ESA protects against Distributed Denial-of-Service (DDoS) attacks by combining a DDoS data analytics dashboard with network-layer/transport-layer (L3/L4) and application-layer (L7) protection.
What is a DDoS attack
A Distributed Denial-of-Service (DDoS) attack does not aim to steal data. Instead, its goal is to exhaust your resources and paralyze your services. A DDoS attack is typically carried out in three steps:
Build a botnet: An attacker infects and controls a large number of internet-connected devices using methods such as viruses, trojans, and vulnerability exploits. These compromised devices form a massive, command-driven network known as a botnet.
Issue attack commands: The attacker uses a command and control (C&C) server to send attack commands to all compromised machines, specifying a target, such as an IP address or domain name.
Launch a concentrated attack: After receiving the commands, compromised machines distributed across the globe simultaneously send a massive volume of requests to your server, creating a flood of malicious traffic that overwhelms your service.
Because the attack originates from a large number of globally distributed sources, tracing and blocking the attack sources is extremely difficult.
Common types of DDoS attacks
DDoS attacks are categorized into two types based on the network layer they target:
Network-layer/transport-layer (L3/L4) attack
How it works: This type of attack primarily targets network infrastructure. It sends a large number of crafted TCP or UDP packets to quickly exhaust server bandwidth or connection tables, preventing legitimate user requests from reaching the server.
Common types: SYN Flood, UDP Flood, ACK Flood, etc.
Characteristics: High-volume, brute-force attacks designed to overwhelm the target with sheer traffic volume.
Application-layer (L7) attack
How it works: This type of attack mimics legitimate user behavior by sending a large number of seemingly valid requests, such as HTTP GET/POST, to the target application. Unlike attacks that congest the network, this method is designed to exhaust the server's application processing resources, such as CPU and memory.
Common type: HTTP Flood, also known as a CC attack (Challenge Collapsar).
Characteristics: Traffic volume is not necessarily large, but the requests are complex and designed to consume significant server resources. Attack traffic is mixed with legitimate user traffic, making it difficult to distinguish and mitigate.
How to identify a DDoS attack
Your service may be under a DDoS attack if you observe one or more of the following symptoms:
Your website or application suddenly becomes inaccessible or responds very slowly.
Network traffic surges abnormally, far exceeding normal peak business levels. You can observe this change in the Data Overview report on the Overview page of the ESA console.
Server CPU or memory usage spikes and remains at or near 100% for an extended period.
Logs show a massive number of requests, typically from a wide range of random IP addresses. You can use the Security Analytics feature under Security in the ESA console to quickly investigate.
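The last two symptoms above (a request surge coming from a wide spread of mostly-unrepeated source addresses) can be checked directly against raw access logs before the console report is even opened. The script below is an added example, not part of the original page and not ESA's own detection engine: it parses combined-style access-log lines, groups requests per second, and flags a second as a likely HTTP flood when the rate is far above a baseline and most source IPs appear only once in that second. The log lines are constructed, and the `baseline_rps`, `rate_factor` and `spread_threshold` values are illustrative tuning knobs, not ESA settings.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined-style access-log line: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def per_second_stats(lines):
    """Group requests by second; report volume and how spread out the sources are."""
    by_second = defaultdict(Counter)  # second -> Counter(ip -> request count)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = rec["ts"].strftime("%Y-%m-%dT%H:%M:%S")
        by_second[key][rec["ip"]] += 1
    stats = {}
    for key, ips in by_second.items():
        single_hit = sum(1 for n in ips.values() if n == 1)
        stats[key] = {
            "rps": sum(ips.values()),
            "distinct_ips": len(ips),
            # share of sources seen exactly once: high for random-IP floods
            "single_hit_share": single_hit / len(ips),
        }
    return stats


def flag_flood(stats, baseline_rps, rate_factor=10.0, spread_threshold=0.8):
    """Flag seconds whose rate is far above baseline AND whose sources are
    widely spread. Both conditions are required: a single busy client or a
    legitimate traffic peak from known clients should not trip this check."""
    return {
        key: (s["rps"] >= baseline_rps * rate_factor
              and s["single_hit_share"] >= spread_threshold)
        for key, s in stats.items()
    }


# --- constructed sample input (not real traffic) ---------------------------
def _line(ip, second, path):
    return (f'{ip} - - [12/Mar/2024:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "Mozilla/5.0"')


# Normal second: a few requests from two clients (documentation address range).
NORMAL = [_line("198.51.100.7", 0, "/index.html"),
          _line("198.51.100.7", 0, "/style.css"),
          _line("198.51.100.8", 0, "/index.html"),
          _line("198.51.100.8", 0, "/logo.png")]
# Flood second: 60 requests in one second, each from a different address.
FLOOD = [_line(f"203.0.113.{i}", 5, "/login") for i in range(1, 61)]
SAMPLE_LOG = NORMAL + FLOOD

if __name__ == "__main__":
    stats = per_second_stats(SAMPLE_LOG)
    for second, flagged in flag_flood(stats, baseline_rps=5).items():
        print(second, stats[second], "FLOOD" if flagged else "ok")
```

Run on a real log, set `baseline_rps` from a quiet period of the same site. The source-spread condition is what separates an L7 flood from an ordinary traffic peak, and it is also why this kind of attack is hard to block at the IP level: each address contributes only a request or two.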
DDoS protection in ESA
Category | Feature | Description |
--- | --- | --- |
Mitigate network-layer/transport-layer (L3/L4) attacks | Basic DDoS Protection (platform-level protection) | Provided by default for the Entrance, Pro, and Premium plans. Defends against DDoS attacks of up to 10 Gbps, but this value is not guaranteed. |
Mitigate network-layer/transport-layer (L3/L4) attacks | Best-Effort Protection | With Enterprise, you can purchase additional Best-Effort Protection of up to the Tbps level and simultaneously protect Layer 4 proxy services. |
Mitigate application-layer (L7) attacks | HTTP DDoS Attack Protection | Relies on general protection rules developed by the Alibaba Cloud anti-DDoS engine based on extensive historical attack and defense experience. These rules reduce the number of CC attacks that pass through to the origin server at the onset of an attack. When an attack occurs, the protection engine continuously learns the attack characteristics and intelligently generates dynamic, more targeted protection policies. This process improves blocking effectiveness and typically completes within minutes. |
DDoS attack data analysis | DDoS data analytics dashboard | ESA classifies DDoS attacks based on the network layer, provides statistics on attack peaks and bandwidth, and displays the real-time progress of traffic scrubbing events. |
DDoS attack data analysis | Attack Details tab | Provides a forensic log of detected and mitigated DDoS attacks. You can filter this log by time and attack type to investigate specific incidents. This view is useful for: |
Protection levels
Service region | Protection level | Description |
--- | --- | --- |
Chinese mainland | Guaranteed 30 Gbps, max 300 Gbps protection | Provides guaranteed protection for attacks up to 30 Gbps. You can also flexibly set a protection bandwidth up to 300 Gbps. For example, if you set it to 200 Gbps, attack bandwidth between 30 Gbps and 200 Gbps will be billed at the elastic protection price. If an attack exceeds your configured elastic protection bandwidth, a black hole is triggered, interrupting your site's services. |
Chinese mainland | Guaranteed 60 Gbps, max 600 Gbps protection | Provides guaranteed protection for attacks up to 60 Gbps. You can also flexibly set a protection bandwidth up to 600 Gbps. For example, if you set it to 500 Gbps, attack bandwidth between 60 Gbps and 500 Gbps will be billed at the elastic protection price. If an attack exceeds your configured elastic protection bandwidth, a black hole is triggered, interrupting your site's services. |
Global (excluding Chinese mainland) | Maximum 300 Gbps | Protects against attacks up to 300 Gbps. If an attack exceeds 300 Gbps, a black hole is triggered, interrupting your site's services. |
Global (excluding Chinese mainland) | Terabit-level Anycast unlimited protection (2 times/month) | Protects against attacks up to 1 Tbps and provides 2 protection instances per month. If an attack exceeds 1 Tbps, a black hole is triggered, interrupting your site's services. Note: Only network-layer attacks with a peak of over 20 Gbps consume a protection instance. Application-layer CC attacks do not consume instances. A network-layer attack event counts as one consumed instance approximately half an hour after it completely ends, at which point the counter resets. |
Global (excluding Chinese mainland) | Terabit-level Anycast unlimited protection (unlimited instances) | Protects against attacks up to 1 Tbps. If an attack exceeds the 1 Tbps protection limit, a black hole is triggered, interrupting your site's services. |
When attack traffic exceeds the protection threshold and triggers the black hole mechanism, the elastic attack bandwidth for this event is not billed.
Example 1: You purchase Best-Effort Protection with a guaranteed 30 Gbps and a maximum elastic protection of 300 Gbps. If the actual incoming attack traffic reaches 500 Gbps and ESA ultimately triggers a black hole, the elastic protection bandwidth from 30 Gbps to 300 Gbps for this event will not be billed.
Example 2: Assume that you purchased Best-Effort Protection with a guaranteed bandwidth of 60 Gbps and a maximum elastic protection of 600 Gbps. If the ESA platform has insufficient protection resources due to multiple concurrent large-scale attacks, and ESA prematurely triggers a black hole when inbound attack traffic to your online services reaches 500 Gbps, you will not be billed for the elastic protection bandwidth used between 60 Gbps and 500 Gbps.
Protection for the Chinese mainland is independent of protection for Global (excluding Chinese mainland) regions. For example, if your site is accelerated globally but you have purchased only the maximum elastic 600 Gbps Best-Effort Protection for the Chinese mainland, ESA will make a best effort to route requests to the Chinese mainland for traffic scrubbing when a region outside the Chinese mainland comes under attack. Due to issues such as ICP filing, cross-region protection is not currently supported for sites that are accelerated globally (excluding the Chinese mainland).
For information on elastic protection pricing, please contact us.
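The guaranteed band, the configurable elastic ceiling, the black-hole rule and the not-billed-when-blackholed rule from the table and the two examples above interact, and it is easy to misjudge what a given attack peak costs or whether it will interrupt service. The following is an added example, not ESA's billing code: it models those rules exactly as the page states them so that a plan owner can check scenarios before setting an elastic ceiling. The `premature_blackhole` input is an assumption that stands in for the platform-capacity case in Example 2; the 20 Gbps instance-consumption threshold and the 2-per-month quota come from the Anycast protection-level description. All bandwidth figures passed in are constructed scenarios.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BestEffortPlan:
    """A Best-Effort Protection purchase: a guaranteed band plus the elastic
    ceiling the customer configures (up to the level's maximum)."""
    guaranteed_gbps: float
    configured_max_gbps: float


def blackholed(plan, peak_gbps):
    """A black hole is triggered when the attack exceeds the configured ceiling."""
    return peak_gbps > plan.configured_max_gbps


def billable_elastic_gbps(plan, peak_gbps, premature_blackhole=False):
    """Elastic bandwidth billed for one attack event.
    - at or below the guaranteed band: covered, nothing billed
    - between the guaranteed band and the configured ceiling: billed at the
      elastic price
    - event ends in a black hole (ceiling exceeded, or the platform triggered
      it early because of resource pressure): nothing billed for the event
    premature_blackhole is an assumed flag modelling the early-trigger case."""
    if premature_blackhole or blackholed(plan, peak_gbps):
        return 0.0
    return max(0.0, peak_gbps - plan.guaranteed_gbps)


def consumed_anycast_instances(events, threshold_gbps=20.0):
    """Instances used under the 'Terabit-level Anycast (2 times/month)' level.
    Only network-layer events peaking above threshold consume one; application-
    layer (CC) events never do. events: iterable of (layer, peak_gbps)."""
    return sum(1 for layer, peak in events
               if layer == "network" and peak > threshold_gbps)


def instances_remaining(events, monthly_quota=2):
    """Instances left in the month after the given events."""
    return max(0, monthly_quota - consumed_anycast_instances(events))


if __name__ == "__main__":
    # Constructed scenarios: a 30/300 plan with the ceiling left at the maximum.
    plan = BestEffortPlan(guaranteed_gbps=30, configured_max_gbps=300)
    print("150 Gbps attack, billed elastic Gbps:", billable_elastic_gbps(plan, 150))
    print("500 Gbps attack -> black hole:", blackholed(plan, 500),
          "billed:", billable_elastic_gbps(plan, 500))
    # Same plan with the ceiling set to 200 Gbps, as in the table's example.
    capped = BestEffortPlan(30, 200)
    print("250 Gbps attack on 200 Gbps ceiling -> black hole:", blackholed(capped, 250))
    # Anycast instance accounting for one month of constructed events.
    month = [("network", 50), ("network", 15), ("application", 900)]
    print("instances consumed:", consumed_anycast_instances(month),
          "remaining:", instances_remaining(month))
```

The practical point the model makes visible: lowering the elastic ceiling caps the maximum elastic bill, but any attack above that ceiling becomes an outage rather than a charge, so the ceiling should be chosen from the largest attack the site must stay up through, not from the budget alone.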
Feature availability by plan
Feature category | Detailed feature | Entrance (0 USD/month) | Pro (15 USD/month) | Premium (249 USD/month) | Enterprise (contact sales for custom pricing) |
--- | --- | --- | --- | --- | --- |
Basic DDoS protection | | | | | |
Unlimited protection | Contact sales for custom pricing | | | | |
HTTP DDoS attack protection | | | | | |
Deep Learning and Protection | | | | | |
Scenario policies | | | | | |