All Products
Search
Document Center

Anti-DDoS:What is Anti-DDoS Proxy?

Last Updated:Aug 06, 2024

Anti-DDoS Proxy is a proxy-based service that is provided by Alibaba Cloud to mitigate volumetric and resource exhaustion DDoS attacks. Anti-DDoS Proxy can protect servers that are deployed on Alibaba Cloud, on third-party clouds, and in data centers. If volumetric DDoS attacks are launched against your service that is added to Anti-DDoS Proxy, Anti-DDoS Proxy forwards traffic to the anti-DDoS scrubbing centers by using DNS resolution for scrubbing and forwards only service traffic to the origin server. This topic describes the working principle, scenarios, and mitigation plans of Anti-DDoS Proxy.

How Anti-DDoS Proxy works

You can add your services to Anti-DDoS Proxy for protection by using domain names or ports. The domain names or service IP addresses are mapped to the IP addresses or CNAMEs of Anti-DDoS Proxy instances based on the forwarding rules that you configured. This way, traffic is rerouted to the instances.

Inbound traffic from the Internet passes through the anti-DDoS scrubbing centers. Malicious traffic is scrubbed and filtered out in the anti-DDoS scrubbing centers, and non-malicious traffic is forwarded back to the origin server by using forwarding ports. This ensures stable access to the origin servers.

image

Scenarios

Anti-DDoS Proxy is suitable for finance websites, e-commerce websites, portal websites, Internet egresses of public service networks, portals, and open platforms. Anti-DDoS Proxy provides DDoS mitigation for important live streaming events and sales promotions. Anti-DDoS Proxy protects against attacks, including ransom-driven attacks, and prevents mobile applications from encountering issues such as spam user registration, brushing, and fraudulent traffic.

When security risks occur in the preceding industries, we recommend that you use Anti-DDoS Proxy in the following scenarios:

  • Ransom-driven DDoS attacks occur.

  • Your services become inaccessible due to DDoS attacks, and urgent protection is required to recover your services.

  • DDoS attacks frequently occur. Continuous protection against DDoS attacks is required to ensure service stability.

Types

Alibaba Cloud provides the following services based on the region where your servers are deployed:

Anti-DDoS Proxy (Chinese Mainland)

Anti-DDoS Proxy (Chinese Mainland) is suitable for scenarios in which your servers are deployed in the Chinese mainland. Anti-DDoS Proxy (Chinese Mainland) uses eight Border Gateway Protocol (BGP) lines at the Tbit/s level to protect servers against volumetric DDoS attacks. Anti-DDoS Proxy (Chinese Mainland) provides Anti-DDoS Proxy (Chinese Mainland) instances of the Profession and Advanced mitigation plans. For more information, see Billing of Anti-DDoS Proxy (Chinese Mainland).

  • Profession mitigation plan: The mitigation capabilities are based on the basic protection bandwidth and burstable protection bandwidth that you specify when you purchase an instance.

  • Advanced mitigation plan: The basic protection bandwidth is 5 Gbit/s, and 2 advanced mitigation sessions are provided each calendar month.

    Note
    • Advanced mitigation leverages the anti-DDoS scrubbing centers of Alibaba Cloud in the current region to protect your services against DDoS attacks.

    • If the advanced mitigation sessions that are provided per calendar month are exhausted, you can purchase global advanced mitigation sessions. For more information, see Billing of advanced mitigation sessions.

Anti-DDoS Proxy (Outside Chinese Mainland)

Anti-DDoS Proxy (Outside Chinese Mainland) is suitable for scenarios in which your servers are deployed outside the Chinese mainland. Anti-DDoS Proxy (Outside Chinese Mainland) mitigates DDoS attacks by using distributed near-origin traffic scrubbing capabilities and all available mitigation capabilities. Anti-DDoS Proxy (Outside Chinese Mainland) provides the following mitigation plans. For more information, see Billing of Anti-DDoS Proxy (Outside Chinese Mainland).

