Anti-DDoS Origin is a security service that enhances protection against DDoS attacks for Alibaba Cloud services. Anti-DDoS Origin directly protects cloud services and imposes no limits, which is different from Anti-DDoS Pro and Anti-DDoS Premium. You do not need to change the IP addresses of the assets that you want to protect. You do not need to consider the limits on the number of Layer 4 ports and the number of Layer 7 domain names. Anti-DDoS Origin is easy to deploy. You need to only add the IP address of an asset to Anti-DDoS Origin for protection. The protection for the resource only requires a few minutes to take effect.

Limits

Anti-DDoS Origin Enterprise instances are available only in the Chinese mainland. If you want to purchase an Anti-DDoS Origin Enterprise instance in a region that is outside the Chinese mainland, submit a ticket to contact a pre-sales business development manager.

Assets that can be protected

You can use Anti-DDoS Origin to protect Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, elastic IP addresses (EIPs), EIPs that are associated with NAT gateways, simple application servers, Web Application Firewall (WAF) instances, and virtual private clouds (VPCs).

How Anti-DDoS Origin works

Anti-DDoS Origin protects the public IP addresses of Alibaba Cloud assets against Layer 3 and Layer 4 volumetric attacks. When the traffic exceeds the default scrubbing threshold of Anti-DDoS Origin, traffic scrubbing is automatically triggered to mitigate DDoS attacks.

Anti-DDoS Origin adopts passive scrubbing as a major protection policy and active blocking as an auxiliary policy to mitigate DDoS attacks. Anti-DDoS Origin uses conventional technologies such as reverse detection, blacklists, whitelists, and packet compliance. This way, your asset that Anti-DDoS Origin protects can work as expected even when an attack is ongoing. Anti-DDoS Origin deploys a DDoS attack detection and scrubbing system at the egress of an Alibaba Cloud data center. This system is deployed in bypass mode.

Scenarios

Anti-DDoS Origin is suitable for applications that are deployed on Alibaba Cloud. It meets the requirements for you when your service scale is large and you are sensitive to network quality. You have a low possibility of exposure to DDoS attacks. However, you may suffer significant economic losses if interruption or compromised response time of services occurs due to DDoS attacks. Anti-DDoS Origin allows you to enhance protection against DDoS attacks at a low cost. It also reduces the potential risk of DDoS attacks that target your services.

Anti-DDoS Origin is suitable for the following resources:
  • Assets that reside on Alibaba Cloud.
  • A large number of public IP addresses.
  • Services that require high clean bandwidth or queries per second (QPS).
  • IPv6-based inbound requests.

Editions

Anti-DDoS Origin is offered in two editions: Anti-DDoS Origin Basic and Anti-DDoS Origin Enterprise.
  • Anti-DDoS Origin Basic provides basic protection against DDoS attacks for public IP addresses of Alibaba Cloud assets free of charge. Anti-DDoS Origin Basic provides a mitigation capability of no more than 5 Gbit/s. For more information, see View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic.
  • Anti-DDoS Origin Enterprise provides best effort protection for public IP addresses of Alibaba Cloud resources after you purchase an instance. Best effort protection defends against DDoS attacks based on the total network capacity of Alibaba Cloud. The best effort protection capacity increases with the increase of the overall network capacity of Alibaba Cloud. You do not need to pay extra fees for the increase in capacity.
    • After you purchase an Anti-DDoS Origin Enterprise instance, the instance can protect the public IP addresses of Alibaba Cloud assets. For more information, see Assets that can be protected.
    • Anti-DDoS Origin provides on-demand Anti-DDoS Origin instances to mitigate DDoS attacks for servers in data centers outside the Chinese mainland. You can contact sales personnel to purchase on-demand instances.

    For more information about the billing of Anti-DDoS Origin, see Billing of Anti-DDoS Origin Enterprise.

Benefits

  • Allows you to immediately use the service after you purchase an instance. Supports quick deployment within one minute. Anti-DDoS Origin directly protects your cloud services. This eliminates the need to deploy mitigation plans and switch IP addresses.
  • Provides burstable protection. When your assets experience volumetric DDoS attacks, Anti-DDoS Origin uses all resources that reside in a region to provide best effort protection.
  • Adopts Alibaba Cloud Border Gateway Protocol (BGP) bandwidth resources across different Internet service providers (ISPs). These ISPs include China Telecom, China Unicom, China Mobile, China Education and Research Network (CERNET), and Great Wall Broadband Network. You can obtain fast access to the networks of these ISPs by using only one IP address.
  • Provides protection bandwidth as required. This can ensure service continuity and security for big promotions, event releases, and important services.
  • Supports protection capacity sharing among multiple IP addresses. This enhances protection for multiple IP addresses.
  • Protects IPv6 networks in multiple regions. For more information, see View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic.