Anti-DDoS Pro and Anti-DDoS Premium are proxy-based mitigation services provided by Alibaba Cloud to mitigate DDoS attacks. These services can be used to protect Internet servers against volumetric DDoS attacks. To protect servers against volumetric and resource exhaustion DDoS attacks, Anti-DDoS Pro and Anti-DDoS Premium forward traffic to the Alibaba Cloud anti-DDoS network by using DNS resolution.

How Anti-DDoS Pro and Anti-DDoS Premium work

You can connect your services to Anti-DDoS Pro or Anti-DDoS Premium by using domain names or ports. The domain names or service IP addresses are mapped to the IP addresses or CNAMEs of Anti-DDoS Pro or Anti-DDoS Premium instances based on the forwarding rules that you configured. This way, traffic is rerouted to the instances.

Inbound traffic passes through the anti-DDoS data center. Malicious traffic is scrubbed and filtered in the traffic scrubbing center and non-malicious traffic is forwarded back to the origin server by using forwarding ports. This ensures stable access to the origin servers.

Anti-DDoS Pro and Anti-DDoS Premium

Alibaba Cloud provides the following two services based on the region where your servers are deployed:
  • Anti-DDoS Pro: is suitable for the scenarios in which your servers are deployed in the Chinese mainland. Anti-DDoS Pro uses eight Border Gateway Protocol (BGP) lines at the Tbit/s level to protect servers against volumetric DDoS attacks.
  • Anti-DDoS Premium: is suitable for the scenarios in which your servers are deployed outside the Chinese mainland. Backed by the world-leading distributed near-origin traffic scrubbing capabilities, Anti-DDoS Premium mitigates DDoS attacks with all the capabilities that are available.

For more information, see Differences between the features of Anti-DDoS Pro and Anti-DDoS Premium.

Benefits

Anti-DDoS Pro and Anti-DDoS Premium are more stable and easier to deploy than traditional DDoS mitigation solutions. These services leverage high-quality BGP networks and intelligent protection technologies to provide strong and precise protection with high availability.

  • Easy deployment

    You can connect your services to Anti-DDoS Pro or Anti-DDoS Premium by using domain names or ports. The process requires up to five minutes. You do not need to install hardware or software or configure routers.

  • Massive protection bandwidth

    Anti-DDoS Pro and Anti-DDoS Premium each can mitigate a minimum of 8 Tbit/s of DDoS attacks in the Chinese mainland, and a minimum of 2 Tbit/s outside the Chinese mainland. These services protect servers against DDoS attacks at the network layer, transport layer, and application layer.

  • Precise protection

    Anti-DDoS Pro and Anti-DDoS Premium provide precise protection against various attacks on transactions, encryption services, Layer 7 applications, smart terminals, and online services.

  • Intelligent protection

    Anti-DDoS Pro and Anti-DDoS Premium automatically optimize protection algorithms and learn service traffic baselines from the protection analysis of volumetric and resource exhaustion DDoS attacks. This enables the services to identify malicious IP addresses, scrub traffic, and filter out attack traffic.

  • Burstable protection

    Anti-DDoS Pro and Anti-DDoS Premium support burstable protection. You can configure this feature in the Anti-DDoS Pro or Anti-DDoS Premium console. The settings take effect within seconds, and you do not need to install additional devices. Your services are not interrupted during the process. Therefore, you do not need to make any adjustments to your services.

  • Origin server security ensured

    Anti-DDoS Pro and Anti-DDoS Premium hide the IP addresses of origin servers. This way, attackers cannot identify the address of your origin server. This increases the security of your origin server.

  • Protection against volumetric DDoS attacks

    Volumetric DDoS attacks at the transport layer congest networks, leave data centers unavailable, interrupt your services, or even make the services stop responding. Based on technologies such as proxy, detection, rebound, authentication, blacklist, whitelist, and packet compliance, Anti-DDoS Pro and Anti-DDoS Premium implement IP reputation investigation, near-origin traffic scrubbing, and in-depth packet analysis of network fingerprints, user behavior, and content characteristics. These technologies block and filter out threats based on custom rules. This enables the protected services to provide external services even under continuous attacks.

