-DDoS Pro or Anti-DDoS Premium scrubs service traffic and forwards normal traffic to the origin server.
Anti-DDoS Pro and Anti-DDoS Premium: Create a tiered protection rule

CDN/DCDN Interaction

Description: Your websites use Alibaba Cloud CDN or DCDN and are protected by Anti-DDoS Pro or Anti-DDoS Premium to achieve the following effects:
  • If no DDoS attacks occur, the nearest CDN or DCDN node is used for acceleration.
  • If DDoS attacks occur, Anti-DDoS Pro or Anti-DDoS Premium automatically takes effect.
Anti-DDoS Pro and Anti-DDoS Premium: Use the CDN or DCDN interaction feature

Network Acceleration

Description: Your services are protected by Anti-DDoS Premium Insurance or Unlimited plan and MCA to achieve the following effects:
  • If no DDoS attacks occur, the IP address that network acceleration provides is used to speed up service access.
  • If DDoS attacks occur, Anti-DDoS Premium automatically takes effect.
Note: Network acceleration is suitable for scenarios in which services are deployed outside the Chinese mainland and the users of those services come from the Chinese mainland. For more information, see Use an Anti-DDoS Premium instance of the MCA mitigation plan.
Anti-DDoS Pro: ×
Anti-DDoS Premium: Create a network acceleration rule

Sec-MCA

Description: Your services are protected by Anti-DDoS Premium Insurance or Unlimited plan and Sec-MCA to achieve the following effects:
  • The traffic from Internet service providers (ISPs) in the Chinese mainland, excluding China Mobile, is redirected to the IP address of the Anti-DDoS Premium Sec-MCA instance.
  • The traffic from China Mobile and ISPs outside the Chinese mainland is redirected to the IP address of the Anti-DDoS Premium instance.
Note: Sec-MCA accelerates access of users in the Chinese mainland to services in regions outside the Chinese mainland. It also mitigates volumetric DDoS attacks on the networks of ISPs in the Chinese mainland, excluding China Mobile. For more information, see Configure Anti-DDoS Premium Sec-MCA.
Anti-DDoS Pro: ×
Anti-DDoS Premium: Create a Sec-MCA rule