Anti-DDoS Pro and Anti-DDoS Premium are proxy-based mitigation services provided by Alibaba Cloud to mitigate DDoS attacks. These services can be used to protect Internet servers against volumetric DDoS attacks. To protect servers against volumetric and resource exhaustion DDoS attacks, Anti-DDoS Pro and Anti-DDoS Premium forward traffic to the Alibaba Cloud anti-DDoS network by using DNS resolution.
How Anti-DDoS Pro and Anti-DDoS Premium work
You can connect your services to Anti-DDoS Pro or Anti-DDoS Premium by using domain names or ports. The domain names or service IP addresses are mapped to the IP addresses or CNAMEs of Anti-DDoS Pro or Anti-DDoS Premium instances based on the forwarding rules that you configured. This way, traffic is rerouted to the instances.
Inbound traffic passes through the anti-DDoS data center. Malicious traffic is scrubbed and filtered in the traffic scrubbing center and non-malicious traffic is forwarded back to the origin server by using forwarding ports. This ensures stable access to the origin servers.
Anti-DDoS Pro and Anti-DDoS Premium
- Anti-DDoS Pro: is suitable for the scenarios in which your servers are deployed in the Chinese mainland. Anti-DDoS Pro uses eight Border Gateway Protocol (BGP) lines at the Tbit/s level to protect servers against volumetric DDoS attacks.
- Anti-DDoS Premium: is suitable for the scenarios in which your servers are deployed outside the Chinese mainland. Backed by the leading distributed near-origin traffic scrubbing capabilities, Anti-DDoS Premium mitigates DDoS attacks with all the capabilities that are available.
For more information, see Differences between the features of Anti-DDoS Pro and Anti-DDoS Premium.
Benefits
Anti-DDoS Pro and Anti-DDoS Premium are more stable and easier to deploy than traditional DDoS mitigation solutions. These services leverage high-quality BGP networks and intelligent protection technologies to provide strong and precise protection with high availability.
- Easy deployment
You can connect your services to Anti-DDoS Pro or Anti-DDoS Premium by using domain names or ports. The process requires up to five minutes. You do not need to install hardware or software or configure routers.
- Massive protection bandwidth
Anti-DDoS Pro and Anti-DDoS Premium each can mitigate a minimum of 8 Tbit/s of DDoS attacks in the Chinese mainland, and a minimum of 2 Tbit/s outside the Chinese mainland. These services protect servers against DDoS attacks at the network layer, transport layer, and application layer.
- Precise protection
Anti-DDoS Pro and Anti-DDoS Premium provide precise protection against various attacks on transactions, encryption services, Layer 7 applications, smart terminals, and online services.
- Intelligent protection
Anti-DDoS Pro and Anti-DDoS Premium automatically optimize protection algorithms and learn service traffic baselines from the protection analysis of volumetric and resource exhaustion DDoS attacks. This enables the services to identify malicious IP addresses, scrub traffic, and filter out attack traffic.
- Burstable protection
Anti-DDoS Pro and Anti-DDoS Premium support burstable protection. You can configure this feature in the Anti-DDoS Pro or Anti-DDoS Premium console. The settings take effect within seconds, and you do not need to install additional devices. Your services are not interrupted during the process. Therefore, you do not need to make any adjustments to your services.
- Origin server security ensured
Anti-DDoS Pro and Anti-DDoS Premium hide the IP addresses of origin servers. This way, attackers cannot identify the address of your origin server. This increases the security of your origin server.
- Protection against volumetric DDoS attacks
Volumetric DDoS attacks at the transport layer congest networks, leave data centers unavailable, interrupt your services, or even make the services stop responding. Based on technologies such as proxy, detection, rebound, authentication, blacklist, whitelist, and packet compliance, Anti-DDoS Pro and Anti-DDoS Premium implement IP reputation investigation, near-origin traffic scrubbing, and in-depth packet analysis of network fingerprints, user behavior, and content characteristics. These technologies block and filter out threats based on custom rules. This enables the protected services to provide external services even under continuous attacks.