  • Protection against resource exhaustion DDoS attacks (HTTP flood attacks)
    Anti-DDoS Pro and Anti-DDoS Premium integrate intelligent protection engines to protect against resource exhaustion DDoS attacks when application-layer services are interrupted under attacks. Anti-DDoS Pro and Anti-DDoS Premium also support URL-level threat filtering at custom frequencies to improve the protection success rate, protection efficiency, and work efficiency of O&M personnel. Intelligent protection engines provide effective protection by:
    • Learning your traffic to obtain traffic characteristics.
    • Dynamically generating normal service baselines.
    • Quickly discovering unusual traffic and characteristics.
    • Automatically participating in the analysis of attack characteristics.
    • Automatically generating a combination of multi-dimensional policies.
    • Dynamically executing or canceling protection policy instructions.
  • Stability and high availability
    • Anti-DDoS Pro and Anti-DDoS Premium use high-availability network protection clusters to prevent single point of failures and redundancy. The processing capabilities of Anti-DDoS Pro and Anti-DDoS Premium can be scaled up. They also offer automatic detection and attack policy matching to provide real-time protection and a scrubbing service availability of up to 99.99%.
    • Anti-DDoS Pro and Anti-DDoS Premium monitor the inbound traffic of traffic scrubbing centers and the CPU and memory resources of all servers in the traffic scrubbing centers. This helps ensure the availability of the traffic scrubbing centers. They also monitor the availability of server engines and have automatic disconnection and recovery mechanisms of the servers.
    • Anti-DDoS Pro and Anti-DDoS Premium monitor the availability of back-to-origin links, and automatically switch to secondary links when primary links are unstable. This ensures link availability.
    • Anti-DDoS Pro and Anti-DDoS Premium perform health checks on protected origin servers. If an origin server is not running at optimal capacity, the service traffic is forwarded to another origin server. They also monitor the HTTP status codes of origin servers and initiate back-to-origin or switchover operations when errors are detected.
  • Traffic scheduling

    Anti-DDoS Pro and Anti-DDoS Premium schedule traffic based on cloud service-specific security events and DNS resolution. If no DDoS attacks occur, they are dormant, and service traffic is directly forwarded to the origin server. If DDoS attacks occur, they automatically enable DDoS mitigation. You can customize the scheduling templates of Anti-DDoS Pro and Anti-DDoS Premium to automatically schedule DDoS mitigation based on your business requirements.

Scenarios

Anti-DDoS Pro and Anti-DDoS Premium are suitable for finance websites, e-commerce websites, portal websites, Internet egresses of public service networks, portals, and open platforms. They provide DDoS mitigation for important live streaming events and sales promotions. Anti-DDoS Pro and Anti-DDoS Premium protect against attacks and ransom-driven attacks, and prevent mobile applications from spam user registration, brushing, and fraudulent traffic.

We recommend that you use Anti-DDoS Pro and Anti-DDoS Premium in the following scenarios when security risks occur in the preceding industries:
  • Ransom-driven DDoS attacks occur.
  • DDoS attacks make your services inaccessible, and urgent protection is required to recover your services.
  • DDoS attacks occur frequently. Continuous protection against DDoS attacks is required to ensure service stability.

Differences between the features of Anti-DDoS Pro and Anti-DDoS Premium

The following table describes the features that are supported by Anti-DDoS Pro and Anti-DDoS Premium. The features that are not listed in the table are supported by both Anti-DDoS Pro and Anti-DDoS Premium.

Notice The table allows you to distinguish between Anti-DDoS Pro and Anti-DDoS Premium. We recommend that you choose Anti-DDoS Pro for servers deployed in the Chinese mainland and Anti-DDoS Premium for servers deployed outside the Chinese mainland.

A tick (√) indicates that the feature is supported and a cross (×) indicates that the feature is not supported.

