All Products
Search
Document Center

Anti-DDoS:How to select an Anti-DDoS product

Last Updated:Jun 22, 2026

A decision guide for selecting the right Anti-DDoS product to protect your business against DDoS attacks.

Use this guide to understand core DDoS protection concepts and select the right Anti-DDoS product for your scenario. Alibaba Cloud offers a tiered DDoS protection product matrix to safeguard your business against various types of DDoS attacks and ensure service continuity and stability.

Core concepts

Understanding the following core concepts is essential for making the right selection decisions.

Key terms

Term

Description

DDoS attack

Short for Distributed Denial of Service attack, a common cybersecurity attack method. It exhausts network or network device resources through malicious traffic, preventing websites from operating normally or online services from being delivered. For more information, see DDoS attack overview.

Blackhole

A traffic scrubbing mechanism. When attack traffic targeting an IP exceeds its basic protection capacity, the carrier discards all traffic to that IP (including legitimate traffic) to protect overall Alibaba Cloud network stability. This causes business on that IP to be completely interrupted for a period. Purchasing Anti-DDoS Proxy provides higher-capacity protection that prevents your IP from entering blackhole state.

Traffic scrubbing

Through a series of detection and identification algorithms, malicious attack traffic is separated from normal business traffic and discarded. Only clean business traffic is forwarded back to the origin server, ensuring service availability.

Product definitions

  • Anti-DDoS Basic: A free basic protection service provided for select Alibaba Cloud services. It can defend against small-scale attacks but has limited protection capacity (500 Mbps to 5 Gbps). When attack traffic exceeds the threshold, the targeted IP enters blackhole state, causing business interruption.

  • Anti-DDoS Native: A security service that directly enhances the DDoS defense capability of Alibaba Cloud services. It is simple to deploy without requiring network architecture changes or business IP changes. It primarily defends against Layer 3 and Layer 4 volumetric DDoS attacks.

  • Anti-DDoS Proxy: A proxy-based protection service that routes business traffic through DNS resolution to global scrubbing centers for mitigation. It effectively hides origin server IPs and provides comprehensive defense against network layer, transport layer, and application layer (including HTTP/HTTPS CC) DDoS attacks.

Protection strategy details

Note

If you need a customized security solution (such as ultra-high capacity or application-layer UDP protection), contact your account manager.

Product comparison

Dimension

Anti-DDoS Basic

Anti-DDoS Native

Anti-DDoS Proxy

Applicable scenarios

  • Cost-sensitive

  • Non-critical services that can tolerate brief interruptions

  • Small-scale attacks

  • Large number of IPs or ports

  • High business bandwidth (for example, business bandwidth greater than 1 Gbps, HTTP and HTTPS business queries per second (QPS) greater than 5,000) without the ability to change public-facing IPs

  • Requires ultra-low latency to ensure business continuity during large traffic attacks

  • Occasional DDoS attacks

  • Frequent attacks and evolving attack campaigns

  • Requires defense against sophisticated application-layer CC attacks

  • Requires changing public-facing business IPs

Billing

Free.

  • Instance fee (prepaid): Monthly or annual payment based on the selected basic protection bandwidth, business bandwidth, and QPS.

  • Elastic protection fee (postpaid): Charged daily based on actual attack traffic peaks only when DDoS attack traffic exceeds the basic protection bandwidth.

  • Elastic business bandwidth/QPS fee (postpaid): Charged by daily or monthly 95th percentile only when normal business traffic or QPS exceeds the basic specification.

  • Advanced protection resource plan: Optionally purchase advanced protection resource plans for specific instances.

For more information, see Anti-DDoS Proxy pricing.

Core mechanism

Built into cloud services. Automatically discards traffic (blackhole) when traffic exceeds the threshold to ensure cloud provider network stability.

Associates with cloud resources without changing business IPs. Performs traffic scrubbing when attacks exceed the threshold.

Redirects traffic to dedicated scrubbing centers via DNS modification. All traffic is scrubbed before forwarding to ensure origin server availability.

Access method

Automatically enabled. No manual action required.

Associate protected objects in the console.

Modify DNS resolution to direct traffic to Premium IPs.

Protected objects

Select Alibaba Cloud services, including ECS, SLB, EIP, and more.

  • Standard cloud products: Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, elastic IP addresses (EIPs), EIPs that are associated with a NAT gateway, IPv6 gateways, simple application servers, Web Application Firewall (WAF) instances, Global Accelerator (GA) instances, and Anycast EIPs.

Any public IP address.

Protection capacity

Low. Based on on-cloud defense, 500 Mbps to 5 Gbps. For details, see Thresholds That Trigger Blackhole Filtering in Anti-DDoS Basic.

  • Standard cloud products:Moderate. Based on on-cloud defense, up to hundreds of Gbps.

  • Enhanced cloud product:High. Based on Alibaba Cloud global scrubbing centers, with mitigation capacity exceeding 1 Tbps.

For details, see What Is Anti-DDoS Native?.

High. Based on Alibaba Cloud global scrubbing centers, with mitigation capacity exceeding 1 Tbps.

Comparison of DDoS attack types defended

Attack type

Description

Anti-DDoS Native

Anti-DDoS Proxy

Standard cloud products

Enhanced cloud product

Network layer DDoS attacks

Includes Frag Flood, Smurf, Stream Flood, Land Flood, malformed IP packets, malformed TCP packets, malformed UDP packets, and more.

Supported

Supported

Supported

Transport layer DDoS attacks

Includes SYN Flood, ACK Flood, UDP Flood, ICMP Flood, RST Flood, NTP reflection, SSDP reflection, DNS reflection, and more.

Supported

Supported

Supported

Application layer DDoS attacks (HTTP/HTTPS)

Also known as web application-layer Challenge Collapsar (CC) attacks. Includes HTTP/HTTPS CC and HTTP slow-rate attacks (LOIC/HOIC/Slowloris/Pyloris/XOIC) targeting HTTP-based services such as websites, API endpoints, and WebSocket.

Unsupported

Unsupported

Supported

Application layer DDoS attacks (non-HTTP/HTTPS TCP application-layer protocols)

Also known as non-web application-layer CC attacks. Includes TCP CC, TCP empty connections, and TCP connection resource exhaustion attacks targeting non-HTTP TCP-based services such as private protocols, MySQL, MQTT, and RTMP.

Unsupported

Supported

In public preview, currently only supported in the China (Hangzhou) region.

Supported

Application layer DDoS attacks (UDP-based application-layer protocols)

CC attacks targeting UDP-based services, such as UDP-CC and DNS-Flood attacks against authoritative DNS services, DNS authoritative services, UDP gaming services, and UDP voice calling services. UDP business CC protection requires an additional purchase of Managed Security Service; otherwise, it is not supported.

Supported

Supports scrubbing DNS attacks targeting non-authoritative DNS services. To protect authoritative DNS services, use DNS Security.

Protection effectiveness notes

  • The DDoS protection solution uses an intelligent AI engine that continuously learns from normal business traffic patterns to accurately identify evolving attacks.

  • When a business experiences DDoS or CC attacks immediately after boarding, attacks may not be fully mitigated during the initial baseline learning period. The following protection configurations are available to improve protection effectiveness:

    • Anti-DDoS Native:

      • Pre-configure various protection strategies such as inline protection, port protection, and trigger-based protection to improve protection effectiveness. For more information, see Mitigation Settings.

      • Adjust the scrubbing threshold based on your business traffic. For more information, see Set Traffic Scrubbing Thresholds.

    • Anti-DDoS Proxy: