All Products
Search
Document Center

Anti-DDoS:What is Anti-DDoS Origin?

Last Updated:Dec 09, 2024

Anti-DDoS Origin is a security service that enhances mitigation against DDoS attacks for Alibaba Cloud services. Anti-DDoS Origin directly protects Alibaba Cloud resources. You do not need to change the IP addresses of the resources that you want to protect or consider the limits on the number of Layer 4 ports or Layer 7 domain names. You need to only add the IP address of an asset to an Anti-DDoS Origin instance for protection. This topic describes how Anti-DDoS Origin works, the mitigation capabilities of Anti-DDoS Origin, and the details of each Anti-DDoS Origin edition.

How Anti-DDoS Origin works

Anti-DDoS Origin protects your resources against Layer 3 and Layer 4 volumetric attacks. When the traffic exceeds the default traffic scrubbing threshold of Anti-DDoS Origin, traffic scrubbing is automatically triggered to mitigate DDoS attacks.

Anti-DDoS Origin adopts passive scrubbing as a major mitigation approach and active blocking as an auxiliary approach to mitigate DDoS attacks. Anti-DDoS Origin uses conventional technologies such as reverse detection, blacklists, whitelists, and packet compliance. This way, your asset that is protected by Anti-DDoS Origin can work as expected even when an attack is ongoing. Anti-DDoS Origin deploys a DDoS attack detection and traffic scrubbing system at the egress of an Alibaba Cloud data center. This system is deployed in bypass mode.

Why choose Anti-DDoS Origin

  • Anti-DDoS Origin starts to protect your service immediately after you purchase an instance. Anti-DDoS Origin supports quick deployment within at least one minute. Anti-DDoS Origin directly protects your cloud services. This eliminates the need to deploy mitigation plans and switch IP addresses.

  • Anti-DDoS Origin provides burstable protection. When your assets experience volumetric DDoS attacks, Anti-DDoS Origin uses all resources in a region to provide best-effort protection.

  • Anti-DDoS Origin adopts Alibaba Cloud Border Gateway Protocol (BGP) bandwidth resources across different Internet service providers (ISPs). The ISPs include China Telecom, China Unicom, China Mobile, China Education and Research Network (CERNET), and Great Wall Broadband Network. You can obtain fast access to the networks of the ISPs by using only one IP address.

  • Anti-DDoS Origin provides protection bandwidth as required. This can ensure service stability and security for big promotions, event releases, and important services.

  • Anti-DDoS Origin supports protection capacity sharing among multiple IP addresses. This enhances protection for multiple IP addresses.

Editions

  • Anti-DDoS Origin 1.0: Anti-DDoS Origin 1.0 Enterprise. You must select a region when you purchase an Anti-DDoS Origin 1.0 Enterprise instance. The instance can protect only the assets that reside in the same region as the instance.

  • Anti-DDoS Origin 2.0 (Subscription): Anti-DDoS Origin 2.0 of Inclusive Edition for Small and Medium Enterprises and Anti-DDoS Origin 2.0 Enterprise.

    • Anti-DDoS Origin 2.0 of Inclusive Edition for Small and Medium Enterprises: You can select any region when you purchase an instance of Anti-DDoS Origin 2.0 of Inclusive Edition for Small and Medium Enterprises. However, the instance can only protect assets in one region within the current Alibaba Cloud account.

    • Anti-DDoS Origin 2.0 Enterprise: You need to only purchase an instance to protect assets in all regions within the current Alibaba Cloud account.

    Note

    We recommend that you purchase an Anti-DDoS Origin 2.0 Enterprise instance instead of an Anti-DDoS Origin 1.0 Enterprise instance.

  • Anti-DDoS Origin 2.0 (Pay-as-you-go): You can add a regular Alibaba Cloud service to an Anti-DDoS Origin 2.0 (Pay-as-you-go) instance for protection. You can also purchase an Anti-DDoS Origin 2.0 (Pay-as-you-go) instance and then purchase an elastic IP address (EIP) with Anti-DDoS (Enhanced) enabled.

    Note
    • Regular Alibaba Cloud service: If you do not specify a DDoS mitigation capability when you purchase an Alibaba Cloud service, only the basic DDoS mitigation capability from 500 Mbit/s to 5 Gbit/s is provided.

    • EIP with Anti-DDoS (Enhanced) enabled: The Elastic IP addresses (EIPs) for which Security Protection is set to Anti-DDoS (Enhanced) when you purchase the EIPs are supported.

Mitigation capabilities

Anti-DDoS Origin provides best-effort protection, which defends against DDoS attacks based on the network capacity of the cloud data center. The level of best-effort protection is dynamic, improving as Alibaba Cloud enhances its network infrastructure. However, during times of high demand on data center resources, the protection level may be reduced. Anti-DDoS Origin is available in editions 1.0 and 2.0, with edition 1.0 no longer available for new purchases. The table below shows only the reference mitigation capabilities of Anti-DDoS Origin 2.0.

Note

If a blackhole filtering event is triggered due to insufficient protection capabilities, you can contact your account manager to unsubscribe from the Anti-DDoS Origin instance. For subscription instances, Alibaba Cloud will refund the remaining subscription fee. For pay-as-you-go instances, Alibaba Cloud will decommission the instance in advance. To ensure that mitigation capabilities consistently remain above a certain level, we recommend purchasing an Anti-DDoS Proxy instance. For more information, see What is Anti-DDoS Proxy?

