Alibaba Cloud has integrated security technologies and years of experience in DDoS mitigation to develop various commercial anti-DDoS solutions. You can select an anti-DDoS solution based on your business requirements. This topic describes how to select anti-DDoS solutions for different scenarios.

Scenarios

Scenario Applicable scope Description Mitigation plan
High-risk DDoS attacks (We recommend that you use Anti-DDoS Pro or Anti-DDoS Premium.)
  • DDoS attacks occur on websites, Internet egresses of public sector networks, portals and open platforms, important live streaming activities, and sales promotions. These websites refer to financial, e-commerce, and portal websites.
  • Ransom-driven DDoS attacks occur.
  • DDoS attacks freeze your services, and you want to recover your services at the earliest opportunity.
  • DDoS attacks frequently occur. Continuous protection against DDoS attacks is required to ensure service stability.
  • Mobile applications encounter spam user registration, brushing, and fraudulent traffic.
Anti-DDoS Pro and Anti-DDoS Premium can protect Alibaba Cloud Elastic Compute Service (ECS) instances and servers that are deployed on third-party public clouds from volumetric DDoS attacks. Anti-DDoS Pro and Anti-DDoS Premium can route network traffic to the global anti-DDoS network of Alibaba Cloud by using DNS resolution, scrub the traffic of volumetric and resource exhaustion attacks, and hide the IP addresses of origin servers. Select a mitigation plan of Anti-DDoS Pro or Anti-DDoS Premium based on the following descriptions:
  • Anti-DDoS Pro Profession: applies to scenarios in which your servers are deployed in the Chinese mainland and your services are provided to users who are located in the Chinese mainland.
  • Anti-DDoS Premium Insurance or Unlimited: applies to scenarios in which your servers are deployed outside the Chinese mainland and your services are provided to users who are located outside the Chinese mainland.
  • Anti-DDoS Premium MCA or Anti-DDoS Premium Sec-MCA: applies to scenarios in which your servers are deployed outside the Chinese mainland and your services are provided to users who are located in the Chinese mainland.
Low-risk DDoS attacks on large-scale services (We recommend that you use Anti-DDoS Origin.)
  • Service resources are deployed on Alibaba Cloud.
  • Large-scale services are running. For example, the clean bandwidth is greater than 1 Gbit/s, and the queries per second (QPS) over HTTP and HTTPS is greater than 5,000.
  • A large number of public IP addresses need to be protected. For example, dozens or even thousands of IP addresses need to be protected.
  • A large number of ports need to be protected. For example, dozens of ports on each server need to be protected.
  • DDoS attacks occasionally occur.
  • IPv6-based access traffic exists.
Anti-DDoS Origin improves the DDoS mitigation capabilities for the Alibaba Cloud services that are assigned with public IP addresses. Anti-DDoS Origin uses the native protection network of Alibaba Cloud to mitigate volumetric DDoS attacks without changing the IP addresses of origin servers.
Select a mitigation plan of Anti-DDoS Origin based on the following descriptions:
  • Anti-DDoS Origin Basic is activated by default.
  • Anti-DDoS Origin Basic mitigates DDoS attacks of up to 5 Gbit/s. If this mitigation capability does not meet your business requirements, we recommend that you use Anti-DDoS Origin Enterprise. For more information, see Anti-DDoS Origin Enterprise.
    • Anti-DDoS Origin Enterprise and SLB: applies to scenarios in which you want to mitigate only DDoS attacks. In these scenarios, you can use SLB to discard traffic whose protocol and port are not specified in the SLB listener to improve protection capabilities.
    • Anti-DDoS Origin Enterprise and WAF: applies to scenarios in which you want to mitigate DDoS attacks, web attacks, and HTTP flood attacks. In these scenarios, you can use WAF to mitigate HTTP flood attacks and Anti-DDoS Origin Enterprise to mitigate volumetric DDoS attacks to improve protection capabilities.
  • If you want to mitigate DDoS attacks at the Tbit/s level, we recommend that you use Elastic IP addresses (EIPs) that have Anti-DDoS (Enhanced Edition) enabled together with EIP bandwidth plans or data transfer plans.
DDoS attacks on mobile applications (We recommend that you use GameShield.)
  • Mobile gaming services are the main scenarios.
  • Services can integrate Alibaba Cloud SDKs.
  • Services require fine-grained protection for real-time data that is transmitted over custom transmission protocols.
  • Services require accelerated network transmission.
  • Services require encrypted network transmission.
  • The sources of DDoS attacks need to be traced.
GameShield can mitigate volumetric DDoS attacks and HTTP flood attacks in the gaming industry. GameShield integrates the lightweight Alibaba Cloud Security SDKs to eliminate DDoS attacks, HTTP flood attacks, and TCP flood attacks that are specific to the gaming industry faced by mobile applications. None

Service types

Service type Anti-DDoS Pro and Anti-DDoS Premium Anti-DDoS Origin GameShield
Websites √ √ ×
UDP-based services √ √ √
Applications √ √ ×
Games √ √ √(Recommended)

DDoS attack types

Symbol description:
  • √: indicates that mitigation is supported
  • ×: indicates that mitigation is not supported
Attack type Anti-DDoS Pro and Anti-DDoS Premium Anti-DDoS Origin GameShield
Malformed packet attacks √ √ √
Transport layer DDoS attacks √ √ √
Domain Name Service (DNS) attacks √

Anti-DDoS Pro and Anti-DDoS Premium scrub DNS attacks. If you want to protect DNS servers from DNS attacks, you must use anti-DDoS technologies that are specific to DNS services.

√

Anti-DDoS Origin scrubs DNS attacks. If you want to protect DNS servers from DNS attacks, you must use anti-DDoS technologies that are specific to DNS services.

×
Connection-based DDoS attacks √ Anti-DDoS Origin will soon be available to mitigate connection-based DDoS attacks. √
Application-layer attacks √ Anti-DDoS Origin will soon be available to mitigate application-layer attacks. ×