This topic provides answers to some frequently asked questions about pre-sales of Alibaba Cloud Anti-DDoS.

Does Alibaba Cloud Anti-DDoS provide free services?

Yes, Alibaba Cloud Anti-DDoS provides free services. Anti-DDoS Origin Basic is activated for every Alibaba Cloud user. Anti-DDoS Origin Basic mitigates DDoS attacks of up to 5 Gbit/s free of charge. You do not need to purchase, activate, or configure this service. For more information, see What is Anti-DDoS Origin?.

Alibaba Cloud does not provide unlimited protection free of charge. Bandwidth resources are essential to DDoS attack mitigation. Bandwidth usage takes the highest proportion in mitigation service billing. Alibaba Cloud pays for bandwidth resources provided by Internet Service Providers (ISPs), such as China Telecom, China Unicom, and China Mobile. The bandwidth costs include bandwidth charges incurred from mitigating DDoS attacks. Anti-DDoS Origin Basic mitigates DDoS attacks of up to 5 Gbit/s free of charge. When the volume of the DDoS attacks exceeds 5 Gbit/s, Anti-DDoS Origin Basic blocks all traffic to the victim to avoid additional mitigation fees.

Can Anti-DDoS Pro and Anti-DDoS Premium be billed only when they mitigate DDoS attacks?

No, Anti-DDoS Pro and Anti-DDoS Premium are still billed when they are not working. Anti-DDoS Pro and Anti-DDoS Premium are billed on a subscription basis. You must purchase Anti-DDoS Pro or Anti-DDoS Premium instances and complete the payment before you can use the instances to mitigate DDoS attacks. The protection takes effect for the duration of your subscription.

Does Anti-DDoS have trial mitigation plans?

  • Anti-DDoS Origin: Anti-DDoS Origin Basic is a free mitigation plan and provides up to 5 Gbit/s protection for public IP addresses of Alibaba Cloud resources. Anti-DDoS Origin Enterprise is a paid mitigation plan, and no free trials are provided.
    Notice We recommend that you use Anti-DDoS Origin Basic to test the mitigation capability of Anti-DDoS Origin and then upgrade your service to Anti-DDoS Origin Enterprise. The upgrade process is completely transparent and does not affect your network and connections.
  • Anti-DDoS Pro and Anti-DDoS Premium: Anti-DDoS Pro and Anti-DDoS Premium rely on dedicated data centers to provide traffic scrubbing services. This incurs high costs. No free trials are provided.

Can Anti-DDoS Pro and Anti-DDoS Premium protect servers that are not deployed on Alibaba Cloud?

Yes, Anti-DDoS Pro and Anti-DDoS Premium can protect servers that are not deployed on Alibaba Cloud. Anti-DDoS Pro and Anti-DDoS Premium can protect servers that are assigned public IP addresses. If your service uses a public IP address and is accessible over the Internet, you can use Anti-DDoS Pro or Anti-DDoS Premium to protect your service. For more information, see What are Anti-DDoS Pro and Anti-DDoS Premium?.

Can Anti-DDoS Pro and Anti-DDoS Premium protect servers that are not deployed on Alibaba Cloud but have domain names registered with Alibaba Cloud?

Yes, Anti-DDoS Pro and Anti-DDoS Premium can protect servers that are not deployed on Alibaba Cloud but have domain names registered with Alibaba Cloud. If you want to use Anti-DDoS Pro to protect the domain names, you must ensure that Internet Content Provider (ICP) filing is completed for the domain names.

Is ICP filing required for domain names that you want Anti-DDoS Pro or Anti-DDoS Premium to protect?

If you use Anti-DDoS Pro to protect domain names, you must complete ICP filing for the domain names. If you use Anti-DDoS Premium to protect domain names, ICP filing is not required. However, your service must be legal.

For more information, see ICP filing application overview.

What are the regions supported by Anti-DDoS Pro and Anti-DDoS Premium?

  • Anti-DDoS Pro: protects servers deployed in the Chinese mainland.
  • Anti-DDoS Premium: protects servers deployed outside the Chinese mainland, including servers deployed in Hong Kong (China).

Do Anti-DDoS Pro and Anti-DDoS Premium have limits on the number of protected domains?

Yes, Anti-DDoS Pro and Anti-DDoS Premium have limits on the number of protected domains.
  • By default, each Anti-DDoS Pro instance supports a maximum of 50 domains, only 5 of which can be second-level domains.
  • By default, each Anti-DDoS Premium instance can protect up to 10 domain names, including subdomains and wildcard domains. The subdomains and wildcard domains must not belong to more than one top-level domain.
Note You can increase the number of domains when you purchase an Anti-DDoS Pro or Anti-DDoS Premium instance. Each Anti-DDoS Pro or Anti-DDoS Premium instance supports a maximum of 200 domains. For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.

Do Anti-DDoS instances support wildcard domains?

Yes, Anti-DDoS Pro and Anti-DDoS Premium support wildcard domains. You can add wildcard domains on the Website Config page. For more information, see Add a website.

A wildcard DNS record is specified by using an asterisk (*) as the leftmost part of a domain name. The record resolves all matching subdomains to the domain. For example, when you specify *.aliyundoc.com as a DNS record, all subdomains that match *.aliyundoc.com are resolved to www.aliyundoc.com.

What are the limits for the ports that can be added to Anti-DDoS Pro?

No limits are imposed on the ports that can be added to Anti-DDoS Pro. You can add web services by using ports that range from 80 to 65535 to Anti-DDoS Pro instances that use the Enhanced function plan. For more information, see Specify custom ports.

However, security risks may be caused by vulnerable ports, and ISPs block service traffic that is destined for the vulnerable ports. Vulnerable TCP ports include ports 42, 135, 137, 138, 139, 445, 593, 1025, 1434, 1068, 3127, 3128, 3129, 3130, 4444, 5554, 5800, 5900, and 9996.

If your website that is protected by Anti-DDoS Pro uses the preceding vulnerable ports, your website may be inaccessible in some regions. Therefore, before you add your web service to Anti-DDoS Pro, make sure that the website does not use the vulnerable ports.

What are the prerequisites for activating Anti-DDoS Premium?

If you want to use Anti-DDoS Premium to protect a website, you must add the domain name of the website to Anti-DDoS Premium. ICP filing is not required for the domain name but your website must be legal. If you want to use Anti-DDoS Premium to protect a non-website service, you need only to add the service port to your Anti-DDoS Premium instance.

Does the basic protection bandwidth provided by Anti-DDoS Pro apply to all traffic or only attack traffic?

The basic protection bandwidth provided by an Anti-DDoS Pro instance is the guaranteed bandwidth for handling both normal and attack traffic of the workloads protected by the instance. All traffic must first pass through the Anti-DDoS traffic scrubbing centers. Attack traffic is filtered out, and only normal traffic is forwarded to the origin server.