Elastic Compute Service: What is Anti-DDoS Origin Basic

Last Updated: Apr 21, 2026

Anti-DDoS Origin Basic is a free service that throttles or scrubs inbound traffic to ECS instances when DDoS attacks or traffic anomalies are detected.

Note

Anti-DDoS Origin Basic provides up to 5 Gbit/s of free DDoS mitigation. The actual mitigation capacity varies by instance type. Check your ECS instance's capacity in the Traffic Security console. See What is Security Center and View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic.

How Anti-DDoS Origin Basic works

DDoS traffic scrubbing

After Anti-DDoS Origin Basic is activated, inbound traffic to ECS instances is monitored in real time. When suspicious traffic such as DDoS attack traffic is detected, Anti-DDoS Origin Basic redirects traffic to a scrubbing device. The scrubbing device removes malicious traffic and forwards legitimate traffic back to the ECS instances. This process is called traffic scrubbing. See What is Anti-DDoS Origin.

Note

When inbound Internet traffic to an ECS instance exceeds 5 Gbit/s, Anti-DDoS Origin Basic triggers blackhole filtering. All traffic to the instance is dropped and all Internet access is blocked to protect cluster-wide security. See Alibaba Cloud blackhole policy.

Conditions for triggering traffic scrubbing

Traffic scrubbing is triggered when either of the following conditions is met:

  • Traffic pattern: Inbound traffic matches a known attack pattern.

  • Traffic volume: Inbound traffic to an ECS instance exceeds a configured threshold.

Methods of traffic scrubbing

Traffic scrubbing methods include filtering attack packets, throttling bandwidth, and throttling the packet forwarding rate. You can configure traffic scrubbing thresholds for the following metrics:

  • BPS-based scrubbing threshold: Triggers scrubbing when inbound traffic exceeds this value.

  • PPS-based scrubbing threshold: Triggers scrubbing when the inbound packet forwarding rate exceeds this value.

Scrubbing thresholds for ECS instances

Note

Supported regions: China (Heyuan), China (Guangzhou), China (Chengdu), China (Hohhot), China (Ulanqab), China (Hong Kong), UAE (Dubai), UK (London), Germany (Frankfurt), Philippines (Manila), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Japan (Tokyo), US (Virginia), US (Silicon Valley), and Singapore.

The scrubbing threshold of an ECS instance depends on the purchased public bandwidth and instance type.

| Purchased public bandwidth (Mbit/s) | Maximum BPS-based scrubbing threshold (Mbit/s) | Maximum PPS-based scrubbing threshold (pps) |
| --- | --- | --- |
| ≤ 300 | Lower of: maximum bandwidth of the instance type, or 450. | Lower of: maximum packet forwarding rate of the instance type, or 100,000. |
| > 300 | Lower of: maximum bandwidth of the instance type, or purchased bandwidth × 1.5. | Lower of: maximum packet forwarding rate of the instance type, or purchased bandwidth × 1,000. |

Note

Example: For an ecs.g5.16xlarge instance with 100 Mbit/s purchased public bandwidth, the maximum bandwidth is 20,000 Mbit/s and the maximum packet forwarding rate is 4,000,000. The scrubbing thresholds are calculated as follows:

| Purchased public bandwidth (Mbit/s) | Maximum BPS-based scrubbing threshold (Mbit/s) | Maximum PPS-based scrubbing threshold (pps) |
| --- | --- | --- |
| 100 < 300 | 20,000 or 450, whichever is smaller. The result is 450. | 4,000,000 or 100,000, whichever is smaller. The result is 100,000. |

The actual scrubbing threshold displayed in the Traffic Security console prevails. See View the Assets page.
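The threshold rules and the 5 Gbit/s blackhole limit described above can be combined into a volume-only check for capacity planning or alert tuning. This is an added example, not Alibaba Cloud code: the function names and the traffic samples are constructed, and pattern-based scrubbing triggers are not modelled.

```python
# Added example: volume-based scrubbing/blackhole classification using the
# threshold rules from this page. Names and sample readings are constructed.
from dataclasses import dataclass

# 5 Gbit/s figure stated on the page; the real value varies by instance type.
BLACKHOLE_MBPS = 5_000


@dataclass(frozen=True)
class Thresholds:
    bps_mbps: float  # maximum BPS-based scrubbing threshold (Mbit/s)
    pps: float       # maximum PPS-based scrubbing threshold (pps)


def max_scrub_thresholds(purchased_mbps, inst_max_mbps, inst_max_pps):
    """Maximum scrubbing thresholds for one instance, per the page's rules."""
    if purchased_mbps < 0:
        raise ValueError("purchased bandwidth must be non-negative")
    if purchased_mbps <= 300:
        bps_cap, pps_cap = 450, 100_000
    else:
        bps_cap, pps_cap = purchased_mbps * 1.5, purchased_mbps * 1_000
    # The instance type's own limits always win when they are lower.
    return Thresholds(min(inst_max_mbps, bps_cap), min(inst_max_pps, pps_cap))


def classify(inbound_mbps, inbound_pps, t):
    """Return 'normal', 'scrub:<reasons>' or 'blackhole' for one reading."""
    if inbound_mbps > BLACKHOLE_MBPS:
        return "blackhole"
    reasons = []
    if inbound_mbps > t.bps_mbps:
        reasons.append("bps")
    if inbound_pps > t.pps:
        reasons.append("pps")
    return "scrub:" + "+".join(reasons) if reasons else "normal"


if __name__ == "__main__":
    # ecs.g5.16xlarge figures quoted on the page: 20,000 Mbit/s, 4,000,000 pps.
    t = max_scrub_thresholds(100, 20_000, 4_000_000)
    # Constructed traffic samples: (Mbit/s, pps)
    for sample in [(80, 20_000), (90, 150_000), (600, 90_000), (5_200, 900_000)]:
        print(sample, "->", classify(*sample, t))
```

A small-packet flood can cross the PPS threshold while staying well under the BPS threshold, which is why both metrics are checked independently.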

References

Anti-DDoS Origin Basic is enabled by default for ECS instances. After you create an ECS instance, you can:

  • Configure traffic scrubbing thresholds. By default, the maximum thresholds for the instance type are used. Adjust thresholds based on your business requirements.

  • (Not recommended) Cancel traffic scrubbing. Scrubbing may affect normal traffic. You can disable it manually, but this is not recommended.

    Warning

    After traffic scrubbing is disabled for an ECS instance, all traffic to the instance is routed to a blackhole when inbound traffic to the instance exceeds 5 Gbit/s. Proceed with caution.

  • For enhanced DDoS protection with BGP network quality, AI-based defense, and higher mitigation capacity, see What is Anti-DDoS Proxy?

  • See Choose the right DDoS protection for your business.