Region

Anti-DDoS Origin 2.0 (Subscription) of Inclusive Edition for Small and Medium Enterprises

Anti-DDoS Origin 2.0 (Subscription) Enterprise

Anti-DDoS Origin 2.0 (Pay-as-you-go)

Regular Alibaba Cloud service

EIP with Anti-DDoS (Enhanced) enabled

Regular Alibaba Cloud service

EIP with Anti-DDoS (Enhanced) enabled

Regular Alibaba Cloud service

EIP with Anti-DDoS (Enhanced) enabled

China (Beijing), China (Shanghai), China (Hangzhou), China (Shenzhen), China (Ulanqab), China (Zhangjiakou), China (Hohhot), and China (Heyuan)

Up to 200 Gbit/s to 400 Gbit/s.

Not supported.

Best-effort protection of up to hundreds of Gbit/s.

Not supported.

Best-effort protection of up to hundreds of Gbit/s.

Best-effort protection of up to Tbit/s. The mitigation capability is provided only for China (Beijing), China (Shanghai), and China (Hangzhou).

China (Chengdu), China (Guangzhou), and China (Qingdao)

Mitigation capability of up to tens of Gbit/s.

Best-effort protection of up to tens of Gbit/s.

Best-effort protection of up to tens of Gbit/s.

Regions outside the Chinese mainland

The maximum mitigation capability is 10 Gbit/s. We recommend that you use EIPs with Anti-DDoS (Enhanced) enabled.

The maximum mitigation capability is 10 Gbit/s. We recommend that you use EIPs with Anti-DDoS (Enhanced) enabled.

The maximum mitigation capability is 10 Gbit/s. We recommend that you use EIPs with Anti-DDoS (Enhanced) enabled.

Best-effort protection of up to Tbit/s.

Feature comparison

The following table describes the features of different editions.

Item

Anti-DDoS Origin 1.0

Anti-DDoS Origin 2.0 (Subscription)

Anti-DDoS Origin 2.0 (Pay-as-you-go)

Enterprise

Inclusive Edition for Small and Medium Enterprises

Enterprise

Enterprise

Objects that can be protected

Alibaba Cloud assets: Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, EIPs, EIPs that are associated with NAT gateways, IPv6 gateways, simple application servers, Web Application Firewall (WAF) instances, and Global Accelerator (GA) instances.

  • Alibaba Cloud assets: ECS instances, SLB instances, EIPs, EIPs that are associated with NAT gateways, IPv6 gateways, simple application servers, WAF instances, and GA instances.

  • EIP with Anti-DDoS (Enhanced) enabled.

Billing methods

Subscription. For more information, see Anti-DDoS Origin 1.0 (Subscription).

Subscription. For more information, see Anti-DDoS Origin 2.0 (Subscription).

Subscription. For more information, see Anti-DDoS Origin 2.0 (Subscription).

Pay-as-you-go. For more information, see Anti-DDoS Origin 2.0 (Pay-as-you-go).

Mitigation sessions

Unlimited.

Two sessions per month.

Unlimited.

Unlimited.

Number of regions that can be protected

Protects assets that are assigned public IP addresses in one region.

Protects assets that are assigned public IP addresses in one region.

Protects assets that are assigned public IP addresses in all regions within the current Alibaba Cloud account.

Protects assets that are assigned public IP addresses in all regions within the current Alibaba Cloud account.

Network types of the assets that can be protected

Either IPv4 assets or IPv6 assets are supported.

Either IPv4 assets or IPv6 assets are supported.

Both IPv4 assets and IPv6 assets are supported.

Both IPv4 assets and IPv6 assets are supported.

Number of IP addresses that can be protected

Unlimited.

Less than 30.

Unlimited.

Unlimited.

Clean bandwidth

Unlimited.

Less than or equal to 1,000 Mbit/s.

Unlimited.

Mitigation logs feature

Supported.

Not supported.

Supported.

Supported.

Multi-account management feature

Not supported.

Not supported.

Supported.

Not supported.

Note

The clean bandwidth that you specify for an instance is shared by all Alibaba Cloud assets protected by the instance. For example, the total clean bandwidth of the three Alibaba Cloud assets that you want to add to an Anti-DDoS Origin instance is 2,000 Mbit/s. You must specify a clean bandwidth that is greater than 2,000 Mbit/s when you purchase the instance.

Limits

You can directly purchase Anti-DDoS Origin instances only in the Chinese mainland. If you want to purchase an Anti-DDoS Origin instance outside the Chinese mainland, contact your account manager. For more information about how to contact the account manager, see Contact us.

How to use an Anti-DDoS Origin instance

  1. Purchase an Anti-DDoS Origin instance. For more information, see Purchase an Anti-DDoS Origin instance.

  2. Add an asset that is assigned a public IP address to the instance. For more information, see Add an object for protection.

  3. Create custom mitigation policies based on your business requirements. For more information, see Use the mitigation settings feature (previous version).

  4. View monitoring data of service traffic. For more information, see Use the service monitoring feature.

  5. Enable the mitigation logs feature. You can use this feature to query and analyze mitigation logs and view mitigation reports. For more information, see Enable mitigation analysis.

  6. View the attack event details after an attack occurred. For more information, see View information on the Attack Analysis page.

  7. View blackhole filtering events and traffic scrubbing events. For more information, see View the Event Center page.