If your services are experiencing or are expected to experience large-scale DDoS attacks, you can purchase an Anti-DDoS Proxy instance to ensure business continuity. Anti-DDoS Proxy diverts your service traffic to scrubbing centers. Malicious attack traffic is filtered out, and legitimate traffic is forwarded to your origin server. This process effectively defends against terabit-level DDoS attacks and ensures service stability.
Purchase guide
Edition introduction
Product Type | Instance Edition | Core Features and Differences | Notes |
Anti-DDoS Proxy (Chinese Mainland) | Profession | Provides an exclusive IP address, multi-line Border Gateway Protocol (BGP) protection, and supports both basic and burstable protection. | - |
Anti-DDoS Proxy (Chinese Mainland) | Advanced | Provides two advanced mitigation sessions per month (resets monthly). | Contact your account manager to activate this edition. |
Anti-DDoS Proxy (Outside Chinese Mainland) | Insurance and Unlimited | | - |
Anti-DDoS Proxy (Outside Chinese Mainland) | Sec-CMA 2.0 | Provides access acceleration for users in the Chinese mainland and application-layer DDoS protection. After you select a specific number of DDoS mitigation sessions, it gains the capability to defend against large-volume DDoS attacks from China Telecom, China Unicom, and China Mobile lines. | None |
Anti-DDoS Proxy (Outside Chinese Mainland) | Sec-CMA 2.0 (Insurance) and Sec-CMA 2.0 (Unlimited) | Features are mostly the same as Sec-CMA 2.0. You can disable the Metering Method of 95th Percentile Burstable Clean Bandwidth and 95th Percentile Burstable QPS modes. | The features have been migrated to Sec-CMA 2.0. We do not recommend purchasing new instances. This option is only for existing instances. |
Anti-DDoS Proxy (Outside Chinese Mainland) | Chinese Mainland Acceleration and Sec-CMA 1.0 | Legacy versions that do not support China Mobile lines. | We do not recommend purchasing new instances. We recommend that you upgrade to Sec-CMA 2.0. Contact your account manager to activate the upgrade. |
Use cases and purchase recommendations
The right Anti-DDoS Proxy instance for you depends on your server deployment region and user source. Select the most suitable product edition based on the following use cases.
Server deployment region | User source | Service requirements | Recommended edition |
The Chinese mainland | The Chinese mainland and outside the Chinese mainland | General DDoS protection. | Anti-DDoS Proxy (Chinese Mainland) - Profession |
Outside the Chinese mainland | Outside the Chinese mainland | Cross-border access acceleration is not required. | Anti-DDoS Proxy (Outside Chinese Mainland) - Insurance or Unlimited |
Outside the Chinese mainland | The Chinese mainland | Cross-border access acceleration is required to ensure low latency and stability. | Anti-DDoS Proxy (Outside Chinese Mainland) - Sec-CMA 2.0 |
Outside the Chinese mainland | The Chinese mainland and outside the Chinese mainland | You need to accelerate cross-border access and serve users from outside the Chinese mainland without migrating your servers. | Combined purchase: |
Outside the Chinese mainland | The Chinese mainland and outside the Chinese mainland | You can migrate your service to different servers based on the user source to enable access across borders. After migration, users from different regions are served by servers and protection editions located in their respective regions. | |
Purchase an Anti-DDoS Proxy instance
Go to the purchase page
Go to the Anti-DDoS Proxy (Chinese mainland) purchase page or the Anti-DDoS Proxy (outside the Chinese mainland) purchase page.
Select an instance and protection parameters
See the Purchase Guide to select a Product Type and a Mitigation Plan.
Anti-DDoS Proxy (Chinese Mainland) - Profession
Professional Description:
Connection type: DNS redirection.
Resource reservation: 1 exclusive IP address.
Bandwidth type: Multi-line BGP.
Mitigation capability: Basic protection (subscription) + Burstable protection (pay-as-you-go).
Protection parameters
IP Version: The IP protocol of the Anti-DDoS Proxy instance. Valid values: IPv4 and IPv6. For more information, see Function Introduction.
Important: An Anti-DDoS Proxy instance that uses an IPv6 address can forward requests from IPv6 clients, but the following limits apply to the connection type:
Website Config supports only IPv4 origin servers.
Port Config supports IPv4 or IPv6 origin servers.
Basic Bandwidth: The maximum volume of DDoS attack traffic that the instance can defend against.
Burstable Bandwidth: A pay-as-you-go mitigation capability. If the attack traffic exceeds the Basic Bandwidth, burstable protection is automatically enabled to ensure business continuity. For information about fees, see Billing of burstable protection bandwidth.
Note: If you set Burstable Bandwidth to the same value as Basic Bandwidth, burstable protection is not triggered.
Protection Node:
You can select a protection node only when IP Version is set to IPv4. The options are Default, North China, China (Beijing), and China (Hangzhou).
Select a node based on a balance of mitigation capability and access latency. For more information, see How to select a protection node.
Note: For example, if your origin server is in the China (Hangzhou) region, select the East China (Hangzhou) node for the lowest access latency. Select the Default node for the highest mitigation capability.
Anti-DDoS Proxy (Outside Chinese Mainland) - Insurance and Unlimited
Protection plan description:
Warning: If you use the Insurance or Unlimited plan alone, users in the Chinese mainland will experience significantly increased latency or may be unable to access your service. We recommend that you use these plans with Sec-CMA 2.0 to optimize access quality.
Connection type: DNS redirection.
Resource reservation: 1 exclusive Anycast IP address.
Mitigation sessions:
Insurance: two advanced mitigation sessions per month (refreshed monthly)
Unlimited: unlimited advanced mitigation sessions
Protection parameters
IP Registration Address: Select the required IP geolocation. The supported geolocations are Singapore, Hong Kong (China), Japan, US (West), US (East), UK, Germany, Malaysia, and Indonesia.
Note: The Indonesia protection node is available only if the IP geolocation is Indonesia. Other geolocations are not supported.
The Malaysia node is available only if the IP geolocation is Malaysia. Other geolocations are not supported.
Anti-DDoS Proxy (Outside Chinese Mainland) - Sec-CMA 2.0
Protection plan description:
Connection type: DNS redirection.
Resource reservation: 1 exclusive Sec-MCA IP address.
Mitigation capability: This plan is mainly used to accelerate access from the Chinese mainland. It also provides application-layer DDoS protection, which includes intelligent protection, global mitigation policies, blacklists and whitelists, Location Blacklist, and HTTP flood mitigation.
Line support: Supports China Telecom, China Unicom, and China Mobile lines.
Protection parameters
Mitigation Sessions: The number of advanced mitigation sessions. After you purchase a specific number of sessions, you can mitigate large-volume DDoS attacks over China Telecom, China Unicom, and China Mobile lines. If you select No, only acceleration for access from the Chinese mainland is provided.
Note: One session is counted for every 24 hours of continuous protection after a DDoS attack starts. The quota is reset every calendar month.
IP Registration Address: Select the required IP geolocation. The supported geolocations are Singapore and Japan.
Anti-DDoS Proxy (Outside Chinese Mainland) - Chinese Mainland Acceleration
Protection plan description:
Connection type: DNS redirection.
Resource reservation: 1 exclusive accelerated IP address.
Important: This plan is only for accelerating access from the Chinese mainland and does not provide DDoS mitigation capabilities. We recommend that you upgrade to Sec-CMA 2.0.
Anti-DDoS Proxy (Outside Chinese Mainland) - Sec-CMA 1.0
Protection plan description:
Connection type: DNS redirection.
Resource reservation: 1 exclusive Sec-MCA IP address.
Mitigation sessions: two advanced mitigation sessions per month (refreshed monthly).
Note: You can purchase a global advanced mitigation session to obtain more mitigation sessions.
Mitigation capability: Accelerates access from the Chinese mainland and provides DDoS mitigation over China Telecom and China Unicom lines, but not China Mobile lines.
Note: To protect against DDoS attacks from outside the Chinese mainland, use this plan with the Insurance or Unlimited plan.
Line support: Supports China Telecom and China Unicom lines.
Important: To support China Mobile lines, upgrade to Sec-CMA 2.0.
Set extended service specifications
Clean Bandwidth: The basic bandwidth reserved for legitimate service traffic.
Warning: Insufficient clean bandwidth may cause packet loss or affect your services. Upgrade your clean bandwidth or configure burstable clean bandwidth promptly. For more information, see Upgrade an instance.
Plan selection: Refer to the following information to select a suitable specification.
Selection principles
The clean bandwidth must be greater than the peak of the total inbound or outbound traffic of all your services, whichever is greater. Typically, outbound traffic is the primary consideration. If your services are deployed on Alibaba Cloud ECS, you can view the peak traffic. For more information, see View instance monitoring information.
Note: This traffic refers to legitimate service traffic and does not include attack traffic.
If you have multiple origin servers, calculate the sum of the legitimate service traffic of all origin servers.
Example:
If you are protecting three websites and the peak outbound traffic of each website does not exceed 50 Mbps, the total traffic does not exceed 150 Mbps. In this case, select a clean bandwidth greater than 150 Mbps.
Instance clean bandwidth limit:
Anti-DDoS Proxy (Chinese Mainland): Profession (20,000 Mbps), Advanced (20,000 Mbps)
Anti-DDoS Proxy (Outside Chinese Mainland): Insurance (5,000 Mbps), Unlimited (5,000 Mbps), Sec-CMA 2.0 (1,500 Mbps), Chinese Mainland Acceleration (1,000 Mbps), Sec-CMA 1.0 (500 Mbps)
95th Percentile Burstable Clean Bandwidth: A pay-as-you-go protection capability. When legitimate service traffic exceeds the basic Clean Bandwidth, burstable protection is automatically enabled to ensure business continuity. Metering methods include the Daily 95th Percentile and the Monthly 95th Percentile. For information about fees, see Billing of burstable clean bandwidth.
Note: Maximum burstable bandwidth increase = min(Base Clean Bandwidth × 9, Instance clean bandwidth limit - Base Clean Bandwidth).
Request Rate (Clean QPS): The maximum rate of concurrent requests that an Anti-DDoS Proxy instance can handle when no attacks occur. This includes HTTP and HTTPS requests. For the mapping between Clean QPS and connection specifications, see QPS specifications and corresponding connection limits.
The Chinese mainland: The maximum Request Rate is 100,000.
Outside the Chinese mainland: The maximum Request Rate is 150,000.
Warning: Insufficient Clean QPS may cause packet loss or affect your services. Upgrade your Clean QPS specification or enable burstable QPS promptly.
95th Percentile Burstable QPS: A pay-as-you-go protection capability. When the actual service QPS exceeds the Clean QPS, burstable protection is automatically enabled to ensure business continuity. Metering methods include the Daily 95th Percentile and the Monthly 95th Percentile. For more information, see Billing of burstable QPS and QPS specifications and corresponding connection limits.
Formula: Burstable queries per second (QPS) = min(Clean QPS × 3, Burstable QPS limit).
Burstable QPS limit:
The Chinese mainland:
For an Anti-DDoS Proxy instance that uses an IPv4 address, the maximum burstable QPS is 300,000.
For an Anti-DDoS Proxy instance that uses an IPv6 address, the maximum burstable QPS is 100,000.
Outside the Chinese mainland: The maximum burstable QPS is 150,000.
Function Plan: Function plans range from Standard to Enhanced, corresponding to different mitigation capabilities, policy configuration quotas, and performance optimization levels. For more information, see Differences between the Standard and Enhanced function plans.
Standard:
Supports 40 HTTP flood mitigation policy rules.
Supports a maximum of 200 Layer 7 blacklist and whitelist policies.
Enhanced:
Supports enhanced application-layer protection policies to block attacks from non-HTTP/HTTPS application-layer protocols.
Supports 200 HTTP flood mitigation policy rules.
Supports a maximum of 2,000 Layer 7 blacklist and whitelist policies.
Supports the static page caching feature to accelerate website access.
Supports filter interaction between Anti-DDoS Proxy and Alibaba Cloud CDN to provide both acceleration and DDoS protection.
Domains: The number of HTTP/HTTPS domain names that you can add. You can set this to a maximum of 2,000.
The number of root domains (sites) to which all domain names in the domain forwarding configuration belong cannot exceed (Protected Domain Names / 10).
The total number of all domain names (including root domains, subdomains, and wildcard domain names) in the domain forwarding configuration cannot exceed the Protected Domain Names.
Note: Assume that you purchase a Protected Domain Names quota of 50 and configure three domain names: www.abc.com, *.abc.com, and www.xyz.com.
The number of root domains (sites) is 2 (abc.com and xyz.com), which meets the limit of ≤ 5 (50/10).
The total number of domain names is 3, which meets the limit of ≤ 50.
Ports: The number of TCP and UDP ports that you can protect.
Resource Group: Select the resource group to which the instance belongs in the Resource Management service. The default value is Default Resource Group. For more information about resource groups, see Create a resource group.
Quantity: Select the number of instances to purchase.
Duration: Select the validity period for the instances. If you select Auto-renewal, the instances are automatically renewed before they expire. The auto-renewal cycle follows these rules. For more information, see Renew an instance.
If you purchase by month, the auto-renewal cycle is one month.
If you purchase by year, the auto-renewal cycle is one year.
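The Domains quota rules described above can be checked against a planned domain forwarding configuration before onboarding. The following is an added example, not Alibaba Cloud code; the function names and the small multi-label suffix set are assumptions made for illustration.

```python
# Added example: checks a domain list against the two Domains quota rules
# stated on this page. Names here are hypothetical, not a vendor API.

# Simplification (assumption): a root domain is the last two labels, or the
# last three when the name ends in one of these constructed sample suffixes.
# A production check would consult the Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"com.cn", "net.cn", "org.cn"}


def root_domain(name):
    """Return the root domain (site) that a domain or wildcard belongs to."""
    host = name.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]  # *.abc.com belongs to the site abc.com
    labels = host.split(".")
    take = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    if len(labels) < take or not all(labels):
        raise ValueError(f"not a usable domain name: {name!r}")
    return ".".join(labels[-take:])


def check_domain_quota(domains, quota):
    """Apply both limits: sites <= quota / 10 and total entries <= quota."""
    entries = {d.strip().lower().rstrip(".") for d in domains}
    sites = {root_domain(e) for e in entries}
    return {
        "sites": sorted(sites),
        "total": len(entries),
        # len(sites) <= quota / 10, written without division.
        "sites_ok": len(sites) * 10 <= quota,
        "total_ok": len(entries) <= quota,
    }


if __name__ == "__main__":
    # The three names used in the note above, with a quota of 50.
    print(check_domain_quota(["www.abc.com", "*.abc.com", "www.xyz.com"], 50))
```

With a quota of 10, the same three names pass the total limit but fail the site limit, because two root domains exceed 10/10.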
View instance specifications and activate protection
View specification information
Go to the Resource Management page of the Anti-DDoS Pro console. Click the ID of the purchased instance or click Manage in the Actions column. On the details page, you can view all specification information, including basic and burstable protection bandwidth, clean bandwidth, and QPS.
Activate protection
After you purchase an instance, protection does not take effect automatically. You must manually complete the following configurations to divert your service traffic to the Anti-DDoS instance and activate protection.
Log on to the console
Go to the Anti-DDoS Pro console
Add your service:
In the Provisioning section, add your service based on its type, such as Website Config or Port Config. For more information, see Add a website (for website services) and Create port forwarding rules (for non-website services such as games and apps).
Switch traffic:
Change the DNS record of your service to the CNAME address or the IP address that Anti-DDoS Proxy allocates to the instance. For more information, see Use a CNAME or IP address to direct website traffic to an Anti-DDoS Proxy instance and Use a CNAME record to add a non-website service.
Quotas and limits
ICP filing: If the service to be protected is a website deployed in the Chinese mainland, its domain name must have an ICP filing.
IPv6 origin server limits: If you purchase an Anti-DDoS instance that has an IPv6 address type and add a website service using a domain name, Anti-DDoS Proxy supports forwarding traffic only to origin servers that use the IPv4 protocol.
Limits on access from outside the Chinese mainland:
If you use the Anti-DDoS Proxy (Outside Chinese Mainland) - Insurance or Unlimited edition alone, users in the Chinese mainland will experience significantly increased latency or may be unable to access your service.
Note: We recommend that you also purchase Anti-DDoS Proxy (Outside Chinese Mainland) - Sec-CMA 2.0 to ensure smooth access for users in the Chinese mainland.
If you use Anti-DDoS Proxy (Outside Chinese Mainland) - Sec-CMA 2.0 alone, access from regions outside the Chinese mainland is not supported by default.
Note: If your service needs to be accessed by clients from outside the Chinese mainland, we recommend that you also purchase Anti-DDoS Proxy (Outside Chinese Mainland) - Insurance or Unlimited.
Some protection nodes, such as Indonesia and Malaysia, are available only for instances with specific IP geolocations.
Billing
Fees for Anti-DDoS Proxy consist of subscription instance fees and pay-as-you-go burstable fees.
Instance fees (subscription): You pay monthly or yearly based on the specifications you select, such as basic protection bandwidth, clean bandwidth, and queries per second (QPS). For more information, see Billing of Insurance and Unlimited mitigation plans for Anti-DDoS Proxy (outside the Chinese mainland), Billing of CMA for Anti-DDoS Proxy (outside the Chinese mainland), and Billing of Sec-CMA for Anti-DDoS Proxy (outside the Chinese mainland).
Burstable protection fees (pay-as-you-go): You are charged only when DDoS attack traffic exceeds your basic protection bandwidth. The fee is calculated daily based on the peak attack traffic. For more information, see Metering method of burstable protection bandwidth.
Burstable clean bandwidth/QPS fees (pay-as-you-go): You are charged only when your normal service traffic or QPS exceeds your basic specifications. The fee is calculated based on the daily or monthly 95th percentile bandwidth. For more information, see Billing of burstable clean bandwidth and Billing of burstable QPS.
Global advanced mitigation session: You can purchase a global advanced mitigation session for specific instances if required. For more information, see Billing of advanced mitigation sessions.
Unsubscribe from the service
Refunds are not supported after you purchase an instance. Evaluate your service requirements before you make a purchase.
Appendix
QPS specifications and corresponding connection limits
The QPS specifications of an Anti-DDoS Proxy instance correspond to specific connection limits, as shown in the following table. If you enable burstable QPS, refer to the connection limits that correspond to the burstable QPS value.
QPS | New Connections | Concurrent Connections |
0 < QPS ≤ 5,000 | 5,000 | 100,000 |
5,000 < QPS ≤ 10,000 | 10,000 | 200,000 |
10,000 < QPS ≤ 30,000 | 30,000 | 500,000 |
30,000 < QPS ≤ 50,000 | 50,000 | 1,000,000 |
50,000 < QPS ≤ 100,000 | 80,000 | 1,500,000 |
100,000 < QPS ≤ 150,000 | 100,000 | 2,000,000 |
150,000 < QPS ≤ 200,000 (Note: Supported only by Anti-DDoS Proxy (the Chinese mainland).) | 150,000 | 3,000,000 |
200,000 < QPS ≤ 300,000 (Note: Supported only by Anti-DDoS Proxy (the Chinese mainland).) | 200,000 | 4,000,000 |
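The sizing rules on this page (the clean bandwidth principle, the two burstable formulas, and the connection table above) can be combined into one pre-purchase check. This is an added example, not Alibaba Cloud code; all function and field names are hypothetical, the figures are the ones published on this page, and per-origin peaks are summed as in the page's three-website example.

```python
from bisect import bisect_left

# Figures copied from this page; names are hypothetical (added example).
CLEAN_BW_LIMIT_MBPS = {
    "Profession": 20_000, "Advanced": 20_000, "Insurance": 5_000,
    "Unlimited": 5_000, "Sec-CMA 2.0": 1_500,
    "Chinese Mainland Acceleration": 1_000, "Sec-CMA 1.0": 500,
}
MAX_CLEAN_QPS = {"mainland": 100_000, "outside": 150_000}
# Appendix table rows: (QPS upper bound, new connections, concurrent connections).
CONNECTION_TIERS = [
    (5_000, 5_000, 100_000), (10_000, 10_000, 200_000),
    (30_000, 30_000, 500_000), (50_000, 50_000, 1_000_000),
    (100_000, 80_000, 1_500_000), (150_000, 100_000, 2_000_000),
    (200_000, 150_000, 3_000_000), (300_000, 200_000, 4_000_000),
]


def burstable_qps_limit(region, ip_version="IPv4"):
    """Burstable QPS limit by region and, for the mainland, IP version."""
    if region == "mainland":
        return 300_000 if ip_version == "IPv4" else 100_000
    return 150_000


def connection_limits(qps, region):
    """Return (new, concurrent) connection limits for a QPS value."""
    if qps <= 0 or qps > CONNECTION_TIERS[-1][0]:
        raise ValueError(f"QPS {qps} is outside the published tiers")
    if qps > 150_000 and region != "mainland":
        raise ValueError("tiers above 150,000 QPS are Chinese mainland only")
    idx = bisect_left([t[0] for t in CONNECTION_TIERS], qps)
    return CONNECTION_TIERS[idx][1:]


def size_plan(edition, region, origin_peaks_mbps, base_clean_mbps,
              clean_qps, ip_version="IPv4"):
    """origin_peaks_mbps: (inbound, outbound) legitimate peak per origin."""
    limit = CLEAN_BW_LIMIT_MBPS[edition]
    if base_clean_mbps > limit:
        raise ValueError(f"{edition} allows at most {limit} Mbps clean bandwidth")
    if clean_qps > MAX_CLEAN_QPS[region]:
        raise ValueError(f"Clean QPS exceeds the {region} maximum")
    # Sum over all origins, then take the larger direction.
    floor = max(sum(p[0] for p in origin_peaks_mbps),
                sum(p[1] for p in origin_peaks_mbps))
    burst_qps = min(clean_qps * 3, burstable_qps_limit(region, ip_version))
    return {
        "traffic_floor_mbps": floor,
        # Clean bandwidth must be strictly greater than the traffic floor.
        "clean_bw_sufficient": base_clean_mbps > floor,
        "max_burst_increase_mbps": min(base_clean_mbps * 9,
                                       limit - base_clean_mbps),
        "burstable_qps": burst_qps,
        "clean_connections": connection_limits(clean_qps, region),
        "burst_connections": connection_limits(burst_qps, region),
    }


if __name__ == "__main__":
    # Constructed input: three websites, 50 Mbps peak outbound each.
    print(size_plan("Profession", "mainland", [(10, 50)] * 3, 200, 3_000))
```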
Protection node details
Select a suitable protection node based on its mitigation capability and access latency, as shown in the following table. / indicates that the node is not recommended.
Origin server location | Protection node: Default | Protection node: North China | Protection node: China (Beijing) | Protection node: China (Hangzhou) |
China (Beijing) | Strong protection. Mitigation capability of 1 Tbps or higher. | / | Low latency. Mitigation capability of 600 Gbps. | / |
China (Shanghai) | / | Strong protection. Mitigation capability of 1 Tbps or higher. | / | Low latency. Mitigation capability of 600 Gbps. |
China (Chengdu) | / | Strong protection. Mitigation capability of 1 Tbps or higher. | Low latency. Mitigation capability of 600 Gbps. | / |
China (Guangzhou) | Strong protection. Mitigation capability of 1 Tbps or higher. | / | / | Low latency. Mitigation capability of 600 Gbps. |
China (Hangzhou) | Strong protection. Mitigation capability of 1 Tbps or higher. | / | / | Low latency. Mitigation capability of 600 Gbps. |
China (Shenzhen) | Strong protection. Mitigation capability of 1 Tbps or higher. | / | / | Low latency. Mitigation capability of 600 Gbps. |
FAQ
What is a root domain (site)?
The full domain name that a user registers is defined as a "root domain". For example:
aliyun.com is a root domain.
Subdomains (such as www.aliyun.com and abc.aliyun.com) and wildcard domain names (such as *.aliyun.com) are not root domains, but they all belong to the same root domain (site), aliyun.com.
How does Anti-DDoS Proxy differ from Anti-DDoS Origin? Which service should I choose?
The core differences are the connection type and protection scope.
Anti-DDoS Proxy: Uses a proxy-based traffic scrubbing model. It protects services by diverting traffic and supports servers on Alibaba Cloud and outside Alibaba Cloud (such as in data centers or on other clouds). It can mitigate network-layer and application-layer (CC) attacks. This is suitable for use cases that require high mitigation capabilities and service availability.
Anti-DDoS Origin: Uses an enhancement model. It directly increases the default mitigation threshold for Alibaba Cloud assets, such as ECS and SLB. It is easy to connect and does not require DNS changes. It mainly targets network-layer attacks.
Recommendations:
Choose Anti-DDoS Proxy: If your service is a website, needs to defend against CC attacks, is not hosted on Alibaba Cloud, or requires extremely high mitigation capabilities.
Choose Anti-DDoS Origin: If your service is a non-website service on Alibaba Cloud and you want a simplified connection process.