Edge Security Acceleration: DDoS

Last Updated: Sep 04, 2025

ESA combines data analytics dashboards with network-layer/transport-layer (L3/L4) and application-layer (L7) protection to defend your websites against Distributed Denial-of-Service (DDoS) attacks.

What is a DDoS attack

A DDoS attack is a malicious attempt to disrupt the availability of your applications and services. Unlike attacks that aim to steal data, a DDoS attack's primary goal is to overwhelm your service with a flood of internet traffic, rendering it slow or completely inaccessible to legitimate users.

How DDoS attacks work

DDoS attacks are typically executed in three phases:

  1. Building a botnet: Attackers infect a large number of internet-connected devices like computers, servers, and IoT (internet-of-things) devices with malware. This creates a network of compromised machines, known as a botnet, which the attacker can control remotely.

  2. Issuing commands: The attacker uses a Command and Control (C&C) server to send instructions to the botnet, directing all devices to target a specific victim, such as your website's IP address.

  3. Launching the attack: The entire botnet simultaneously sends a massive volume of requests or packets to the target. Because the traffic originates from thousands of distributed sources, it becomes difficult to distinguish malicious traffic from legitimate requests and to block the attack at its source.

Common types of DDoS attacks

DDoS attacks are generally categorized by the layer of the Open Systems Interconnection (OSI) model they target:

  • Network-layer/Transport-layer (L3/L4) attacks

    • How they work: They involve sending a high volume of packets using protocols like TCP or UDP. This creates a "traffic jam" that prevents legitimate user traffic from reaching your server.

    • Common examples: SYN Flood, UDP Flood, and ACK Flood.

    • Characteristics: These attacks are simple, brute-force attacks designed to overwhelm network capacity.

  • Application-layer (L7) attacks

    • How they work: These attacks mimic legitimate user behaviors by sending HTTP GET or POST requests to exhaust application-specific resources like CPU, memory, or database connections.

    • Common example: HTTP Flood, also known as a CC (Challenge Collapsar) attack.

    • Characteristics: While not always large in volume, these attacks are complex. Their requests consume significant server resources, and their similarity to legitimate traffic makes mitigation challenging without impacting real users.

How to identify a DDoS attack

You may be under a DDoS attack if you observe the following symptoms:

  • Service unavailability: Your website or application becomes extremely slow or completely inaccessible.

  • Network saturation: You see an abnormal and sudden spike in network traffic that far exceeds typical usage patterns. View this activity in the Data Overview section on the Overview page of the ESA console.

  • Server overload: Your server's CPU or memory usage consistently stays near or at 100%.

  • Anomalous log entries: Your logs show a massive number of requests originating from a wide and random distribution of IP addresses. Use Security Analytics under Security in the ESA console to investigate.
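As an added example that is not part of the ESA documentation or console, the two log-based symptoms above, a sudden request spike and a wide spread of source addresses, can be turned into a simple check over access-log lines. The log lines, the baseline rate and the thresholds below are constructed for illustration; the IP addresses come from the documentation ranges.

```python
import re
from collections import defaultdict

# Common Log Format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def minute_of(ts):
    # "04/Sep/2025:10:01:17 +0000" -> "04/Sep/2025:10:01"
    return ts[:17]

def bucket_requests(lines):
    """Per-minute request count and set of distinct source IPs."""
    buckets = defaultdict(lambda: {"requests": 0, "ips": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        b = buckets[minute_of(m.group("ts"))]
        b["requests"] += 1
        b["ips"].add(m.group("ip"))
    return buckets

def flag_flood_minutes(lines, baseline_rpm, spike_factor=10, min_ip_ratio=0.5):
    """Return (minute, requests, distinct_ips) for minutes that show both symptoms:
    a request rate far above the baseline and a wide spread of distinct sources.
    A spike from one or two addresses is not reported here; it is a different pattern."""
    flagged = []
    for minute, b in sorted(bucket_requests(lines).items()):
        distinct = len(b["ips"])
        ip_ratio = distinct / b["requests"]
        if b["requests"] >= spike_factor * baseline_rpm and ip_ratio >= min_ip_ratio:
            flagged.append((minute, b["requests"], distinct))
    return flagged

def make_line(ip, ts):
    # Helper to build constructed sample log lines (not captured traffic)
    return f'{ip} - - [{ts} +0000] "GET /index.html HTTP/1.1" 200 512'

# Constructed sample: a normal minute (6 requests from 2 clients), then a flood
# minute with 80 requests from 80 different addresses.
SAMPLE_LOG = [make_line("192.0.2.10", f"04/Sep/2025:10:00:{s:02d}") for s in range(0, 60, 20)]
SAMPLE_LOG += [make_line("192.0.2.11", f"04/Sep/2025:10:00:{s:02d}") for s in range(10, 60, 20)]
SAMPLE_LOG += [make_line(f"203.0.113.{i}", f"04/Sep/2025:10:01:{i % 60:02d}") for i in range(1, 81)]

if __name__ == "__main__":
    for minute, reqs, ips in flag_flood_minutes(SAMPLE_LOG, baseline_rpm=6):
        print(f"{minute}: {reqs} requests from {ips} distinct IPs (possible distributed flood)")
```

The baseline rate would normally come from the site's own historical traffic rather than a constant; the thresholds are tuning knobs, not fixed rules.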

DDoS protection features in ESA

Category: Mitigate network-layer/transport-layer (L3/L4) attacks

  • Basic Protection: ESA provides DDoS Basic Protection (platform-level protection) by default for the Entrance, Pro, and Premium plans. DDoS Basic Protection can mitigate DDoS attacks of up to 10 Gbps, but a specific protection level is not guaranteed.

  • Best-effort Protection: Enterprise plans can purchase Best-effort Protection, which provides terabit-level protection and also covers Layer 4 proxy services.

Category: Mitigate application-layer (L7) attacks

  • HTTPS DDoS attack mitigation: Uses general protection rules developed by the Alibaba Cloud anti-DDoS engine from extensive historical attack and defense data. These general rules reduce the number of CC attacks that reach the origin server.

  • Deep learning and protection: When an attack occurs, the anti-DDoS engine continuously learns the attack characteristics and then generates dynamic, targeted mitigation policies. This process usually completes within a few minutes.

DDoS attack data analytics

Interpreting the analytics dashboard

The analytics dashboard classifies DDoS attacks by the network layer they target. It provides statistics on peak attack throughput and bandwidth and displays the real-time progress of traffic scrubbing events.

Review historical attack details

You can filter the attack data by time range and attack type and view the details of each attack.