Feature Description Anti-DDoS Pro Anti-DDoS Premium References
Instances -

Mainland China Acceleration (MCA)

MCA must be used with Anti-DDoS Premium of the Insurance or Unlimited mitigation plan. If your server is deployed outside the Chinese mainland, you can purchase an MCA instance to accelerate access to your services for users in the Chinese mainland. × Billing methods of the MCA mitigation plan

Configure Anti-DDoS Premium MCA

Instances -

Secure Mainland China Acceleration (Sec-MCA)

Anti-DDoS Premium supports Sec-MCA. This allows you to accelerate access from users in the Chinese mainland to services in regions outside the Chinese mainland. × Sec-MCA billing methods

Configure Anti-DDoS Premium Sec-MCA

Instances -

Global Advanced Mitigation

Global advanced mitigation must be used with Anti-DDoS Premium of the Insurance mitigation plan that provides two advanced mitigation sessions free of charge. If the two advanced mitigation sessions are exhausted, you can purchase more global advanced mitigation sessions. × Billing methods of global advanced mitigation sessions

Purchase global advanced mitigation sessions

Website Config -

Enable HTTP/2

In the Enter Site Information step, you can add a domain name and turn on Enable HTTP/2. × Add a website
Website Config -

Cname Reuse

In the Enter Site Information step, you can turn on CNAME Reuse. × Use the CNAME reuse feature
Sec-Traffic Manager -

Network Acceleration

You can select Network Acceleration when you add a rule on the General tab in the console. × Overview
Sec-Traffic Manager -

Sec-MCA

You can select Sec-MCA when you add a rule on the General tab in the console. × Overview
Protection for Infrastructure -

Diversion from Origin Server

The Diversion from Origin Server policy blocks traffic transmitted from regions outside the Chinese mainland over China Telecom or China Unicom lines. × Configure diversion from the origin server
Protection for Infrastructure -

Deactivate Blackhole Status

You can manually deactivate blackhole filtering in the console to recover services. × Deactivate blackhole filtering
Investigation -

Operation Logs

You can view the logs within the last 30 days on the Operation Logs page. × View operations logs
Investigation -

Adv. Mitigation Logs

You can view the logs within the last 30 days on the Adv. Mitigation Logs page. × Query advanced mitigation logs

Differences between the features of Anti-DDoS Pro instances that use IPv4 addresses and Anti-DDoS Pro instances that use IPv6 addresses

Anti-DDoS Pro instances can use IPv4 addresses or IPv6 addresses to forward access requests. The following table describes the features of Anti-DDoS Pro instances that use IPv4 addresses and Anti-DDoS Pro instances that use IPv6 addresses. The features that are not listed in the table are supported by both Anti-DDoS Pro instances that use IPv4 addresses and Anti-DDoS Pro instances that use IPv6 addresses.

A tick (√) indicates that the feature is supported and a cross (×) indicates that the feature is not supported.

Feature Anti-DDoS Pro instances that use IPv4 addresses Anti-DDoS Pro instances that use IPv6 addresses References
Blacklist and whitelist Configure the IP address blacklist and whitelist for an Anti-DDoS Pro or Anti-DDoS Premium instance

Configure blacklists and whitelists for domain names

UDP reflection attack mitigation × Use the feature of UDP Reflection Attacks Protection
Diversion from origin server × Configure diversion from the origin server
Location blacklist for Layer-4 requests × Configure blocked regions
Blocked region configuration for domain names Configure blocked regions for domain names
Blackhole filtering deactivating × Deactivate blackhole filtering
Connection to an ECS instance for which blackhole filtering is triggered Connect to an ECS instance for which blackhole filtering is triggered
Intelligent protection Use the intelligent protection feature
Accurate access control Configure accurate access control rules
Frequency control Configure frequency control
Global mitigation policy Configure the global mitigation policy
Intelligent protection × Configure intelligent protection
Anti-DDoS policies (Detection of DDoS attacks initiated from forged IP addresses, detection of requests that attempt to establish null sessions, and throttling for source IP addresses and destination IP addresses) √ (Throttling for source IP addresses is not supported. Other features are supported.) Create an anti-DDoS protection policy
Sec-Traffic Manager × Overview
Attack analysis × View information on the Attack Analysis page

DDoS cost protection

Anti-DDoS Pro and Anti-DDoS Premium support DDoS cost protection. These services safeguard against costs incurred due to the usage spikes on the protected Elastic Compute Service (ECS) or Server Load Balancer (SLB) instances caused by DDoS attacks. If the costs of any protected resources increase due to DDoS attacks, you can submit a ticket to obtain a voucher.