- Protection against resource exhaustion DDoS attacks (HTTP flood attacks) Anti-DDoS Pro and Anti-DDoS Premium integrate intelligent protection engines to protect against resource exhaustion DDoS attacks when application-layer services are interrupted under attacks. Anti-DDoS Pro and Anti-DDoS Premium also support URL-level threat filtering at custom frequencies to improve the protection success rate, protection efficiency, and work efficiency of O&M personnel. Intelligent protection engines provide effective protection by:
- Learning your traffic to obtain traffic characteristics.
- Dynamically generating normal service baselines.
- Quickly discovering unusual traffic and characteristics.
- Automatically participating in the analysis of attack characteristics.
- Automatically generating a combination of multi-dimensional policies.
- Dynamically executing or canceling protection policy instructions.
- Stability and high availability
- Anti-DDoS Pro and Anti-DDoS Premium use high-availability network protection clusters to prevent single point of failures and redundancy. The processing capabilities of Anti-DDoS Pro and Anti-DDoS Premium can be scaled up. They also offer automatic detection and attack policy matching to provide real-time protection and a scrubbing service availability of up to 99.99%.
- Anti-DDoS Pro and Anti-DDoS Premium monitor the inbound traffic of traffic scrubbing centers and the CPU and memory resources of all servers in the traffic scrubbing centers. This helps ensure the availability of the traffic scrubbing centers. They also monitor the availability of server engines and have automatic disconnection and recovery mechanisms of the servers.
- Anti-DDoS Pro and Anti-DDoS Premium monitor the availability of back-to-origin links, and automatically switch to secondary links when primary links are unstable. This ensures link availability.
- Anti-DDoS Pro and Anti-DDoS Premium perform health checks on protected origin servers. If an origin server is not running at optimal capacity, the service traffic is forwarded to another origin server. They also monitor the HTTP status codes of origin servers and initiate back-to-origin or switchover operations when errors are detected.
- Traffic scheduling
Anti-DDoS Pro and Anti-DDoS Premium schedule traffic based on cloud service-specific security events and DNS resolution. If no DDoS attacks occur, they are dormant, and service traffic is directly forwarded to the origin server. If DDoS attacks occur, they automatically enable DDoS mitigation. You can customize the scheduling templates of Anti-DDoS Pro and Anti-DDoS Premium to automatically schedule DDoS mitigation based on your business requirements.
Scenarios
Anti-DDoS Pro and Anti-DDoS Premium are suitable for finance websites, e-commerce websites, portal websites, Internet egresses of public service networks, portals, and open platforms. They provide DDoS mitigation for important live streaming events and sales promotions. Anti-DDoS Pro and Anti-DDoS Premium protect against attacks and ransom-driven attacks, and prevent mobile applications from spam user registration, brushing, and fraudulent traffic.
- Ransom-driven DDoS attacks occur.
- DDoS attacks make your services inaccessible, and urgent protection is required to recover your services.
- DDoS attacks occur frequently. Continuous protection against DDoS attacks is required to ensure service stability.
Differences between the features of Anti-DDoS Pro and Anti-DDoS Premium
The following table describes the features that are supported by Anti-DDoS Pro and Anti-DDoS Premium. The features that are not listed in the table are supported by both Anti-DDoS Pro and Anti-DDoS Premium.
A tick (√) indicates that the feature is supported and a cross (×) indicates that the feature is not supported.
