A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.

Common DDoS attack types include:
  • Network layer attacks

    UDP amplification attacks, such as NTP flood attacks, fall under this category. These attacks send a wave of traffic to a network. This high volume of traffic congests the network, consumes the network bandwidth, and makes the network unresponsive.

  • Transport layer attacks

    SYN flood attacks and connection flood attacks fall under this category. These attacks consume the connection pool resources of a server to achieve denial-of-service (DoS).

  • Session layer attacks

    SSL attacks fall under this type of attack. These attacks consume the SSL session resources of a server to achieve DoS.

  • Application layer attacks

    Typical types of application layer attacks include DNS flood, HTTP flood, and dummy attacks. These attacks occupy application processing resources and consume the processing resources of a server to achieve DoS.

Best practices

You can mitigate attacks against your assets on Alibaba Cloud by using the following methods:
  • Reduce your attack surface and isolate resources and irrelevant services.
    • Configure a security group.

      You can configure security groups to open only the ports that are necessary for your services. This prevents access requests that are irrelevant to the service and protects your system against malicious scanning or unexpected exposure.

      For more information about security groups, see Create a security group.

    • Use a VPC.

      You can use a Virtual Private Cloud (VPC) to implement logical isolation within your network and prevent attacks from zombies.

      For more information about VPC, see Create an IPv4 VPC network.

  • Optimize the service architecture and leverage the public cloud to implement auto scaling and failover for your system.
    • Evaluate the performance of the service architecture.

      In the early stages of service deployment or during the operations, the technical team must perform a stress test on the service architecture to evaluate its throughput capability and provide detailed technical guidance for DDoS mitigation.

    • Use an elastic and redundant architecture.

      A single point of failure (SPOF) can be avoided by using load balancing or an active geo-redundancy architecture. If you deploy your services on Alibaba Cloud, you can use Server Load Balancer (SLB) to concurrently process access requests on multiple servers and balance the user access traffic among the servers. This reduces the workload on a single server and improves the throughput capability, which in turn helps mitigate DDoS attacks at the connection layer.

      For more information about SLB, see Overview.

    • Deploy Auto Scaling.

      Auto Scaling automatically scales your computing resources based on your service demands and policies. After you deploy Auto Scaling, the system mitigates session layer and application layer attacks and automatically adds servers when your services are under attack. This improves the processing performance and avoids severe impact on your services.

      For more information about Auto Scaling, see Activate and grant permissions to Auto Scaling.

    • Optimize DNS resolution.

      You can use intelligent DNS resolution to mitigate DNS attacks. In addition, we recommend that you host your services on multiple DNS service providers and optimize DNS resolution in the following ways:

      • Do not allow unsolicited DNS responses.
      • Drop quick retransmission packets.
      • Enable TTL.
      • Drop DNS queries and responses that are anomalous.
      • Drop unexpected or unsolicited DNS queries.
      • Enable authentication for the DNS client.
      • Cache responses.
      • Use ACLs.
      • Use ACLs, BCP38, and IP reputation.
    • Over-provision bandwidth.

      Test server performance to evaluate the bandwidth and the number of requests that your server can handle in normal business scenarios. Make sure that you buy more bandwidth than you need. This helps avoid any influence on normal users if the attack bandwidth is greater than the normal bandwidth.

  • Enhance server security and improve server performance, such as connections.
    Harden the OS and software to reduce the attack surface and increase the costs of attacks in the following ways:
    • Make sure that system files on the server are up-to-date, and update system patches in a timely manner.
    • Check all servers to know the sources of visitors.
    • Disable services and ports that you do not need. For example, enable only port 80 for web servers, or set policies on the firewall.
    • Limit the number of SYN semi-joins that are enabled at a single time, shorten the timeout for SYN semi-joins, and limit SYN and ICMP traffic.
    • Check logs for network devices and server systems. If vulnerabilities are detected on a server or the system time of a server changes, the server may be under attack.
    • Restrict file sharing outside the firewall. This reduces the opportunities that hackers intercept system files. If the attackers replace a file with a Trojan, the file transfer function goes down.
    • Make full use of network devices to protect network resources. You must consider such policy configurations when you configure a router as traffic control, packet filtering, semi-join timeout, garbage packet discarding, forged source data packet discarding, SYN threshold, disabling ICMP, or UDP broadcasts.
    • Restrict new TCP connections and control the transmission rate of suspected malicious IP addresses by using software firewalls such as iptable.
  • Monitor your services and prepare an emergency response plan.
    • Focus on Anti-DDoS Basic monitoring.

      If your services suffer from DDoS attacks, Anti-DDoS Basic sends alert information by using SMS or email. If the services suffer from heavy traffic attacks, it notifies you of alerts by means of phone calls. We recommend that you handle the alert immediately.

      For more information about how to configure alert message recipients and voice alert methods, see Configure DDoS Protection notification settings.

    • Use Cloud Monitor.

      Cloud Monitor can be used to collect and obtain monitoring metrics or custom monitoring metrics for Alibaba Cloud resources. These metrics are then used to test the availability of services and configure alerts.

      For more information about Cloud Monitor, see Overview.

    • Develop an emergency response plan.

      Develop an emergency response plan in advance based on your technical service architecture and human resources. If necessary, conduct technical drills in advance to test the response plan.

  • Select an optimal commercial security solution. Alibaba Cloud provides both free Anti-DDoS Basic and paid security solutions.
    • Web Application Firewall (WAF)

      WAF protects against transport layer attacks, session layer attacks, and application layer attacks for web applications, such as HTTP flood attacks.

      For more information, see What is Alibaba Cloud WAF?.

    • Anti-DDoS Origin

      Anti-DDoS Origin provides shared full protection against DDoS attacks for cloud services that use public IP addresses. Anti-DDoS Origin takes effect immediately after you purchase it.

      For more information about Anti-DDoS Origin, see What is Anti-DDoS Origin?.

    • Anti-DDoS Pro and Anti-DDoS Premium

      We recommend that you use Anti-DDoS Pro or Anti-DDoS Premium to protect against volumetric DDoS attacks.

      For more information about Anti-DDoS Pro and Anti-DDoS Premium, see What are Anti-DDoS Pro and Anti-DDoS Premium?.

    • Game Shield

      Game Shield is an industry solution proposed for the common DDoS attacks and HTTP flood attacks that occur in the gaming industry. Compared with Anti-DDoS Pro and Anti-DDoS Premium, Game Shield provides better protection at a lower cost.

      For more information about Game Shield, see What is Game Shield.


DDoS attacks have become a major concern due to their wide-range of impacts. DDoS attacks on Internet Service Providers (ISPs) can impact downstream customers.

Computer networks are shared environments. The stability must be maintained by each party. The behavior of one party may affect the whole network and the networks of other tenants. Therefore, you need to pay attention to the following items:
  • Do not establish a DDoS mitigation platform by using Alibaba Cloud services.
  • Do not release instances for which blackhole filtering is triggered.
  • Do not continuously replace, unbind, or add IP addresses, such as SLB IP addresses, Elastic IP addresses, or NAT gateway addresses to servers for which blackhole filtering is triggered.
  • Do not establish an IP address pool or allocate attack traffic over a large number of IP addresses to defend against attacks.
  • Do not use non-dedicated security services, such as CDN and OSS, to protect servers that are vulnerable to attacks.
  • Do not bypass the security rules by using multiple accounts.