
Elastic Compute Service: Use a DDoS traffic scrubbing service to defend against Internet attacks

Last Updated: Nov 19, 2025

Alibaba Cloud provides a free Anti-DDoS feature by default for each public IP address. This feature can defend against low-volume DDoS attacks. For services that require high traffic volumes, advanced security features, and highly stable, low-latency communication, purchase Anti-DDoS Origin, or Anti-DDoS Pro and Anti-DDoS Premium, and then configure protected objects and mitigation policies.

Security risks

A distributed denial-of-service (DDoS) attack is one of the most significant security threats on the Internet today. Attackers control many "zombie" hosts to send a massive number of seemingly legitimate requests to a single target, such as your web server or application API. These requests can instantly exhaust your server's system resources, such as bandwidth, CPU, memory, or connections. This causes your server to respond slowly or even crash. As a result, legitimate users cannot access your services, which leads to direct financial losses and damages your brand reputation. Services such as e-commerce, online games, and financial payments are common targets for DDoS attacks. The risk of an attack is higher during promotions or major events.

Alibaba Cloud provides a basic Anti-DDoS service free of charge for each public IP address. The default mitigation capability provides protection of up to 5 Gbps. This basic layer of protection has the following limitations:

  1. Limited mitigation threshold: Modern attacks can reach tens or even hundreds of Gbps, so a 5 Gbps protection limit is easily breached. If the attack traffic exceeds this threshold, the system triggers blackhole filtering to protect the stability of the Alibaba Cloud regional network. Blackhole filtering discards all Internet traffic to your server, including both non-malicious traffic and attack traffic. This causes a complete service disruption.

  2. Limited protection types: The Free Edition primarily scrubs common network-layer and transport-layer attacks, such as UDP reflection attacks and SYN Floods. It cannot defend against application-layer attacks, such as HTTP Floods, also known as CC attacks. CC attacks mimic the behavior of real users and consume a server's CPU and memory resources, which makes them extremely harmful.

  3. No fine-grained policies: The Free Edition uses a one-size-fits-all automated policy. You cannot customize mitigation settings based on your service's needs. You also cannot obtain detailed attack reports and analysis.

Best practices

Reduce Internet exposure

DDoS attacks can occur only when you use public IP addresses and expose services to the Internet. If your services are for internal use only or serve specific user networks, you should avoid exposing them to the Internet. For more information, see Reduce the Internet exposure risk of ECS instances, Access cloud services over an internal network or a leased line, and Use PrivateLink to reduce unnecessary Internet communication.

Use the free Anti-DDoS edition

You can use the basic DDoS traffic scrubbing service without any purchase or configuration. Each public IP address has a traffic scrubbing threshold of 500 Mbps to 5 Gbps. If the attack traffic is below this threshold, the service automatically scrubs the traffic. It filters out attack traffic and allows non-malicious traffic to pass. The free Anti-DDoS edition can scrub only a few types of network-layer and transport-layer attacks, such as UDP reflection attacks, SYN Floods, and ACK Flood attacks. The Free Edition cannot scrub application-layer attacks, such as CC attacks. If the threshold is exceeded, blackhole filtering is triggered. All traffic to the attacked IP address is temporarily discarded. The Free Edition is suitable for defending against low-volume network-layer and transport-layer DDoS attacks.

  1. Go to the Traffic Security - Overview page.

    You can view the DDoS attack status of the assets under your account. This helps you determine if your assets are currently under or have previously experienced a DDoS attack.

  2. Go to the Traffic Security - Asset Center page. In the upper-left corner of the top menu bar, select the region where the asset is located.

  3. Select the tab of the cloud product you want to manage, such as ECS.

    You can view the security status of specific asset instances, such as ECS instances and EIPs.

Use a paid Anti-DDoS edition

The mitigation capability of the Free Edition is limited. If the attack traffic to a single IP address exceeds 5 Gbps, blackhole filtering is triggered for the attacked IP address, and your services on that IP address are interrupted. The Free Edition also cannot defend against application-layer attacks. If you experience volumetric attacks or application-layer attacks, or if you want more effective advanced mitigation policies, you should select a paid Anti-DDoS edition.

  • Anti-DDoS Origin: This service integrates natively with your cloud products, such as ECS and SLB. You do not need to change your IP address or DNS settings. When an attack occurs, traffic is automatically diverted to a dedicated traffic scrubbing center on the Alibaba Cloud backbone network. After the attack traffic is filtered out, the clean service traffic is forwarded to your server. The advantages of this service are transparent deployment and extremely low latency. It provides mitigation capabilities of up to hundreds of Gbps or even Tbps and offers fine-grained CC attack mitigation policies. To activate this service, see Purchase an Anti-DDoS Origin instance.

  • Anti-DDoS Pro and Anti-DDoS Premium: These services use DNS redirection or IP pointing to guide service traffic to globally distributed protection nodes. These nodes have massive bandwidth and powerful traffic scrubbing capabilities, and can effectively defend against large-scale DDoS attacks. After scrubbing, the clean traffic is securely forwarded back to your origin server, regardless of whether the origin server is hosted on Alibaba Cloud. This makes the services especially suitable for scenarios where you need to hide your origin IP address. To activate these services, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.

View attack status

Public IP addresses are common targets for DDoS attacks. Alibaba Cloud handles more than 100,000 DDoS attacks every day. If you did not consider the threat of DDoS attacks or perform related security hardening when you activated your service, you may find that your network service becomes inaccessible, experiences severe timeouts, or shows significantly degraded performance. If this occurs, go to the Traffic Security - Overview page to view current and historical attack information.

Set DDoS attack alerts

By default, you do not receive notifications when your IP address is under a DDoS attack. You can set the following alert rules to receive notifications. For more information, see CloudMonitor alerts (Anti-DDoS Origin) and CloudMonitor alerts (Anti-DDoS Pro and Anti-DDoS Premium).

  • Traffic Alerts: In CloudMonitor, you can set inbound and outbound traffic thresholds for your IP address. An alert is sent when traffic exceeds the threshold. This is effective because DDoS attacks often generate traffic volumes that are significantly higher than non-malicious traffic.

  • Event Alerts: In CloudMonitor, you can subscribe to alerts for DDoS blackhole filtering events and alerts on scrubbing events. When an Anti-DDoS action is triggered, a notification is sent through the CloudMonitor alert channel.
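
The traffic-alert reasoning above, as an added example that is not part of the Alibaba Cloud documentation: it derives an inbound-traffic alert threshold from a baseline of normal traffic and separately flags samples that exceed the free edition's scrubbing threshold, beyond which blackhole filtering applies. The sample values, the "3 x 95th percentile" policy, the two-sample persistence rule, and all function names are assumptions; CloudMonitor is not called.

```python
# Added example: offline model of a traffic-alert rule. All data is constructed.

def p95(values):
    """Nearest-rank 95th percentile of the baseline samples."""
    ordered = sorted(values)
    rank = (95 * len(ordered) + 99) // 100  # ceil(0.95 * n) in integer arithmetic
    return ordered[rank - 1]

def alert_threshold(baseline_mbps, multiplier=3):
    """Assumed policy: alert when traffic exceeds multiplier x normal p95."""
    return p95(baseline_mbps) * multiplier

def classify(samples_mbps, threshold_mbps, scrub_threshold_mbps=5000, consecutive=2):
    """Label each sample 'ok', 'alert' or 'blackhole_risk'.

    scrub_threshold_mbps is the per-IP free scrubbing threshold; the page
    gives a range of 500 Mbps to 5 Gbps, so pass the value shown for the asset.
    'alert' needs `consecutive` samples in a row above threshold_mbps, so a
    single short spike does not page anyone.
    """
    states, run = [], 0
    for mbps in samples_mbps:
        run = run + 1 if mbps > threshold_mbps else 0
        if mbps > scrub_threshold_mbps:
            # Above the free scrubbing threshold the page says all traffic
            # to the IP is discarded, so report this immediately.
            states.append("blackhole_risk")
        elif run >= consecutive:
            states.append("alert")
        else:
            states.append("ok")
    return states

# Constructed per-minute inbound bandwidth samples, in Mbps.
BASELINE = [40, 42, 38, 45, 50, 47, 41, 39, 44, 48,
            52, 46, 43, 40, 55, 49, 51, 45, 42, 60]
SAMPLES = [48, 52, 170, 60, 900, 2400, 5600, 6100, 58]

if __name__ == "__main__":
    limit = alert_threshold(BASELINE)
    print(f"alert threshold: {limit} Mbps")
    for mbps, state in zip(SAMPLES, classify(SAMPLES, limit)):
        print(f"{mbps:>6} Mbps  {state}")
```

An IP whose scrubbing threshold sits at the low end of the range reaches `blackhole_risk` earlier than the traffic alert fires, which is why the event alerts are worth subscribing to alongside the traffic alerts.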