When your services face or are expected to face large-scale DDoS attacks, purchasing an Anti-DDoS Proxy instance is a critical step to ensure business continuity. Anti-DDoS Proxy diverts traffic to scrubbing centers, filters out malicious DDoS attack traffic, and forwards legitimate traffic to your origin server. This protects against terabit-level DDoS attacks and keeps your services stable.
Select an edition
Edition overview
Product Type | Instance Edition | Core Features and Differences | Notes |
Anti-DDoS Proxy (Chinese Mainland) | Profession | Provides an exclusive IP address, multi-line Border Gateway Protocol (BGP) protection, and supports both basic and burstable protection. | - |
Anti-DDoS Proxy (Chinese Mainland) | Advanced | Provides two advanced mitigation sessions per month (resets monthly). | Contact your account manager to activate this edition. |
Anti-DDoS Proxy (Outside Chinese Mainland) | Insurance and Unlimited | | - |
Anti-DDoS Proxy (Outside Chinese Mainland) | Sec-CMA 2.0 | Provides access acceleration for users in the Chinese mainland and application-layer DDoS protection. After you select a specific number of DDoS mitigation sessions, it gains the capability to defend against large-volume DDoS attacks from China Telecom, China Unicom, and China Mobile lines. | None |
Anti-DDoS Proxy (Outside Chinese Mainland) | Sec-CMA 2.0 (Insurance) and Sec-CMA 2.0 (Unlimited) | Features are mostly the same as Sec-CMA 2.0. You can disable the Metering Method of 95th Percentile Burstable Clean Bandwidth and 95th Percentile Burstable QPS modes. | The features have been migrated to Sec-CMA 2.0. We do not recommend purchasing new instances. This option is only for existing instances. |
Anti-DDoS Proxy (Outside Chinese Mainland) | Chinese Mainland Acceleration and Sec-CMA 1.0 | Legacy versions that do not support China Mobile lines. | We do not recommend purchasing new instances. We recommend that you upgrade to Sec-CMA 2.0. Contact your account manager to activate the upgrade. |
Common scenarios and selection guidance
Select an Anti-DDoS Proxy instance based on where your servers are deployed and where your users are located. Choose the best edition for your scenario below.
Server location | User source | Business requirements | Recommended edition |
The Chinese mainland | The Chinese mainland and outside the Chinese mainland | General-purpose DDoS protection. | Anti-DDoS Proxy (Chinese Mainland) - Profession |
Outside the Chinese mainland | Outside the Chinese mainland only | No cross-border acceleration needed. | Anti-DDoS Proxy (Outside Chinese Mainland) - Insurance or Unlimited |
Outside the Chinese mainland | The Chinese mainland | Requires cross-border acceleration to ensure low latency and stability. | Anti-DDoS Proxy (Outside Chinese Mainland) - Sec-CMA 2.0 |
Outside the Chinese mainland | The Chinese mainland and outside the Chinese mainland | Must meet cross-border acceleration needs without migrating servers, while also supporting access from outside the Chinese mainland. | Combined purchase: |
Outside the Chinese mainland | Within and outside the Chinese mainland | Servers can be migrated by user region to enable cross-border access. After migration, users in different regions access services hosted in their respective regions and protected by matching editions. | |
Purchase Anti-DDoS Pro or Anti-DDoS Premium instance
Open the purchase page
Visit the Anti-DDoS Proxy (Chinese Mainland) international purchase page or the Anti-DDoS Proxy (Outside Chinese Mainland) international purchase page.
Select Protection Instance and Protection Parameters
Refer to the Purchasing Guide, and select Product Type and DDoS Plan.
Anti-DDoS Proxy (Chinese Mainland)-Profession
Professional Description
Connection type: DNS diversion.
Resource reservation: 1 exclusive IP address.
Bandwidth type: Multi-line BGP.
Mitigation capability: Basic protection (subscription) plus burstable protection (pay-as-you-go).
Mitigation parameters
Endpoint Type: The IP protocol type supported by Anti-DDoS Pro or Anti-DDoS Premium instances. Valid values: IPv4 or IPv6. For more information, see Function Introduction.
Important: An IPv6 Anti-DDoS Proxy instance forwards requests from IPv6 clients, with these limits:
Website Config supports IPv4 origin servers only.
Port Config supports IPv4 or IPv6 origin servers.
Basic Protection: The DDoS attack traffic threshold that can be defended against.
Burstable Protection Bandwidth: A pay-as-you-go protection feature that automatically enables burstable protection when attack traffic exceeds the Basic Protection, to keep your business running without interruption. For pricing information, see Billing method for elastic protection capability.
Note: If you set the Burstable Protection Bandwidth and Basic Protection to the same value, burstable protection will not be triggered.
Protection Cluster:
You can select a protection node only when the Endpoint Type is IPv4. The available options are Default, North China, North China (Beijing), or East China (Hangzhou).
Choose a node based on both mitigation capabilities and access latency. For more information, see How to choose a protection node.
Note: Example: If your origin server is in China (Hangzhou), choose the China (Hangzhou) node for the lowest access latency. Choose the default node for the highest mitigation capabilities.
Anti-DDoS Proxy (Outside Chinese Mainland)-Insurance and Unlimited
Mitigation plan description:
Warning: If you use the Insurance or Unlimited plan alone, users in the Chinese mainland will experience significantly increased latency or access failures. We recommend that you use Sec-CMA 2.0 in combination with these plans to optimize access quality.
Access Mode: Traffic diversion through DNS resolution.
Resource reservation: 1 exclusive Anycast IP address.
Mitigation sessions:
Insurance: 2 advanced mitigations per month (refreshed monthly)
Unlimited: unlimited advanced mitigation
Mitigation parameters
IP Registration Address: Select the IP geolocation based on your actual business needs. Supported locations: Singapore, China (Hong Kong), Japan, US West, US East, United Kingdom, Germany, Malaysia, and Indonesia.
Note: The Indonesia protection node is available only if the IP geolocation is Indonesia.
The Malaysia node is available only if the IP geolocation is Malaysia.
Anti-DDoS Proxy (Outside Chinese Mainland)-Sec-CMA 2.0
Mitigation plan description:
Connection type: DNS diversion.
Resource reservation: 1 exclusive Sec-CMA IP address.
Mitigation capability: Designed for acceleration of access from the Chinese mainland, plus application-layer DDoS protection, including intelligent protection, global mitigation policy, blacklist/whitelist, geo-blocking, and HTTP flood mitigation.
Line support: China Telecom, China Unicom, and China Mobile lines.
Mitigation parameters
Mitigation Sessions: The number of advanced mitigation sessions. After you purchase a quantity, you can use additional high-volume DDoS advanced mitigation capabilities on China Telecom, China Unicom, and China Mobile lines. If you select No, only the access acceleration capability for the Chinese mainland is provided.
Note: One session counts for every 24 hours of continuous protection after a DDoS attack starts. The quota resets every calendar month.
IP Registration Address: Select the IP registration location based on your actual business requirements. Supported registration locations: Singapore, Japan.
Anti-DDoS Proxy (Outside Chinese Mainland)-Chinese Mainland Acceleration
Protection Plan Description
Connection type: DNS diversion.
Resource reservation: 1 exclusive accelerated IP address.
Important: This edition only accelerates access in the Chinese mainland and has no DDoS mitigation capability. We recommend that you upgrade to Sec-CMA 2.0.
Anti-DDoS Proxy (Outside Chinese Mainland) - Sec-CMA1.0
Mitigation plan description:
Connection type: DNS diversion.
Resource reservation: 1 exclusive Sec-CMA IP address.
Mitigation sessions: 2 advanced mitigation sessions per month (refreshed monthly).
Note: You can purchase a global advanced mitigation session to get more sessions.
Mitigation capability: Acceleration for access from the Chinese mainland, plus DDoS protection over China Telecom and China Unicom lines (no China Mobile).
Note: To support Anti-DDoS protection for access from outside the Chinese mainland, you can use the Insurance and Unlimited plans.
Line support: China Telecom and China Unicom lines only.
Important: If you need support for mobile lines, upgrade to Sec-CMA 2.0.
Configure extended service specifications
Clean Bandwidth: The guaranteed base bandwidth capacity used to accommodate normal service traffic.
Note: If the guaranteed clean bandwidth is insufficient, the system defaults to billing you for the burstable clean bandwidth. To avoid these pay-as-you-go bills, you can upgrade the guaranteed clean bandwidth. For more information, see Upgrade Instance.
How to choose: Refer to the following guidelines.
Selection principle
If your services run on Alibaba Cloud ECS, view peak traffic in instance monitoring information.
Note: This traffic refers to legitimate service traffic and excludes attack traffic.
If you deploy multiple origin servers, sum up their legitimate service traffic.
Selection example
You protect three websites. Each has an outbound traffic peak under 50 Mbps. Total traffic does not exceed 150 Mbps. Choose clean bandwidth greater than 150 Mbps.
Metering Method of 95th Percentile Burstable Clean Bandwidth: The Daily 95th Percentile is enabled by default and provides pay-as-you-go mitigation capabilities. When service traffic exceeds the base Clean Bandwidth, the instance uses burstable clean bandwidth by default to ensure that your services are not interrupted. For more information about billing, see Burstable Clean Bandwidth Billing.
Warning: Starting from 10:00:00 on March 6, 2026 (UTC+8), you will no longer be able to use the Monthly 95th Percentile billing method for burstable clean bandwidth for new purchases. You will also no longer be able to manually adjust related configurations for burstable clean bandwidth in the console, such as disabling or enabling the feature, changing the billing method, or changing bandwidth specifications. For more information, see [Update] Adjustment to the Anti-DDoS Burstable Billing Feature on March 6, 2026.
Formula: Elastic Bandwidth Peak = min(Base Clean Bandwidth × 10, Elastic Bandwidth Upper Limit).
Note: The elastic peak represents the default upper limit of allocated elastic resources. When actual business usage exceeds the elastic peak, the product continues to provide service to the best of its ability, and you will incur elastic pay-as-you-go charges based on actual usage. However, packet loss may occur during the cluster scale-out period. We recommend that you promptly upgrade your guaranteed clean bandwidth.
Burstable bandwidth limit:
Anti-DDoS Proxy (Chinese Mainland): Profession (20,000 Mbps), Advanced (20,000 Mbps)
Anti-DDoS Proxy (Outside Chinese Mainland): Insurance (5,000 Mbps), Unlimited (5,000 Mbps), Sec-CMA 2.0 (1,500 Mbps), Chinese Mainland Acceleration (1,000 Mbps), Sec-CMA 1.0 (500 Mbps)
QPS: The maximum rate of concurrent requests that an Anti-DDoS Pro/Premium instance can process when no attacks occur. This includes HTTP and HTTPS requests. For more information about the relationship between Clean QPS and connection specifications, see QPS specifications and connection limits.
Note: If Clean QPS is insufficient, the system uses burstable QPS and bills accordingly. You can also upgrade your Clean QPS to avoid pay-as-you-go charges. For more information, see Upgrade an instance.
In the Chinese mainland: The maximum QPS is 100,000.
Regions outside the Chinese mainland: The maximum QPS is 150,000.
95th Percentile Burstable QPS: By default, the Daily 95th Percentile is enabled, providing pay-as-you-go mitigation capabilities. When the actual Clean queries per second (QPS) exceeds the guaranteed baseline QPS, the instance automatically uses burstable protection to ensure uninterrupted service. For more information, see burstable QPS billing instructions and QPS specifications and corresponding connection limits.
Warning: Starting from 10:00:00 UTC+8 on March 6, 2026, new customers can no longer enable the monthly 95th percentile billing mode for burstable QPS. You also cannot manually adjust burstable QPS settings in the console, including enabling or disabling the feature, changing the billing mode, or modifying the specification. For more information, see [Update] Announcement on changes to the burstable billing feature for Anti-DDoS on March 6, 2026.
Formula: Burstable QPS peak = min(Clean QPS × 3, Burstable QPS limit).
Note: The elastic peak is the upper limit for the elastic resources allocated by default. If your actual usage exceeds the elastic peak, the service is provided on a best-effort basis and you are charged for the elastic resources that you use on a pay-as-you-go basis. However, there is a risk of throttling. To ensure resource reservation beyond the burstable peak, upgrade the clean QPS in advance or contact your account manager for capacity expansion.
Burstable QPS limit:
The Chinese mainland:
IPv4 Anti-DDoS Proxy instance: maximum burstable QPS is 300,000.
IPv6 Anti-DDoS Proxy instance: maximum burstable QPS is 100,000.
Outside the Chinese mainland: maximum burstable QPS is 150,000.
Function Plan: Function plans range from Standard to Enhanced, corresponding to different mitigation capabilities, numbers of policy configurations, and performance optimization levels. For more information, see Differences between Standard and Enhanced function plans.
Standard:
Supports 40 HTTP flood mitigation policy rules.
Supports up to 200 Layer 7 blacklist and whitelist policies.
Enhanced:
Supports enhanced application-layer protection to block non-HTTP/HTTPS application-layer attacks.
Supports 200 HTTP flood mitigation policy rules.
Supports up to 2,000 Layer 7 blacklist and whitelist policies.
Supports static page caching to accelerate website access.
Supports integration with Alibaba Cloud CDN for acceleration and DDoS protection.
Protected Domain Names: The number of HTTP/HTTPS domain names that can be added, with a maximum value of 2000.
For all domain names that are configured for domain forwarding, the number of their associated first-level domains (sites) cannot exceed (Protected Domain Names/10).
When you configure domain forwarding, the total number of domain names (including root domain names, subdomains, and wildcard domain names) must not exceed the Protected Domain Names.
Note: Assume that the purchased Protected Domain Names is 50, and you have configured three domain names: www.abc.com, *.abc.com, and www.xyz.com.
Root domains (sites): 2 (abc.com and xyz.com), which meets the limit of 5 (50/10).
Total domain names: 3, which meets the limit of 50.
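The two Protected Domain Names limits above can be checked before you add a batch of domains. The following Python sketch is an added example, not Alibaba Cloud code: the helper names, the small suffix set standing in for the Public Suffix List, and the rounding-down of the quota divided by 10 are all assumptions.

```python
# Added quota check; helper names and the suffix set are illustrative.

# Constructed stand-in for the Public Suffix List: suffixes under which the
# registrable (root) domain has three labels instead of two.
MULTI_LABEL_SUFFIXES = {"com.cn", "net.cn", "co.uk", "com.au"}

def normalize(name):
    """Lower-case and drop surrounding whitespace and a trailing dot."""
    return name.strip().lower().rstrip(".")

def root_domain(name):
    """Map a root, sub- or wildcard domain name to its root domain (site)."""
    labels = normalize(name).split(".")
    if labels[0] == "*":            # *.abc.com belongs to abc.com
        labels = labels[1:]
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a usable domain name: {name!r}")
    width = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    if len(labels) < width:
        raise ValueError(f"{name!r} is a public suffix, not a site")
    return ".".join(labels[-width:])

def check_domain_quota(domains, protected_domain_names):
    """Compare a planned domain list with both limits described on this page."""
    names = {normalize(d) for d in domains}     # assumption: duplicates count once
    sites = {root_domain(d) for d in names}
    site_limit = protected_domain_names // 10   # assumption: quota/10 rounds down
    return {
        "total": len(names), "total_limit": protected_domain_names,
        "sites": sorted(sites), "site_limit": site_limit,
        "ok": len(names) <= protected_domain_names and len(sites) <= site_limit,
    }

if __name__ == "__main__":
    # The example from the note above: three names, quota of 50.
    print(check_domain_quota(["www.abc.com", "*.abc.com", "www.xyz.com"], 50))
```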
Ports: The number of ports supported for protection under TCP and UDP protocols.
Resource Group: The resource group in the Resource Management service to which the instance belongs. The default is Default Resource Group. For more information about resource groups, see Create a resource group.
Quantity: Select the number of instances to purchase.
Duration: The subscription period. If you select Auto-renewal, instances renew automatically before expiration. Auto-renewal cycles follow these rules. For more information, see Renew an instance.
Monthly purchase: 1-month auto-renewal cycle.
Yearly purchase: 1-year auto-renewal cycle.
View instance specifications and activate protection
View specifications
Go to the Instance Management page of the Anti-DDoS Pro console, click the purchased instance ID or the Manage button on the right, and then view all specifications—including baseline/elastic protection capability, clean bandwidth, and QPS—on the product page.
Activate protection
After purchase, protection does not take effect automatically. Complete the following steps to divert your service traffic to the Anti-DDoS Proxy instance.
Log on to the console
Go to the Anti-DDoS Pro console.
Add your service:
In Provisioning, complete service provisioning based on your service type, such as Website Config or Port Config. For specific steps, see Add Website Configuration (website services) or Configure Port Forwarding Rules (non-website services such as game and app).
Switch traffic:
Change your service’s DNS record to the CNAME address or IP address assigned by Anti-DDoS Proxy. For instructions, see Use a CNAME or IP address to direct website traffic to an Anti-DDoS Proxy instance and Use a CNAME record to add a non-website service.
Quotas and limits
ICP filing: Websites deployed in the Chinese mainland must have an ICP filing for their domain name.
IPv6 origin server limits: If you purchase an IPv6 Anti-DDoS Proxy instance and use domain-based website service, traffic is forwarded only to IPv4 origin servers.
Overseas access limits:
If you use the Anti-DDoS Proxy (Outside Chinese Mainland)- Insurance or Unlimited edition alone, users in the Chinese mainland will experience significantly increased latency or even be unable to access the service.
Note: We recommend that you also purchase Anti-DDoS Proxy (Outside Chinese Mainland)–Sec-CMA 2.0 to ensure smooth access for users in the Chinese mainland.
When you use Anti-DDoS Proxy (Outside Chinese Mainland)–Sec-CMA 2.0 by itself, access from regions outside the Chinese mainland is not supported by default.
Note: If your services are accessed by clients from outside China, we recommend that you also purchase and use Anti-DDoS Proxy (Outside Chinese Mainland)–Insurance or Unlimited.
Some protection nodes (such as Indonesia and Malaysia) are available only for instances with matching IP geolocations.
Billing
Fees for Anti-DDoS Proxy consist of subscription instance fees and pay-as-you-go burstable fees.
Instance fees (subscription): You pay monthly or yearly based on the specifications you select, such as basic protection bandwidth, clean bandwidth, and queries per second (QPS). For more information, see Billing of Insurance and Unlimited mitigation plans for Anti-DDoS Proxy (outside the Chinese mainland), Billing of CMA for Anti-DDoS Proxy (outside the Chinese mainland), and Billing of Sec-CMA for Anti-DDoS Proxy (outside the Chinese mainland).
Burstable protection fees (pay-as-you-go): You are charged only when DDoS attack traffic exceeds your basic protection bandwidth. The fee is calculated daily based on the peak attack traffic. For more information, see Metering method of burstable protection bandwidth.
Burstable clean bandwidth/QPS fees (pay-as-you-go): You are charged only when your normal service traffic or QPS exceeds your basic specifications. The fee is calculated based on the daily or monthly 95th percentile bandwidth. For more information, see Billing of burstable clean bandwidth and Billing of burstable QPS.
Global advanced mitigation session: You can purchase a global advanced mitigation session for specific instances if required. For more information, see Billing of global advanced mitigation sessions.
Cancel service
Refunds are not supported after purchase. Evaluate your service requirements before purchasing.
Appendix
QPS specifications and corresponding connection limits
The QPS specifications of an Anti-DDoS Proxy instance correspond to specific connection limits. If you enable burstable QPS, refer to the connection limits that correspond to the burstable QPS value.
QPS | New connections | Concurrent connections |
0 < QPS ≤ 5,000 | 5,000 | 100,000 |
5,000 < QPS ≤ 10,000 | 10,000 | 200,000 |
10,000 < QPS ≤ 30,000 | 30,000 | 500,000 |
30,000 < QPS ≤ 50,000 | 50,000 | 1,000,000 |
50,000 < QPS ≤ 100,000 | 80,000 | 1,500,000 |
100,000 < QPS ≤ 150,000 | 100,000 | 2,000,000 |
150,000 < QPS ≤ 200,000 (Note: Supported only by Anti-DDoS Proxy (Chinese Mainland).) | 150,000 | 3,000,000 |
200,000 < QPS ≤ 300,000 (Note: Supported only by Anti-DDoS Proxy (Chinese Mainland).) | 200,000 | 4,000,000 |
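The two burstable-peak formulas and the table above can be combined into a pre-purchase sizing check that shows where an observed legitimate peak would land: inside the subscribed specification, in pay-as-you-go burstable range, or above the elastic peak where the notes warn of packet loss or throttling. This Python sketch is an added example, not Alibaba Cloud code; the function names and state labels are assumptions, while every number is copied from this page.

```python
# Added sizing helper. All numbers are copied from this page; names are illustrative.

# "Burstable bandwidth limit" per edition, in Mbps.
BANDWIDTH_LIMIT_MBPS = {
    "Profession": 20_000, "Advanced": 20_000,
    "Insurance": 5_000, "Unlimited": 5_000,
    "Sec-CMA 2.0": 1_500, "Chinese Mainland Acceleration": 1_000,
    "Sec-CMA 1.0": 500,
}
# Appendix table rows: (upper QPS bound, new connections, concurrent connections).
CONNECTION_TIERS = [
    (5_000, 5_000, 100_000), (10_000, 10_000, 200_000),
    (30_000, 30_000, 500_000), (50_000, 50_000, 1_000_000),
    (100_000, 80_000, 1_500_000), (150_000, 100_000, 2_000_000),
    (200_000, 150_000, 3_000_000), (300_000, 200_000, 4_000_000),
]

def elastic_bandwidth_peak(edition, clean_mbps):
    """min(Base Clean Bandwidth x 10, Elastic Bandwidth Upper Limit)."""
    return min(clean_mbps * 10, BANDWIDTH_LIMIT_MBPS[edition])

def burstable_qps_peak(clean_qps, mainland, ipv6=False):
    """min(Clean QPS x 3, Burstable QPS limit)."""
    if mainland:
        limit = 100_000 if ipv6 else 300_000
    else:
        limit = 150_000
    return min(clean_qps * 3, limit)

def connection_limits(qps, mainland):
    """Return (new, concurrent) connection limits for a QPS value."""
    if qps <= 0:
        raise ValueError("QPS must be positive")
    for upper, new_conn, concurrent in CONNECTION_TIERS:
        if qps <= upper:
            if upper > 150_000 and not mainland:
                raise ValueError("tier is Chinese Mainland only")
            return new_conn, concurrent
    raise ValueError("QPS above the largest tier on the page")

def classify(observed, base, peak):
    """Where an observed legitimate peak lands relative to the purchased spec."""
    if observed <= base:
        return "within-base"    # covered by the subscription
    if observed <= peak:
        return "burstable"      # pay-as-you-go charges apply
    return "best-effort"        # above the elastic peak: loss/throttling risk

def sizing_report(edition, mainland, clean_mbps, clean_qps,
                  observed_mbps, observed_qps, ipv6=False):
    bw_peak = elastic_bandwidth_peak(edition, clean_mbps)
    qps_peak = burstable_qps_peak(clean_qps, mainland, ipv6)
    return {
        "bandwidth_peak_mbps": bw_peak,
        "bandwidth_state": classify(observed_mbps, clean_mbps, bw_peak),
        "qps_peak": qps_peak,
        "qps_state": classify(observed_qps, clean_qps, qps_peak),
        # With burstable QPS enabled, limits follow the burstable value.
        "connection_limits": connection_limits(qps_peak, mainland),
    }

if __name__ == "__main__":
    # Constructed input: Profession edition, 200 Mbps / 3,000 QPS purchased.
    print(sizing_report("Profession", True, 200, 3_000, 450, 12_000))
```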
Protection node details
Select a protection node based on mitigation capability and access latency. / indicates the node is not recommended for that origin server location.
Origin server location | Protection node: Default | Protection node: North China | Protection node: North China (Beijing) | Protection node: China East 1 (Hangzhou) |
China (Beijing) | Strong protection (1 Tbps+). | / | Low latency with mitigation capabilities of up to 600 Gbps. | / |
China (Shanghai) | / | Strong protection (1 Tbps+). | / | Offers low latency and a mitigation capacity of up to 600 Gbps. |
China (Chengdu) | / | Strong protection (1 Tbps+). | Low latency with mitigation capabilities of 600 Gbps. | / |
China (Guangzhou) | Strong protection (1 Tbps+). | / | / | Low latency and 600 Gbps mitigation capabilities. |
China (Hangzhou) | Strong protection (1 Tbps+). | / | / | It features low latency and 600 Gbps mitigation capabilities. |
China (Shenzhen) | Strong protection (1 Tbps+). | / | / | Low-latency protection with mitigation capacity of up to 600 Gbps. |
FAQ
What is a root domain (site)?
A root domain is the full domain name that a user registers. For example:
aliyun.com is a root domain.
Subdomains (such as www.aliyun.com and abc.aliyun.com) and wildcard domain names (such as *.aliyun.com) are not root domains. They all belong to the same root domain (site): aliyun.com.
How do Anti-DDoS Proxy and Anti-DDoS Origin differ? Which should I choose?
The core differences are the connection type and protection scope.
Anti-DDoS Proxy: Proxy-based traffic scrubbing. Protects services by diverting traffic. Supports servers on Alibaba Cloud and outside Alibaba Cloud (such as data centers or other clouds). Mitigates network-layer and application-layer (CC) attacks. Suitable for use cases requiring high mitigation capabilities and service availability.
Anti-DDoS Origin: Enhancement model. Directly increases the default mitigation threshold for Alibaba Cloud assets such as ECS and SLB. Simple setup—no DNS changes required. Targets network-layer attacks primarily.
Selection guidance:
Choose Anti-DDoS Proxy if your service is a website, needs CC attack defense, runs outside Alibaba Cloud, or requires high mitigation capability.
Choose Anti-DDoS Origin if your service is a non-website service on Alibaba Cloud and you want simplified setup.