Why doesn't Anti-DDoS Basic protect my ECS instance against a 20 Mbit/s attack?
Anti-DDoS Basic is a free service with a minimum scrubbing threshold of 100 Mbit/s. When attack traffic exceeds your instance's bandwidth but stays below 100 Mbit/s, the service detects the attack but does not trigger traffic scrubbing, leaving the instance exposed.
For attacks below 100 Mbit/s, take these steps in order:
1. Optimize your server. Tune your application to handle higher connection loads and reduce resource exhaustion under stress.
2. Install a host-based firewall. Tools like Yunsuo let you block malicious IPs and rate-limit connections at the host level.
3. Upgrade to a paid protection tier. Purchase an Anti-DDoS Proxy instance for higher scrubbing thresholds and dedicated mitigation capacity. See Purchase an Anti-DDoS Proxy instance.
Why can't I manually deactivate blackhole filtering for an Anti-DDoS Basic instance?
Blackhole filtering runs on Internet Service Provider (ISP) networks, not on Alibaba Cloud infrastructure directly. Once triggered, it discards attack traffic at the ISP level to protect the broader network—including other tenants sharing the same infrastructure. ISPs set strict limits on how often blackhole filtering can be lifted, so Alibaba Cloud cannot immediately override it on your behalf.
The Alibaba Cloud security team uses intelligent algorithms to determine when it is safe to lift blackhole filtering. In most cases, it lasts 30 minutes to 24 hours. If attacks recur frequently, the duration extends automatically—lifting blackhole filtering before attacks stop triggers a new blackhole event, which resets the clock and affects other tenants on the shared network.
Deactivating blackhole filtering does not mitigate the DDoS attack itself. Frequent flapping in and out of blackhole filtering also affects network stability.
To avoid repeated blackhole events, use a service with dedicated mitigation capacity. Anti-DDoS Origin provides always-on protection for Alibaba Cloud resources. Anti-DDoS Proxy proxies traffic through high-capacity scrubbing centers.
Can I use ACLs to mitigate DDoS attacks and prevent blackhole filtering?
No, you cannot use access control lists (ACLs) to mitigate DDoS attacks or prevent blackhole filtering. ACLs only take effect at the edge of the Alibaba Cloud network where your server resides. By that point, a DDoS attack launched from multiple botnets has already consumed upstream bandwidth—the volume reaching the network edge far exceeds what ACLs can absorb.
Effective DDoS mitigation requires scrubbing centers deployed at ISP backbone networks. Attack traffic is scrubbed at the scrubbing center closest to where the attack originates, which filters malicious traffic before it reaches your infrastructure. Cloud providers offer this as a Software as a Service (SaaS) model, so scrubbing infrastructure is shared across users, keeping per-user costs manageable. ACLs cannot replicate this upstream defense.
Why does the traffic data in the Anti-DDoS Origin console differ from CloudMonitor?
The Anti-DDoS Origin console almost always shows higher traffic than CloudMonitor during an attack. This is expected behavior caused by four differences in how each service collects data:
| Dimension | Anti-DDoS Origin | CloudMonitor |
|---|---|---|
| Collection point | Border gateway devices between Alibaba Cloud and the Internet | Forwarding devices inside Alibaba Cloud |
| Collection timing | Before traffic scrubbing | After traffic scrubbing |
| Traffic scope | All traffic, including malicious packets | Normal traffic only (post-scrubbing) |
| Sampling interval | Second-level intervals (for early attack detection) | Minute-level intervals (displayed as aggregated charts) |
For example: if a DDoS attack triggers scrubbing at 2.5 Gbit/s, CloudMonitor may show an inbound bandwidth of only 1.2 Gbit/s—the legitimate traffic remaining after scrubbing.
This discrepancy applies to all Infrastructure as a Service (IaaS) resources that support Internet access, including Elastic Compute Service (ECS), Server Load Balancer (SLB), Elastic IP Address (EIP), and NAT Gateway instances.
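The following added example (not Alibaba Cloud code or an Alibaba Cloud API) models the collection differences from the table above on a constructed three-minute traffic trace, so you can see why the two consoles report different numbers for the same event. It assumes idealized scrubbing that engages instantly at the threshold and removes all attack traffic; every name and value is constructed.

```python
# Constructed model of the two collection points described in the table.
# Names, thresholds and traffic values are assumptions for illustration only.

SCRUB_THRESHOLD_MBPS = 2500  # constructed: scrubbing triggers at 2.5 Gbit/s


def build_samples():
    """Constructed per-second (legit, attack) Mbit/s pairs for 180 seconds."""
    samples = []
    for second in range(180):
        legit = 1200                  # steady legitimate inbound traffic
        if 60 <= second < 70:
            attack = 600              # ramp-up, total stays below threshold
        elif 70 <= second < 100:
            attack = 1800             # flood, total exceeds threshold
        else:
            attack = 0
        samples.append((legit, attack))
    return samples


def border_view(samples):
    """Pre-scrubbing view: all traffic, one data point per second."""
    return [legit + attack for legit, attack in samples]


def internal_view(samples, threshold=SCRUB_THRESHOLD_MBPS):
    """Post-scrubbing view: forwarded traffic averaged per minute."""
    forwarded = []
    for legit, attack in samples:
        total = legit + attack
        # Below the threshold nothing is scrubbed, so attack traffic is
        # forwarded together with the legitimate traffic.
        forwarded.append(legit if total >= threshold else total)
    return [sum(forwarded[i:i + 60]) / 60 for i in range(0, len(forwarded), 60)]


def reconcile(samples):
    """Summarize both views so the discrepancy can be compared directly."""
    border = border_view(samples)
    return {
        "border_peak_mbps": max(border),
        "scrubbed_seconds": sum(1 for v in border if v >= SCRUB_THRESHOLD_MBPS),
        "internal_per_minute_mbps": internal_view(samples),
    }


if __name__ == "__main__":
    print(reconcile(build_samples()))
```

The per-second border view records the full 3000 Mbit/s peak, while the per-minute internal view shows the 10-second unscrubbed ramp only as a small rise in one minute's average.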