  • Insurance mitigation plan

    The Insurance mitigation plan provides two advanced mitigation sessions per month and is suitable for scenarios in which your servers and users reside outside the Chinese mainland. The users are less likely to be targeted.

    If the advanced mitigation sessions that are provided per month are exhausted, you can purchase global advanced mitigation sessions. For more information, see Billing of advanced mitigation sessions.

  • Unlimited mitigation plan

    The Unlimited mitigation plan provides unlimited advanced mitigation sessions to continuously protect your services against DDoS attacks and is suitable for scenarios in which your servers and users reside outside the Chinese mainland.

  • Chinese Mainland Acceleration (CMA) mitigation plan

    The CMA mitigation plan only accelerates service access and does not provide DDoS mitigation capabilities. An Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan must be used together with an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan. If no attacks occur, the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan can accelerate service access. If your service is under attack, Anti-DDoS Proxy automatically switches traffic to the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan to mitigate the attacks.

    The CMA mitigation plan is suitable for scenarios in which your servers reside outside the Chinese mainland and your users reside in the Chinese mainland.

  • Secure Chinese Mainland Acceleration (Sec-CMA) mitigation plan

    The Sec-CMA mitigation plan provides DDoS scrubbing capabilities and accelerates service access and is suitable for scenarios in which your servers reside outside the Chinese mainland and your users reside in the Chinese mainland.

The following table describes the recommended Anti-DDoS solutions for servers deployed outside the Chinese mainland.

Scenario

Solution

Servers are deployed outside the Chinese mainland to serve users outside the Chinese mainland

Purchase an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan.

Servers are deployed outside the Chinese mainland to serve users in the Chinese mainland

  • Solution 1

    If your service, such as a gaming service, requires a low network latency, we recommend that you migrate your servers to regions in the Chinese mainland and purchase an Anti-DDoS Proxy (Chinese Mainland) instance to protect against DDoS attacks.

  • Solution 2

    If your servers cannot be migrated to regions in the Chinese mainland, you can purchase an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan. If no DDoS attacks are detected, the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan ensures smooth access for users in the Chinese mainland. For more information, see Configure an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan.

  • Solution 3

    If your servers cannot be migrated to regions in the Chinese mainland, you can purchase an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan. This solution can help mitigate DDoS attacks and accelerate cross-border service access. If attacks occur, you do not need to switch traffic between the instances. This helps prevent latency and packet loss. For more information, see Configure an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan.

Servers are deployed outside the Chinese mainland to serve users in and outside the Chinese mainland

  • Solution 1

    Separately deploy servers in regions in the Chinese mainland and outside the Chinese mainland. Servers that are deployed in regions in the Chinese mainland serve users in the Chinese mainland, and servers that are deployed in regions outside the Chinese mainland serve users outside the Chinese mainland. You can purchase an Anti-DDoS Proxy (Chinese Mainland) instance to protect servers that are deployed in regions in the Chinese mainland and purchase an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan to protect servers that are deployed in regions outside the Chinese mainland.

  • Solution 2

    If your servers cannot be migrated to regions in the Chinese mainland, you can purchase an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan. If no DDoS attacks are detected, the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan ensures smooth access for users in the Chinese mainland. For more information, see Configure an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan.

  • Solution 3

    If your servers cannot be migrated to regions in the Chinese mainland, you can purchase an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan. This solution can help mitigate DDoS attacks and accelerate cross-border service access. If attacks occur, you do not need to switch traffic between the instances. This helps prevent latency and packet loss. For more information, see Configure an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan.

Network latency

  • Anti-DDoS Proxy (Chinese Mainland): 73 ms to 113 ms for users in the Chinese mainland and about 313 ms for users outside the Chinese mainland

  • Anti-DDoS Proxy (Outside Chinese Mainland):

    • Insurance and Unlimited mitigation plans: 60 ms to 100 ms for users outside the Chinese mainland and about 300 ms for users in the Chinese mainland

    • CMA and Sec-CMA mitigation plans: less than 50 ms

References

For more information about advanced mitigation, see advanced mitigation.