Anti-DDoS Basic monitors inbound traffic in real time and triggers traffic scrubbing when it detects a DDoS attack. This topic explains how traffic scrubbing thresholds work and how to configure them for your assets.
How it works
Traffic scrubbing filters out malicious traffic during a DDoS attack while allowing normal traffic through to maintain service availability.
Anti-DDoS Basic combines two signals before triggering scrubbing:
AI-based intelligent analysis — The system uses Alibaba Cloud's big data capabilities to learn your traffic patterns and detect attacks algorithmically.
Threshold check — Inbound traffic must reach the BPS or PPS threshold you set.
Scrubbing triggers only when both conditions are met. This dual-check approach prevents false positives caused by normal traffic spikes — for example, a sudden burst of legitimate traffic during a product launch does not trigger scrubbing unless an attack is also detected.
Scrubbing threshold types
Anti-DDoS Basic supports two threshold modes: default and custom.
Default scrubbing threshold
In default mode, Alibaba Cloud automatically sets and adjusts the threshold based on two factors:
Instance type and public bandwidth — For cloud products such as Elastic Compute Service (ECS) and NAT Gateway, the threshold is calculated from the instance type and configured public bandwidth. See Cloud product specifications and scrubbing thresholds for details.
Overall platform stability and resource allocation — Alibaba Cloud accounts for platform-wide resource usage and historical attack data to ensure fair scrubbing capacity across all users.
The default threshold is automatically adjusted based on your cloud product's traffic — no manual tuning is required. It also typically represents the maximum value you can set when configuring a custom threshold; you can only lower it from there.
Custom scrubbing threshold
Set a custom threshold when the default does not match your traffic profile or security requirements. You can tune the BPS and PPS thresholds based on your business needs and network environment.
Threshold value and scrubbing sensitivity:
A lower threshold triggers scrubbing more readily (higher sensitivity). A higher threshold requires more traffic before scrubbing starts (lower sensitivity). In other words: lower threshold = triggers sooner = more protective. Getting this balance right matters:
Too high — Scrubbing may not activate in time during low-volume attacks.
Too low — Scrubbing may activate during normal traffic spikes, disrupting legitimate access.
When to lower the threshold:
| Scenario | Rationale |
|---|---|
| Financial services with high security requirements | Low-volume, targeted attacks are common; early detection matters |
| Critical government information systems | Risk tolerance is low; conservative thresholds reduce exposure |
| Small websites that have experienced low-frequency, high-intensity attacks | Historical attack data suggests heightened vigilance; consider lowering during periods of stable traffic |
When to raise the threshold:
| Scenario | Rationale |
|---|---|
| Website promotions with expected traffic spikes | Prevents false positives during legitimate surges |
| Major gaming events | High concurrent user load is normal, not an attack |
| Peak streaming hours on ApsaraVideo Live | Burst traffic is expected; scrubbing should not interrupt streams |
Behavior after instance changes
When you upgrade or downgrade a cloud product instance, the scrubbing threshold behaves as follows:
Upgrade: The custom threshold takes precedence and remains unchanged.
Downgrade:
If the new default threshold is lower than your custom threshold, the threshold reverts to the default and your custom setting is discarded. Subsequent upgrades or downgrades use the default.
If the new default threshold is higher than your custom threshold, your custom threshold takes precedence and remains unchanged.
Scrubbing thresholds cannot be configured for assets on the CIDR block of Data Center or Private Addresses tabs.
Set the threshold for a single asset
Go to the Assets page of the Traffic Security console. In the top navigation bar, select the region of your asset.
Click the tab for the target cloud product, such as ECS.
In the IP asset list, click the target IP address. In the IP Address Details panel, click Traffic Scrubbing Settings.
In the Traffic Scrubbing Settings panel, set the Traffic Scrubbing Threshold and click OK. For Manual mode, the allowed ranges are:
Scrubbing Threshold (BPS): 60 Mbps to 1.5 times the public bandwidth of the instance
Scrubbing Threshold (PPS): 12,000 pps to 1.5 times the PPS specification of the instance
Option Description Default The threshold is automatically adjusted based on the cloud product's traffic. Manual Set custom values for Scrubbing Threshold (BPS) and Scrubbing Threshold (PPS).
Adjust thresholds for multiple assets in batch
Batch threshold adjustment is available only in Anti-DDoS Origin, not Anti-DDoS Basic.
Go to the Protected Objects page of the Traffic Security console.
In the top navigation bar, select the resource group and region:
Anti-DDoS Origin 1.0 (Subscription): Select the region where the instance resides.
Anti-DDoS Origin 2.0 (Subscription) and Anti-DDoS Origin 2.0 (Pay-as-you-go): Select All Regions.
Select an Anti-DDoS Origin instance and click Batch Adjust Traffic Scrubbing Thresholds.
On the Traffic Scrubbing Threshold tab, select the asset IP addresses and set the BPS and PPS thresholds. After saving, a confirmation message indicates whether the configuration succeeded. If any assets fail, follow the on-screen instructions.
Scrubbing Threshold (BPS): 60 Mbps to 1.5 times the public bandwidth of the instance
Scrubbing Threshold (PPS): 12,000 pps to 1.5 times the PPS specification of the instance
Elastic IP addresses (EIPs) with Anti-DDoS Proxy Enabled cannot be updated in batch. Configure these individually on the Assets page.
Batch adjustment supports up to 500 IP addresses at a time.
All selected assets must belong to the same cloud product.