| Feature | Description | Anti-DDoS Pro | Anti-DDoS Premium | References |
|---|---|---|---|---|
| Instances - Chinese Mainland Acceleration (CMA) | CMA must be used with Anti-DDoS Premium of the Insurance or Unlimited mitigation plan. If your server is deployed outside the Chinese mainland, you can purchase a CMA instance to accelerate access to your services for users in the Chinese mainland. | × | √ | Billing of Anti-DDoS Premium of the CMA mitigation plan Use an Anti-DDoS Premium instance of the MCA mitigation plan |
| Instances - Secure Chinese Mainland Acceleration (Sec-CMA) | Anti-DDoS Premium supports Sec-CMA. This allows you to accelerate access from users in the Chinese mainland to services in regions outside the Chinese mainland. | × | √ | Billing of Anti-DDoS Premium of the Sec-CMA mitigation plan |
| Instances - Global Advanced Mitigation | Global advanced mitigation must be used with Anti-DDoS Premium of the Insurance mitigation plan that provides two advanced mitigation sessions free of charge. If the two advanced mitigation sessions are exhausted, you can purchase more global advanced mitigation sessions. | × | √ | Billing of advanced mitigation sessions |
| Website Config - Enable HTTP/2 | In the Enter Site Information step, you can add a domain name and turn on Enable HTTP/2. | √ | √ | Add a website |
| Website Config - Cname Reuse | In the Enter Site Information step, you can turn on CNAME Reuse. | × | √ | Use the CNAME reuse feature |
| Sec-Traffic Manager - Network Acceleration | You can select Network Acceleration when you add a rule on the General tab in the console. | × | √ | Overview |
| Sec-Traffic Manager - Sec-CMA | You can select Sec-CMA when you add a rule on the General tab in the console. | × | √ | Overview |
| Protection for Infrastructure - Diversion from Origin Server | The Diversion from Origin Server policy blocks traffic transmitted from regions outside the Chinese mainland over China Telecom or China Unicom lines. | √ | × | Configure diversion from the origin server |
| Protection for Infrastructure - Deactivate Blackhole Status | You can manually deactivate blackhole filtering in the console to recover services. | √ | × | Deactivate blackhole filtering |
| Investigation - Operation Logs | You can view the logs within the last 30 days on the Operation Logs page. | √ | √ | Query operation logs |
| Investigation - Adv. Mitigation Logs | You can view the logs within the last 30 days on the Adv. Mitigation Logs page. | × | √ | Query advanced mitigation logs |
Differences between the features of Anti-DDoS Pro instances that use IPv4 addresses and Anti-DDoS Pro instances that use IPv6 addresses
Anti-DDoS Pro instances can use IPv4 addresses or IPv6 addresses to forward access requests. The following table describes the features of Anti-DDoS Pro instances that use IPv4 addresses and Anti-DDoS Pro instances that use IPv6 addresses. The features that are not listed in the table are supported by both Anti-DDoS Pro instances that use IPv4 addresses and Anti-DDoS Pro instances that use IPv6 addresses.
A tick (√) indicates that the feature is supported and a cross (×) indicates that the feature is not supported.
| Feature | Anti-DDoS Pro instances that use IPv4 addresses | Anti-DDoS Pro instances that use IPv6 addresses | References |
|---|---|---|---|
| Blacklist and whitelist | √ | √ | Configure the IP address blacklist and whitelist for an Anti-DDoS Pro or Anti-DDoS Premium instance |
| UDP reflection attack mitigation | √ | × | Use the feature of UDP Reflection Attacks Protection |
| Diversion from origin server | √ | × | Configure diversion from the origin server |
| Location blacklist for Layer-4 requests | √ | × | Configure blocked regions |
| Blocked region configuration for domain names | √ | √ | Configure a location blacklist for a domain name |
| Blackhole filtering deactivating | √ | × | Deactivate blackhole filtering |
| Connection to an Elastic Compute Service (ECS) instance for which blackhole filtering is triggered | √ | √ | Connect to an ECS instance for which blackhole filtering is triggered |
| Intelligent protection | Supported | √ | Use the intelligent protection feature |
| Accurate access control | √ | √ | Configure accurate access control rules |
| Frequency control | √ | √ | Configure frequency control |
| Global mitigation policy | √ | √ | Configure the global mitigation policy |
| Intelligent protection | √ | × | Configure intelligent protection |
| Anti-DDoS policies (Detection of DDoS attacks initiated from forged IP addresses, detection of requests that attempt to establish null sessions, and throttling for source IP addresses and destination IP addresses) | √ | √ (Throttling for source IP addresses is not supported. Other features are supported.) | Create an anti-DDoS protection policy |
| Sec-Traffic Manager | √ | × | Overview |
| Attack awareness | √ | × | View information on the Attack Analysis page |