All Products
Document Center

Anti-DDoS:Best practices for mitigating DDoS attacks

Last Updated:Apr 11, 2024

A distributed denial of service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.

The following list describes common DDoS attacks:

  • Network layer attacks

    UDP amplification attacks, such as Network Time Protocol (NTP) flood attacks, fall under this category. These attacks send a wave of traffic to a network. This high volume of traffic congests the network, consumes the network bandwidth, and makes the network unresponsive.

  • Transport layer attacks

    Synchronize Sequence Numbers (SYN) flood attacks and connection flood attacks fall under this category. These attacks consume the connection pool resources of a server to achieve DoS.

  • Session layer attacks

    SSL flood attacks fall under this type of attack. These attacks consume the SSL session resources of a server to achieve DoS.

  • Application layer attacks

    Typical types of application layer attacks include Domain Name System (DNS) flood, HTTP flood, and dummy attacks. These attacks occupy application processing resources and consume the computing resources of a server to achieve DoS.

Best practices

You can mitigate attacks against your assets on Alibaba Cloud by using the following methods:

  • Reduce your attack surface and isolate resources and irrelevant services.

    • Configure a security group

      You can configure security groups to open only the ports that are necessary for your services. This prevents access requests that are irrelevant to the service and protects your system against malicious scanning or unexpected exposure.

      For more information about security groups, see Create a security group.

    • Use a VPC

      You can use a virtual private cloud (VPC) to implement logical isolation within your network and prevent attacks from zombies in internal networks.

      For more information about a VPC, see What is a VPC?

  • Optimize the service architecture and use the public cloud to implement auto scaling and failover for your system.

    • Evaluate the performance of the service architecture

      In the early stages of service deployment or during the operations, the technical team must perform a stress test on the service architecture to evaluate its throughput capability and provide detailed technical guidance for DDoS mitigation.

    • Use an elastic and redundant architecture

      You can use load balancing or an active geo-redundancy architecture to avoid single points of failure (SPOFs). If you deploy your services on Alibaba Cloud, you can use Server Load Balancer (SLB) to concurrently process access requests on multiple servers and balance the user access traffic among the servers. This reduces the workload on a single server and improves the throughput capability, which in turn helps mitigate DDoS attacks at the connection layer.

      For more information about SLB, see Overview.

    • Deploy Auto Scaling

      Auto Scaling automatically scales your computing resources based on your service demands and policies. After you deploy Auto Scaling, the system mitigates session layer attacks and application layer attacks and automatically adds servers when your services are under attack. This improves the processing performance and avoids severe impact on your services.

      For more information about ESS, see What is Auto Scaling?

    • Optimize DNS resolution

      You can use intelligent DNS resolution to mitigate DNS attacks. In addition, we recommend that you host your services on multiple DNS service providers and optimize DNS resolution in the following ways:

      • Do not allow unsolicited DNS responses.

      • Drop quick retransmission packets.

      • Enable Transistor-Transistor Logic (TTL).

      • Drop DNS queries and responses that are anomalous.

      • Drop unexpected or unsolicited DNS queries.

      • Enable authentication for the DNS client.

      • Cache responses.

      • Use access control lists (ACLs).

      • Use ACLs, BCP38, and IP reputation.

    • Purchase additional bandwidth

      Test server performance to evaluate the bandwidth and the number of requests that your server can handle in normal business scenarios. Make sure that you purchase additional bandwidth than you need. This helps avoid any influence on users if the attack bandwidth is greater than the normal bandwidth.

  • Enhance server security and improve server performance, such as connections.

    Harden the operating system and software to reduce the attack surface and increase the costs of attacks in the following ways:

    • Make sure that system files on the server are up-to-date, and install system patches in a timely manner.

    • Check all servers to know the sources of visitors.

    • Disable services and ports that you do not need. For example, enable only port 80 for web servers, or configure policies for the firewall to block requests.

    • Limit the number of SYN semi-joins that are enabled at a single time, shorten the timeout period for SYN semi-joins, and limit SYN and Internet Control Message Protocol (ICMP) traffic.

    • Check logs for network devices and server systems. If vulnerabilities are detected on a server or the system time of a server changes, the server may be under attack.

    • Restrict file sharing outside the firewall. This reduces the opportunities that attackers intercept system files. If an attacker replaces a file with a trojan, the file transfer feature becomes unavailable.

    • Make full use of network devices to protect network resources. You must consider such policy configurations when you configure a router as traffic control, packet filtering, semi-join timeout, garbage packet discarding, discarding of forged source data packets, SYN threshold, disabling ICMP, or disabling UDP broadcasts.

    • Restrict new TCP connections and control the transmission rate of suspicious malicious IP addresses by using software firewalls such as iptables.

  • Monitor your services and prepare an emergency response plan.

    • Focus on alert notifications that are sent from Anti-DDoS Basic

      If your services suffer from DDoS attacks, Anti-DDoS Basic sends alert notifications by text message or email. We recommend that you handle alerts at the earliest opportunity.

      For more information about how to configure alert notification recipients, see Configure alert notifications for DDoS attack events.

    • Use CloudMonitor

      CloudMonitor can be used to collect and obtain monitoring metrics or custom monitoring metrics for Alibaba Cloud resources. These metrics are then used to test the availability of services and configure alerts.

      For more information about CloudMonitor, see What is CloudMonitor?

    • Develop an emergency response plan

      Develop an emergency response plan in advance based on your technical service architecture and human resources. If necessary, conduct technical drills in advance to test the response plan.

  • Select an optimal commercial security solution. Alibaba Cloud provides Anti-DDoS Basic free of charge and paid security solutions.

    • WAF

      Web Application Firewall (WAF) protects against transport layer attacks, session layer attacks, and application layer attacks for web applications, such as HTTP flood attacks.

      For more information about WAF, see What is WAF?

    • Anti-DDoS Origin

      Anti-DDoS Origin provides shared and best effort protection against DDoS attacks for cloud services that use public IP addresses. Anti-DDoS Origin immediately takes effect after you purchase an instance.

      For more information about Anti-DDoS Origin Enterprise, see What is Anti-DDoS Origin?

    • Anti-DDoS Proxy

      We recommend that you use Anti-DDoS Proxy to protect against volumetric DDoS attacks.

      For more information about Anti-DDoS Proxy, see What is Anti-DDoS Proxy?


DDoS attacks are a major concern due to its widespread negative impacts. DDoS attacks on Internet service providers (ISPs) can impact downstream customers.

Computer networks are shared environments. The stability must be maintained by each party. The behavior of one party may affect the whole network and the networks of other tenants. Therefore, you must pay attention to the following items:

  • Do not establish a DDoS mitigation platform by using Alibaba Cloud services, which include but are not limited to Object Storage Service (OSS), Alibaba Cloud DNS, Elastic Compute Service (ECS), SLB, and Elastic IP Address (EIP).

  • Do not release instances for which blackhole filtering is triggered.

  • Do not continuously replace, unbind, or add IP addresses, such as SLB IP addresses, EIPs, or NAT gateway addresses to servers for which blackhole filtering is triggered.

  • Do not establish an IP address pool or allocate attack traffic over a large number of IP addresses to defend against attacks.

  • Do not use Alibaba Cloud services such as CDN and OSS to protect servers that are vulnerable to attacks because these services are not designed to provide protection.

  • Do not bypass the above-mentioned security rules by using multiple accounts.