This topic provides answers to some frequently asked questions about pre-sales of Alibaba Cloud Anti-DDoS.
Does Alibaba Cloud Anti-DDoS provide free services?
Yes, Alibaba Cloud Anti-DDoS provides free services. Anti-DDoS Basic is activated for every Alibaba Cloud user. Anti-DDoS Basic mitigates DDoS attacks of up to 5 Gbit/s free of charge. Anti-DDoS Basic is free of charge. You do not need to purchase, activate, or configure this service. For more information, see What is Anti-DDoS Origin?
Alibaba Cloud does not provide unlimited protection free of charge. Bandwidth resources are essential to DDoS attack mitigation. Bandwidth usage takes the highest proportion in mitigation service billing. Alibaba Cloud pays for bandwidth resources provided by Internet Service Providers (ISPs), such as China Telecom, China Unicom, and China Mobile. The bandwidth costs include bandwidth charges incurred from mitigating DDoS attacks. Anti-DDoS Basic mitigates DDoS attacks of up to 5 Gbit/s free of charge. When the volume of the DDoS attacks exceeds 5 Gbit/s, Anti-DDoS Basic blocks all traffic to the victim to avoid additional mitigation fees.
Can Anti-DDoS Proxy be billed only when they mitigate DDoS attacks?
No, Anti-DDoS Proxy is still billed when it is not working. Anti-DDoS Proxy is billed on a subscription basis. You must purchase Anti-DDoS Proxy instances and complete the payment before you can use the instances to mitigate DDoS attacks. The protection takes effect for the duration of your subscription.
Does Anti-DDoS have trial mitigation plans?
Anti-DDoS Origin: Anti-DDoS Basic is a free mitigation plan and provides up to 5 Gbit/s protection for public IP addresses of Alibaba Cloud resources. Anti-DDoS Origin Enterprise is a paid mitigation plan, and no free trials are provided.
ImportantWe recommend that you use Anti-DDoS Basic to test the mitigation capability of Anti-DDoS Origin and then upgrade your service to Anti-DDoS Origin Enterprise. The upgrade process is completely transparent and does not affect your network and connections.
Anti-DDoS Proxy: Anti-DDoS Proxy relies on dedicated data centers to provide traffic scrubbing services. This incurs high costs. No free trials are provided.
What type of Anti-DDoS Proxy solution do I select if my servers are deployed outside the Chinese mainland?
Scenario | Solution |
Servers are deployed outside the Chinese mainland to serve users outside the Chinese mainland | Purchase an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan. |
Servers are deployed outside the Chinese mainland to serve users in the Chinese mainland |
|
Servers are deployed outside the Chinese mainland to serve users in and outside the Chinese mainland |
|
Can Anti-DDoS Proxy protect servers that are not deployed on Alibaba Cloud?
Yes, Anti-DDoS Proxy can protect servers that are not deployed on Alibaba Cloud. Anti-DDoS Proxy (Chinese Mainland) and Anti-DDoS Proxy (Outside Chinese Mainland) can protect servers that are assigned public IP addresses. If your service uses a public IP address and is accessible over the Internet, you can use Anti-DDoS Proxy to protect your service. For more information, see What is Anti-DDoS Proxy?
Can Anti-DDoS Proxy protect servers that are not deployed on Alibaba Cloud but have domain names registered with Alibaba Cloud?
Yes, Anti-DDoS Proxy can protect servers that are not deployed on Alibaba Cloud but have domain names registered with Alibaba Cloud. If you want to use Anti-DDoS Proxy (Chinese Mainland) to protect the domain names, you must ensure that Internet Content Provider (ICP) filing is completed for the domain names.
Is ICP filing required for domain names that you want Anti-DDoS Proxy to protect?
If you use Anti-DDoS Proxy (Chinese Mainland) to protect domain names, you must complete ICP filing for the domain names. If you use Anti-DDoS Proxy (Outside Chinese Mainland) to protect domain names, ICP filing is not required. However, your service must be legal.
For more information, see ICP filing application overview.
What are the regions supported by Anti-DDoS Proxy?
Anti-DDoS Proxy (Chinese Mainland): protects servers deployed in the Chinese mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): protects servers deployed outside the Chinese mainland, including servers deployed in Hong Kong (China).
Does Anti-DDoS Proxy have limits on the number of protected domains?
Yes, Anti-DDoS Proxy has limits on the number of protected domains.
By default, each Anti-DDoS Proxy (Chinese Mainland) instance supports a maximum of 50 domain names, only 5 of which can be second-level domains.
By default, each Anti-DDoS Proxy (Outside Chinese Mainland) instance can protect up to 10 domain names, including subdomains and wildcard domains. The subdomains and wildcard domains must not belong to more than one top-level domain.
You can increase the number of domains when you purchase an Anti-DDoS Proxy instance. Each Anti-DDoS Proxy instance supports a maximum of 200 domain names. For more information, see Purchase an Anti-DDoS Proxy instance.
Does Anti-DDoS Proxy instances support wildcard domains?
Yes, Anti-DDoS Proxy supports wildcard domains. You can add wildcard domains on the Website Config page. For more information, see Add forwarding rules.
A wildcard DNS record is specified by using an asterisk (*) as the leftmost part of a domain name. The record resolves all matching subdomains to the domain. For example, when you specify *.aliyundoc.com as a DNS record, all subdomains that match *.aliyundoc.com are resolved to www.aliyundoc.com.
What are the limits for the ports that can be added to Anti-DDoS Proxy (Chinese Mainland)?
No limits are imposed on the ports that can be added to Anti-DDoS Proxy (Chinese Mainland). You can add web services by using ports that range from 80 to 65535 to Anti-DDoS Proxy (Chinese Mainland) instances that use the Enhanced function plan. For more information, see Specify custom ports.
However, security risks may be caused by vulnerable ports, and ISPs block service traffic that is destined for the vulnerable ports. The following ports are vulnerable TCP ports: 42, 135, 137, 138, 139, 445, 593, 1025, 1434, 1068, 3127, 3128, 3129, 3130, 4444, 5554, 5800, 5900, and 9996.
If your website that is protected by Anti-DDoS Proxy (Chinese Mainland) uses the preceding vulnerable ports, your website may be inaccessible in some regions. Therefore, before you add your web service to Anti-DDoS Proxy (Chinese Mainland), make sure that the website does not use the vulnerable ports.
What are the prerequisites for using Anti-DDoS Proxy (Outside Chinese Mainland) to protect my service?
If you want to use Anti-DDoS Proxy (Outside Chinese Mainland) to protect a website service, you must add the domain name of the website service to your Anti-DDoS Proxy (Outside Chinese Mainland) instance. ICP filing is not required for the domain name but your website service must be legal. If you want to use Anti-DDoS Proxy (Outside Chinese Mainland) to protect a non-website service, you need to only add the service port to your Anti-DDoS Proxy (Outside Chinese Mainland) instance.
Does the basic protection bandwidth provided by Anti-DDoS Proxy (Chinese Mainland) apply to all traffic or only attack traffic?
The basic protection bandwidth provided by an Anti-DDoS Proxy (Chinese Mainland) instance is the guaranteed bandwidth for handling both normal and attack traffic of the workloads protected by the instance. All traffic must first pass through the Anti-DDoS traffic scrubbing centers. Attack traffic is filtered out, and only service traffic is forwarded to the origin server.