Attacks and traffic abuse can cause unexpected bandwidth spikes that result in bills higher than expected. High bills generated by malicious attacks or data transmission abuse cannot be waived or refunded. This topic explains the billing risks you face during an attack and the controls you can configure to stay protected.
How billing works during attacks
Alibaba Cloud CDN charges you based on resources consumed. When your accelerated domain name is attacked or abused, you are charged for the bandwidth and data transfer regardless of the cause.
Key billing behaviors to understand:
- Bills are generated three to four hours after each billing cycle ends (by hour, by day, or by month), so charges may not appear immediately.
- If your account balance drops to 0, the service may not stop immediately due to billing delays and billing cycle timing.
- Alibaba Cloud provides service suspension protection. When enabled, the service continues running until the grace period ends. The grace period and overdraft limit are determined by your account tier and purchase history, and the overdraft limit resets every month.
- If you disable service suspension protection, the service stops immediately after a payment becomes overdue, which limits further charges.
- High bill alert: After this feature is enabled, notifications are sent to you by text message if a daily bill reaches a specified amount.
By default, Alibaba Cloud CDN does not provide access control or security protection. If abnormal traffic is detected, Alibaba Cloud evaluates whether to throttle traffic, add the domain name to a sandbox, or take other measures based on normal service traffic and the overall abnormal traffic. See Limits. This does not guarantee availability for your domain.
Protect against unexpected charges
The following sections describe controls you can configure to reduce exposure to unexpected charges.
Enable access control
When traffic spikes occur, analyze real-time logs to identify the cause, then configure the appropriate access control features. See Real-time log delivery.
| Feature | Description |
|---|---|
| Referer blacklist or whitelist | Controls access by validating the Referer header. Requests matching a whitelist are allowed; those matching a blacklist are blocked. Configure a Referer blacklist or whitelist. |
| URL signing | Lets points of presence (POPs) work with your origin servers to protect resources from unauthorized use. Configure URL signing. |
| Remote authentication | Redirects user requests to an authentication server that verifies each request before granting access. Configure remote authentication. |
| IP address blacklist or whitelist | Use real-time log analysis to identify malicious IP addresses, then block them with a blacklist or restrict access with a whitelist. Configure an IP address blacklist or whitelist. |
| User-Agent blacklist or whitelist | Use real-time log analysis to identify malicious User-Agent values, then block matching requests. Configure a User-Agent blacklist or whitelist. |
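
The log triage step described above, as an added example that is not Alibaba Cloud code: it ranks client IP addresses, Referer values, and User-Agent values by bytes served and maps any dominant value to the matching feature in the table. The JSON field names, the sample records, and the 50% threshold are assumptions made for this example.

```python
import json
from collections import defaultdict

# Constructed sample records. Field names are assumptions for this example,
# not the real-time log schema; map them to the fields your logs deliver.
SAMPLE_LOG = """\
{"client_ip": "198.51.100.7", "referer": "https://hotlink.example/", "user_agent": "Mozilla/5.0 (Windows)", "bytes": 40000000}
{"client_ip": "198.51.100.8", "referer": "https://hotlink.example/", "user_agent": "Mozilla/5.0 (Macintosh)", "bytes": 40000000}
{"client_ip": "203.0.113.20", "referer": "https://hotlink.example/", "user_agent": "Mozilla/5.0 (X11)", "bytes": 10000000}
{"client_ip": "192.0.2.5", "referer": "https://www.example.com/", "user_agent": "Mozilla/5.0 (Windows)", "bytes": 5000000}
{"client_ip": "192.0.2.6", "referer": "https://www.example.com/", "user_agent": "Mozilla/5.0 (iPhone)", "bytes": 5000000}
truncated-record-without-json
"""

# Request attribute -> access control feature from the table above.
CONTROLS = {
    "client_ip": "IP address blacklist or whitelist",
    "referer": "Referer blacklist or whitelist",
    "user_agent": "User-Agent blacklist or whitelist",
}

def traffic_share(lines, field):
    """Return [(value, bytes, share)] for one field, largest byte total first."""
    totals = defaultdict(int)
    for line in lines:
        try:
            rec = json.loads(line)
            nbytes = int(rec["bytes"])
            totals[rec.get(field) or "-"] += nbytes
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip blank or malformed records, keep triaging
    grand = sum(totals.values()) or 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(value, n, n / grand) for value, n in ranked]

def suggest_controls(lines, threshold=0.5):
    """List values that account for at least `threshold` of bytes served."""
    lines = list(lines)
    findings = []
    for field, control in CONTROLS.items():
        for value, nbytes, share in traffic_share(lines, field):
            if share >= threshold and value != "-":
                findings.append((field, value, round(share, 2), control))
    return findings

if __name__ == "__main__":
    for finding in suggest_controls(SAMPLE_LOG.splitlines()):
        print(finding)
```

In the sample, no single IP address or User-Agent dominates, but one Referer accounts for 90% of bytes served, so the Referer rule is the control that addresses the spike.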
Manage traffic and set alerts
Use CloudMonitor to configure bandwidth alert rules by service or domain name. When the bandwidth of a domain name reaches a specified threshold, you are notified by text message, email, or DingTalk message. See .
| Feature | Description |
|---|---|
| Bandwidth cap | Sets a hard limit on bandwidth for a domain name. When the limit is reached, Alibaba Cloud CDN disables acceleration for the domain name and resolves it to an invalid address, preventing further charges. Configure bandwidth caps. |
| Traffic throttling for individual requests | Limits downstream speed for all requests sent to POPs, capping the overall peak bandwidth of accelerated domain names. Useful for planned high-traffic events such as game releases. Configure traffic throttling for individual requests. |
| Bandwidth throttling | For domain names with a daily peak bandwidth greater than 10 Gbit/s, submit a ticket to configure bandwidth throttling. See the usage notes below. |
| Real-time monitoring | Use CloudMonitor to monitor peak bandwidth and receive alerts when thresholds are exceeded. Visit the CloudMonitor product page. |
| Spending management and alerts | Configure spending controls in the Alibaba Cloud console: go to Expenses > Expenses and Costs in the top navigation bar. |
Bandwidth throttling usage notes:
- Bandwidth throttling applies to the overall bandwidth of all services hosted by the domain name. The bandwidth limit must be greater than or equal to 10 Gbit/s.
- After the bandwidth limit is reached, all requests slow down and packet loss may occur.
- Bandwidth throttling relies on real-time monitoring data with approximately a 10-minute delay, so throttling starts approximately 10 minutes after the limit is reached. The bandwidth may exceed the limit during this window.
Spending alerts and what to do when you receive one:
Alibaba Cloud CDN issues bills approximately three hours after a billing cycle ends. Charges are deducted from your account balance after the billing cycle closes, not at the moment of consumption. Because CDN is a distributed service, consumption details are not provided in bills. This delay also means that spending alerts reflect recent billing data, not real-time consumption — factor in this lag when setting alert thresholds.
| Alert type | How it works | What to do |
|---|---|---|
| High bill alert | Sends a text message when a daily bill reaches a specified amount. | Review your domain's traffic in the CDN console. Check real-time logs to identify the traffic source. Enable or tighten access control features (Referer blacklist/whitelist, IP address blacklist/whitelist, or URL signing) to block the source. Consider setting a bandwidth cap to hard-limit further consumption. |
| Bandwidth alert | Sends a notification when bandwidth exceeds a configured threshold in CloudMonitor. | Review your domain's traffic in the CDN console. Check real-time logs to identify the traffic source. Enable or tighten access control features to block the source. Consider setting a bandwidth cap. |
| Low balance alert | Sends a text message when your account balance drops below a specified threshold. | Top up your account balance or reduce spending by disabling low-traffic domain names. |
| Service suspension protection | When disabled, the service stops immediately after a payment becomes overdue, limiting overdue charges. | Evaluate whether to keep this enabled based on your tolerance for service interruption versus overdue charges. |
Enable advanced security with ESA
For protection beyond access control and traffic management, use Edge Security Acceleration (ESA). ESA provides native DDoS protection, a web application firewall (WAF), bot management, and security analytics.
| Attack type | Background | ESA capability |
|---|---|---|
| DDoS attack | HTTP/HTTPS DDoS attacks, often called CC attacks (Challenge Collapsar), target web application layers by mimicking legitimate user requests from search engines and web crawlers. High-concurrency attacks on resource-intensive pages can cause denial of service and degrade performance, including web response time, database services, and disk I/O. | ESA provides DDoS protection by default to defend against volumetric DDoS attacks and HTTP flood attacks. Protection capabilities vary by plan and can be adjusted to your needs. ESA aims to minimize any downtime to ensure your website resumes operations as quickly as possible. |
| Traffic theft | Traffic theft involves manipulating and stealing web traffic. Attackers may use high request frequency from a single IP address, invalid redirects, or slow requests at scale. Security systems identify anomalies in response codes, URL request patterns, Referer headers, and User-Agent headers. | ESA is integrated with WAF to protect web servers and block intrusions. ESA bot management includes Smart Mode in all plans and Professional Mode in the Enterprise plan. Security analytics provides visualized analysis of HTTP(S) request traffic from WAF and bot management. |
What's next
FAQ — Common questions on security protection issues and solutions