A decision guide for selecting the right Anti-DDoS product to protect your business against DDoS attacks.
Use this guide to understand core DDoS protection concepts and select the right Anti-DDoS product for your scenario. Alibaba Cloud offers a tiered DDoS protection product matrix to safeguard your business against various types of DDoS attacks and ensure service continuity and stability.
Core concepts
Understanding the following core concepts is essential for making the right selection decisions.
Key terms
Term | Description |
DDoS attack | Short for Distributed Denial of Service attack, a common cybersecurity attack method. It exhausts network or network device resources through malicious traffic, preventing websites from operating normally or online services from being delivered. For more information, see DDoS attack overview. |
Blackhole | A traffic scrubbing mechanism. When attack traffic targeting an IP exceeds its basic protection capacity, the carrier discards all traffic to that IP (including legitimate traffic) to protect overall Alibaba Cloud network stability. This causes business on that IP to be completely interrupted for a period. Purchasing Anti-DDoS Proxy provides higher-capacity protection that prevents your IP from entering blackhole state. |
Traffic scrubbing | Through a series of detection and identification algorithms, malicious attack traffic is separated from normal business traffic and discarded. Only clean business traffic is forwarded back to the origin server, ensuring service availability. |
Product definitions
Anti-DDoS Basic: A free basic protection service provided for select Alibaba Cloud services. It can defend against small-scale attacks but has limited protection capacity (500 Mbps to 5 Gbps). When attack traffic exceeds the threshold, the targeted IP enters blackhole state, causing business interruption.
Anti-DDoS Native: A security service that directly enhances the DDoS defense capability of Alibaba Cloud services. It is simple to deploy without requiring network architecture changes or business IP changes. It primarily defends against Layer 3 and Layer 4 volumetric DDoS attacks.
Anti-DDoS Proxy: A proxy-based protection service that routes business traffic through DNS resolution to global scrubbing centers for mitigation. It effectively hides origin server IPs and provides comprehensive defense against network layer, transport layer, and application layer (including HTTP/HTTPS CC) DDoS attacks.
Protection strategy details
If you need a customized security solution (such as ultra-high capacity or application-layer UDP protection), contact your account manager.
Product comparison
Dimension | Anti-DDoS Basic | Anti-DDoS Native | Anti-DDoS Proxy |
Applicable scenarios |
|
| |
Billing | Free. |
| |
Core mechanism | Built into cloud services. Automatically discards traffic (blackhole) when traffic exceeds the threshold to ensure cloud provider network stability. | Associates with cloud resources without changing business IPs. Performs traffic scrubbing when attacks exceed the threshold. | |
Access method | Automatically enabled. No manual action required. | Associate protected objects in the console. | |
Protected objects | Select Alibaba Cloud services, including ECS, SLB, EIP, and more. |
| |
Protection capacity | Low. Based on on-cloud defense, 500 Mbps to 5 Gbps. For details, see Thresholds That Trigger Blackhole Filtering in Anti-DDoS Basic. |
For details, see What Is Anti-DDoS Native?. |
Comparison of DDoS attack types defended
Attack type | Description | Anti-DDoS Native | Anti-DDoS Proxy | |
Standard cloud products | Enhanced cloud product | |||
Network layer DDoS attacks | Includes Frag Flood, Smurf, Stream Flood, Land Flood, malformed IP packets, malformed TCP packets, malformed UDP packets, and more. | |||
Transport layer DDoS attacks | Includes SYN Flood, ACK Flood, UDP Flood, ICMP Flood, RST Flood, NTP reflection, SSDP reflection, DNS reflection, and more. | |||
Application layer DDoS attacks (HTTP/HTTPS) | Also known as web application-layer Challenge Collapsar (CC) attacks. Includes HTTP/HTTPS CC and HTTP slow-rate attacks (LOIC/HOIC/Slowloris/Pyloris/XOIC) targeting HTTP-based services such as websites, API endpoints, and WebSocket. | |||
Application layer DDoS attacks (non-HTTP/HTTPS TCP application-layer protocols) | Also known as non-web application-layer CC attacks. Includes TCP CC, TCP empty connections, and TCP connection resource exhaustion attacks targeting non-HTTP TCP-based services such as private protocols, MySQL, MQTT, and RTMP. |
| In public preview, currently only supported in the China (Hangzhou) region. | |
Application layer DDoS attacks (UDP-based application-layer protocols) | CC attacks targeting UDP-based services, such as UDP-CC and DNS-Flood attacks against authoritative DNS services, DNS authoritative services, UDP gaming services, and UDP voice calling services. UDP business CC protection requires an additional purchase of Managed Security Service; otherwise, it is not supported. | Supports scrubbing DNS attacks targeting non-authoritative DNS services. To protect authoritative DNS services, use DNS Security. | ||
Protection effectiveness notes
The DDoS protection solution uses an intelligent AI engine that continuously learns from normal business traffic patterns to accurately identify evolving attacks.
When a business experiences DDoS or CC attacks immediately after boarding, attacks may not be fully mitigated during the initial baseline learning period. The following protection configurations are available to improve protection effectiveness:
Anti-DDoS Native:
Pre-configure various protection strategies such as inline protection, port protection, and trigger-based protection to improve protection effectiveness. For more information, see Mitigation Settings.
Adjust the scrubbing threshold based on your business traffic. For more information, see Set Traffic Scrubbing Thresholds.