DCDN identifies and blocks attacks at edge POPs, protecting your websites, APIs, and applications. This FAQ covers DDoS mitigation and WAF.
Does DCDN stop acceleration during a DDoS attack?
No, but performance degrades. During an attack, all traffic routes through Anti-DDoS Proxy scrubbing centers. Only clean traffic returns to DCDN for acceleration.
Does CDN support DDoS attack protection?
No. Migrate your domain from CDN to DCDN and enable DDoS mitigation.
To use CDN with DDoS protection, configure the CDN or DCDN interaction feature with Anti-DDoS Proxy.
Why am I getting domain limit errors?
Two factors limit domain names for DDoS mitigation:
-
Root domain limit: Supported root domains = Purchased protected domains / 10.
-
Subdomain limit: Up to 10 subdomains per root domain.
For example, if you purchase 10 protected domains, you can protect one root domain (10 / 10 = 1), such as aliyundoc.com, and up to 10 subdomains, such as *.aliyundoc.com and *.*.aliyundoc.com.
When is a DDoS mitigation session consumed?
When a DDoS attack reroutes traffic to a scrubbing center, Alibaba Cloud sends a notification. Each notification consumes one mitigation session. The protection window is 24 hours — all attacks within this window consume only one session.
Is attack traffic billed during an attack?
No. During an attack, all traffic routes to a scrubbing center. You are not billed for traffic or bandwidth from intercepted malicious requests.
How is secure traffic billed?
Domains with DDoS mitigation enabled incur a separate secure traffic charge on all outbound traffic, regardless of your billing method (pay-by-traffic or pay-by-peak-bandwidth). Billing of DDoS mitigation.
Do resource plans cover secure traffic?
No. Resource plans do not cover secure traffic. Domains with DDoS mitigation enabled are billed separately for all outbound traffic.
Can I use Anti-DDoS Proxy with DCDN DDoS mitigation?
No. A domain can be protected by either an Anti-DDoS Proxy instance or the DCDN DDoS mitigation feature, but not both.
Resuming acceleration after an attack
Recovery time depends on the attack type:
-
Layer 4 DDoS: acceleration resumes 3 days after the attack stops.
-
Layer 7 CC: acceleration resumes 1 day after the attack stops.
-
If you have special requirements, you can submit a ticket to request expedited restoration.
Why do health checks fail?
-
Health checks probe your origin server from 47.97.249.17 and 47.244.34.181. If your origin server uses an IP allowlist, add these addresses to ensure health checks work.
-
Verify that the health check file path is accessible. When a health check probes a single file, it only verifies that file over the DDoS mitigation path. If the file is moved or deleted, the health check fails.
What happens if I disable DDoS mitigation?
If an unprotected domain is attacked, it may be sandboxed, suspending acceleration. Introduction to sandboxes.
Why do I get the "domain already in Anti-DDoS Proxy" error?
A domain can be protected by either an Anti-DDoS Proxy instance or the DCDN DDoS mitigation feature, but not both.
Remove the domain from the Anti-DDoS Proxy console first. Wait about 5 minutes, then add it to DCDN and enable DDoS mitigation.