
Edge Security Acceleration: DDoS

Last Updated: Mar 26, 2025

Edge Security Acceleration (ESA) provides DDoS protection by default to defend your website against volumetric DDoS attacks and HTTP flood attacks. Depending on your plan, ESA offers DDoS protection services with varying protection capabilities, which can be fine-tuned to your needs. ESA aims to minimize downtime so that your website resumes operations as quickly as possible.

How DDoS protection works

Distributed denial of service (DDoS) attacks generate high traffic volume (Layer 4 attacks) or large numbers of requests (Layer 7 attacks) to overwhelm your online business. Attackers control multiple computers to send many requests to your servers or network resources. The resulting overload disrupts or completely interrupts the servers, ultimately preventing your normal users from accessing your online business.

ESA provides two protection levels: basic DDoS protection and Tbps-level best-effort protection. DDoS protection is integrated with ESA by default and quickly mitigates attack impact through a layered defense system. The edge-native architecture of ESA maximizes acceleration while providing DDoS protection. In addition, if your website is under a DDoS attack, ESA continues to accelerate and protect your website, unlike some other proxy services that may disable acceleration in such cases.


What is basic DDoS protection

The Entrance, Pro, and Premium plans provide the basic DDoS protection (or platform-level protection) by default. It can protect against DDoS attacks of up to 10 Gbps but does not guarantee specific thresholds or durations for mitigating attack impacts.

When an attack occurs, ESA defends at the point of presence (POP). If the attack continues to increase, it may impact acceleration quality. If your website faces a high risk of DDoS attacks or you want stable protection, contact us to upgrade to the Enterprise plan.

What is best-effort protection

If you are on the Enterprise plan, you can purchase the best-effort protection up to Tbps level. It also provides protection for Layer 4 proxy services.

When large-scale DDoS attacks occur, all ESA POPs can defend against DDoS attacks in real time. When the DDoS attack bandwidth exceeds the protection limit of specific POPs, incoming requests are redirected to larger POPs.

Best-effort protection supports HTTP DDoS attack protection and deep learning and protection.

HTTP DDoS attack protection

Note

Only best-effort protection supports HTTP DDoS attack protection.

What is HTTP DDoS attack protection

During CC attacks (Layer 7 attacks), some attack traffic may reach your origin server within a short period, consuming your origin server resources and affecting access for your normal users.

HTTP DDoS attack protection leverages mitigation rules developed from the attack and defense experience of Alibaba Cloud's anti-DDoS services to reduce sudden attack traffic directed at your origin server.

By default, protection is enabled at the Normal level, which you can adjust to enhance security or minimize false positives, depending on your risk assessment.

Set up HTTP DDoS attack protection

  1. In the ESA console, choose Websites and click the website name you want to manage.

  2. In the left navigation pane, select Security > DDoS.

  3. On the Protection Settings tab, click Configure in the HTTP DDoS Attack Protection section.

  4. Click OK.

Deep learning and protection

Note

Only best-effort protection supports Deep Learning and Protection.

Billing

HTTP requests blocked by deep learning and protection are not billed and do not count toward your plan quota.

What is deep learning and protection

HTTP DDoS attack protection uses general rules to immediately reduce the volume of attack requests directed at your origin server. However, these rules may be insufficient against dynamic CC attacks.

In this case, deep learning and protection is a better choice. It continuously analyzes attack characteristics after an incident and generates dynamic strategies. Generating these strategies may take several minutes, during which general rules continue to mitigate attacks in real time. While these intelligent strategies enhance protection, they may still result in some false positives.

By default, protection is enabled at the Normal level, which you can adjust to enhance security or minimize false positives, depending on your risk assessment.

Set up deep learning and protection

  1. In the ESA console, choose Websites and click the website name you want to manage.

  2. In the left navigation pane, select Security > DDoS.

  3. On the Protection Settings tab, click Configure in the Deep Learning and Protection section.

  4. Click OK.

Protection capabilities

Protection capabilities vary based on specifications, and the protection for the Chinese mainland is independent of that for regions outside the Chinese mainland.

Important

If the attack exceeds the limit, blackhole filtering is activated, which temporarily blocks all traffic to prevent further damage. This results in service interruption for your website.

For the Chinese mainland

  • Protection capacity of 30–300 Gbit/s: This protection safeguards against attacks of at least 30 Gbps, with a configurable burstable protection bandwidth of up to 300 Gbps (e.g., 200 Gbps). Actual attack bandwidth between 30 Gbps and your set limit is billed at burstable protection pricing.

  • Protection capacity of 60–600 Gbit/s: This protection safeguards against attacks of at least 60 Gbps, with a configurable burstable protection bandwidth of up to 600 Gbps (e.g., 500 Gbps). Actual attack bandwidth between 60 Gbps and your set limit is billed at burstable protection pricing.

Outside the Chinese mainland

  • Protection capacity of up to 300 Gbit/s with Anycast: Protects against attacks of up to 300 Gbit/s with no burstable protection bandwidth fees.

  • Protection capacity of up to 1 Tbit/s with Anycast: Protects against Tbps-level attacks with no burstable protection bandwidth fees.

  • Protection capacity of up to 1 Tbit/s with Anycast (twice per month): Protects against Tbps-level attacks with no burstable protection bandwidth fees. However, only 2 protection sessions are provided per month.

FAQ

How is billing handled when attack bandwidth exceeds my protection limit?

If the attack bandwidth exceeds the protection limit, the attack bandwidth is not included in the bill for burstable protection bandwidth.

  • Example 1: You have purchased best-effort protection with a capability of 30 to 300 Gbps, and the actual incoming attack traffic reached 500 Gbps. ESA executed blackhole filtering. In this case, you will not be charged for the burstable protection bandwidth between 30 Gbps and 300 Gbps.

  • Example 2: You have purchased best-effort protection with a capability of 60 to 600 Gbps. However, ESA implemented blackhole filtering when incoming attack traffic reached 500 Gbps due to insufficient resources from simultaneous large-scale attacks. In this case, you will not be charged for the burstable protection bandwidth between 60 Gbps and 500 Gbps.

What happens if the service location of my website differs from the protection service I purchased?

For example, if your website service location is global but you have purchased best-effort protection only for the Chinese mainland, ESA routes requests to the Chinese mainland for traffic scrubbing during attacks on areas outside the Chinese mainland. However, to comply with ICP filing regulations, cross-region protection is not available for websites that are accelerated solely outside the Chinese mainland.

Availability

DDoS protection by plan:

  • Entrance: Basic DDoS Protection

  • Pro: Basic DDoS Protection

  • Premium: Basic DDoS Protection

  • Enterprise: Best-effort Protection