
Anti-DDoS: FAQ

Last Updated: Aug 29, 2024

This topic provides answers to some frequently asked questions about Anti-DDoS Origin.

What is the difference between the billing method for best-effort protection of Anti-DDoS Origin and the billing method for the burstable protection bandwidth feature of Anti-DDoS Proxy?

  • Anti-DDoS Origin provides best-effort protection. For more information, see best-effort protection (Anti-DDoS Origin). When attacks occur, Anti-DDoS Origin automatically schedules the maximum anti-DDoS capability in the region where your Anti-DDoS Origin instance resides to provide best-effort protection. Best-effort protection is included in the Anti-DDoS Origin instance that you purchase, and no additional fee is generated for best-effort protection.

  • Anti-DDoS Proxy (Chinese Mainland) provides the burstable protection bandwidth feature. You are charged based on the daily peak inbound bandwidth. For more information, see Billing of the burstable protection bandwidth feature.

What do I do if blackhole filtering is triggered for the IP address that is protected by Anti-DDoS Origin?

Anti-DDoS Origin supports blackhole filtering deactivation.

What do I do if I select an incorrect region when I purchase an Anti-DDoS Origin instance?

If the IP address that you want to protect is not in the same region as your Anti-DDoS Origin instance, contact technical support to request a refund and purchase an Anti-DDoS Origin instance in the region of the IP address.

What do I do if the number of IP addresses protected by my Anti-DDoS Origin instance exceeds the specification that I purchased?

If the number of IP addresses that you want to protect exceeds the IP Addresses specification of your Anti-DDoS Origin instance, you can increase the IP Addresses specification or purchase another Anti-DDoS Origin instance. For more information, see Upgrade an Anti-DDoS Origin instance and Purchase an Anti-DDoS Origin instance.

What do I do if the error message "The IP address does not belong to your account" is displayed when I add an IP address to Anti-DDoS Origin for protection?

To troubleshoot the issue, perform the following steps:

  1. Verify that you have entered the correct IP address.

  2. Verify that the region of the cloud service whose IP address you want to add to the Anti-DDoS Origin instance for protection is the same as the region of the Anti-DDoS Origin instance.

  3. If you want to add the IP address of a Web Application Firewall (WAF) instance to the Anti-DDoS Origin instance for protection, verify that Anti-DDoS Origin supports the region of the WAF instance. For more information about regions that are supported by Anti-DDoS Origin, see What is Anti-DDoS Origin?

How do I add my asset protected by an instance of a member to an instance of the management account after I enable the multi-account management feature?

You can add an asset that is assigned a public IP address to only one instance for protection. If you want to add your asset protected by an instance of a member to an instance of the management account, you must remove the asset from the instance that belongs to the member and then add the asset to the instance that belongs to the management account. For more information about how to remove or add an object for protection, see Add an object for protection.

How do I use WAF together with Anti-DDoS Origin to protect my website that supports IPv6?

We recommend the following solution:

  1. Add your website to your WAF instance and enable the IPv6 traffic protection feature with a few clicks. For more information, see Overview.

    This feature protects your website against attacks that originate from IPv6 sources. After you enable IPv6 traffic protection, two-channel resolution is automatically implemented in WAF.

  2. Purchase an Anti-DDoS Origin instance and add the IP address of the WAF instance to the Anti-DDoS Origin instance. For more information, see Add an object for protection.

    When your website is under DDoS attack, traffic scrubbing is triggered to discard attack traffic and forward service traffic to your origin server.

When is Anti-DDoS Proxy required to protect the services that are added to Anti-DDoS Origin for protection?

Anti-DDoS Origin protects public IP addresses of Alibaba Cloud services, such as Elastic Compute Service (ECS), Server Load Balancer (SLB), WAF, and Elastic IP Address (EIP), against DDoS attacks. Compared with Anti-DDoS Proxy, Anti-DDoS Origin provides the following advantages:

  • IP address changes for protected assets are not required.

  • No limits are imposed on the number of Layer 4 ports or Layer 7 domain names.

  • An Anti-DDoS Origin instance can be easily deployed. You only need to add the IP address of an asset to an Anti-DDoS Origin instance for protection.

  • IPv6 is supported.

But Anti-DDoS Origin has the following limits:

  • Anti-DDoS Origin protects your assets against only Layer 3 and Layer 4 volumetric attacks.

  • Best-effort protection of Anti-DDoS Origin defends against DDoS attacks based on the overall network capacity of Alibaba Cloud.

If attack traffic exceeds the overall network capacity of Alibaba Cloud or HTTP flood attacks occur, Anti-DDoS Origin may not meet the security protection requirements. In this case, you need to use Anti-DDoS Proxy to improve the protection capability.

You can also use Anti-DDoS Origin together with Anti-DDoS Proxy. Sec-Traffic Manager of Anti-DDoS Proxy allows you to create interaction rules to implement tiered protection. This ensures business continuity and enhances DDoS mitigation capabilities.

  • If the volume of DDoS attacks that occur on your cloud service does not exceed the mitigation capabilities of your Anti-DDoS Origin instance, service traffic is automatically forwarded to your cloud service, and no latency occurs.

  • If the volume of DDoS attacks that occur on your cloud service exceeds the mitigation capabilities of your Anti-DDoS Origin instance and blackhole filtering is triggered, Sec-Traffic Manager switches the service traffic from your Anti-DDoS Origin instance to your Anti-DDoS Proxy instance to mitigate the volumetric DDoS attacks. In this case, the latency is about 20 ms.

After the DDoS attacks stop, Sec-Traffic Manager switches the service traffic back to your cloud service based on the switchover waiting time.
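The tiered-protection behavior described above can be reasoned about with a small timeline model. The following is an added example, not Alibaba Cloud code and not the Sec-Traffic Manager algorithm: the capacity figure, the sample volumes, and the rule that the switchback wait restarts whenever attack traffic resumes are assumptions made for illustration.

```python
from dataclasses import dataclass

ORIGIN = "anti-ddos-origin"   # direct path to the cloud service
PROXY = "anti-ddos-proxy"     # scrubbed path, about 20 ms extra latency per the FAQ


@dataclass
class Sample:
    t: int              # seconds since start of the constructed timeline
    attack_gbps: float  # observed attack volume at time t


def route_timeline(samples, origin_capacity_gbps, switchback_wait_s):
    """Return [(t, path)] for each sample under the simplified model."""
    path, quiet_since, out = ORIGIN, None, []
    for s in samples:
        if s.attack_gbps > origin_capacity_gbps:
            # Capacity exceeded: blackhole filtering triggers, traffic moves to Proxy.
            path, quiet_since = PROXY, None
        elif path == PROXY:
            if s.attack_gbps > 0:
                quiet_since = None          # attack still running: restart the wait
            else:
                if quiet_since is None:
                    quiet_since = s.t       # first quiet sample starts the wait
                if s.t - quiet_since >= switchback_wait_s:
                    path, quiet_since = ORIGIN, None
        out.append((s.t, path))
    return out


def switch_events(timeline):
    """Collapse a timeline into the moments where the path changes."""
    events, prev = [], ORIGIN
    for t, path in timeline:
        if path != prev:
            events.append((t, path))
            prev = path
    return events


# Constructed input: one sample per minute, volumes in Gbit/s (not real data).
SAMPLES = [Sample(t, g) for t, g in
           [(0, 0), (60, 50), (120, 300), (180, 0), (240, 20),
            (300, 0), (360, 0), (420, 0), (480, 0)]]

if __name__ == "__main__":
    tl = route_timeline(SAMPLES, origin_capacity_gbps=100, switchback_wait_s=120)
    for t, path in switch_events(tl):
        print(f"t={t:>3}s -> {path}")
```

In this model a pulsed attack (the 20 Gbit/s sample at t=240) keeps traffic on the Proxy path even though it is below the assumed capacity, which is the reason to choose a switchover waiting time longer than the gaps between attack bursts.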

What are the core technical benefits of EIPs with Anti-DDoS (Enhanced) enabled? What scenarios are EIPs with Anti-DDoS (Enhanced) enabled suitable for?

Alibaba Cloud provides anti-DDoS solutions such as Anti-DDoS Origin and Anti-DDoS Proxy. Anti-DDoS Proxy can mitigate Tbit/s-level attack traffic, but latency increases. Anti-DDoS Origin is suitable for the scenarios in which multiple IP addresses, ports, and domain names require protection, the service bandwidth is large, and low latency is required. However, Anti-DDoS Origin provides relatively limited mitigation capabilities.

EIPs with Anti-DDoS (Enhanced) enabled support the transparent proxy mode. In this mode, service traffic is first forwarded to the traffic scrubbing centers of Anti-DDoS Proxy on the edge of the network and then forwarded to your origin server by using EIPs and Internet Shared Bandwidth instances. EIPs with Anti-DDoS (Enhanced) enabled offer the following benefits: low latency, protection of all assets, and mitigation against Tbit/s-level attack traffic.

EIPs with Anti-DDoS (Enhanced) enabled support volumetric attack mitigation that is available in Anti-DDoS Proxy and support mitigation with low latency that is available in Anti-DDoS Origin. EIPs with Anti-DDoS (Enhanced) enabled are suitable for the scenarios in which protection of all assets and multiple ports is required, low latency is required, and volumetric attacks may occur. For example, EIPs with Anti-DDoS (Enhanced) enabled are suitable for high-quality games and game distributors.