Alibaba Cloud has integrated security technologies and years of experience in DDoS mitigation to develop various commercial anti-DDoS solutions. You can select an anti-DDoS solution based on your business requirements. This topic describes how to select a suitable anti-DDoS solution.
Anti-DDoS solutions
Anti-DDoS mitigation solutions include Anti-DDoS Basic, Anti-DDoS Origin, and Anti-DDoS Proxy. Anti-DDoS Basic is provided free of charge. The following table describes these solutions. We recommend that you read What is Anti-DDoS Origin? and What is Anti-DDoS Proxy? before you choose a solution.
To obtain a tailored security solution, such as a solution with ultra-large specifications or application-layer UDP reflection attack mitigation, contact Alibaba Cloud security architects by telephone. For more information, see Contact us.
| Item | Anti-DDoS Basic | Anti-DDoS Origin (regular and enhanced Alibaba Cloud services) | Anti-DDoS Proxy |
| --- | --- | --- | --- |
| Solution overview | Same as Anti-DDoS Origin. | Anti-DDoS Origin uses the native protection network of Alibaba Cloud to mitigate DDoS attacks at the network and transport layers without changing the IP addresses of origin servers. Note: Only Elastic IP Addresses (EIPs) are supported for enhanced Alibaba Cloud services. To protect the asset of a regular Alibaba Cloud service with Anti-DDoS Origin, add the asset to Anti-DDoS Origin. To protect an EIP with Anti-DDoS Origin, select Anti-DDoS (Enhanced) for the Security Protection parameter when you purchase the EIP, and make sure that you have already purchased an Anti-DDoS Origin instance before you purchase the EIP. | Anti-DDoS Proxy routes network traffic to the global traffic scrubbing centers of Alibaba Cloud by using DNS resolution, mitigates DDoS attacks at the network, transport, and application layers, and hides the IP addresses of origin servers. |
| Mitigation capability | Low. The mitigation capability is provided by Alibaba Cloud and ranges from 500 Mbit/s to 5 Gbit/s. For more information, see View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic. | Regular Alibaba Cloud service: relatively high. The mitigation capability is provided by Alibaba Cloud and can reach hundreds of Gbit/s. For more information, see What is Anti-DDoS Origin? Enhanced Alibaba Cloud service: high. The mitigation capability is provided by the global traffic scrubbing centers of Alibaba Cloud and can reach Tbit/s. | High. The mitigation capability is provided by the global traffic scrubbing centers of Alibaba Cloud and can reach Tbit/s. |
| Objects that can be protected | Assets of specific Alibaba Cloud services: Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, EIPs, EIPs that are associated with NAT gateways, IPv6 gateways, simple application servers, Web Application Firewall (WAF) instances, and Global Accelerator (GA) instances. | Regular Alibaba Cloud service: assets of specific Alibaba Cloud services, namely ECS instances, SLB instances, EIPs, EIPs that are associated with NAT gateways, IPv6 gateways, simple application servers, WAF instances, and GA instances. Enhanced Alibaba Cloud service: only EIPs with Anti-DDoS (Enhanced) enabled. | All assets that are assigned public IP addresses. |
| Scenarios | Anti-DDoS Basic is automatically activated after you purchase an Alibaba Cloud service. | | |
| Remarks | Free of charge. | The pay-as-you-go billing method is supported. For more information, see Anti-DDoS Origin 2.0 (Pay-as-you-go). | You can select a mitigation plan of Anti-DDoS Proxy based on the following descriptions: |
DDoS attack types
Symbol description:
√: mitigation is supported.
×: mitigation is not supported.

| Attack type | Attack subtype | Anti-DDoS Origin (regular Alibaba Cloud service) | Anti-DDoS Origin (enhanced Alibaba Cloud service) | Anti-DDoS Proxy |
| --- | --- | --- | --- | --- |
| Network-layer DDoS attack | Includes fragmented flood, smurf, stream flood, land flood, malformed IP packet, malformed TCP packet, and malformed UDP packet attacks. | √ | √ | √ |
| Transport-layer DDoS attack | Includes SYN flood, ACK flood, UDP flood, Internet Control Message Protocol (ICMP) flood, reset (RST) flood, Network Time Protocol (NTP) reflection, Simple Service Discovery Protocol (SSDP) reflection, and Domain Name System (DNS) reflection attacks. | √ | √ | √ |
| HTTP and HTTPS application-layer DDoS attack | Also called application-layer HTTP flood attacks on website services. Includes HTTP flood, HTTPS flood, and slow HTTP attacks that target HTTP services such as websites, API operations, and WebSocket-compliant website services. Slow HTTP attacks can be launched by using Low Orbit Ion Cannon (LOIC), High Orbit Ion Cannon (HOIC), Slowloris, PyLoris, and XOIC. | × | × | √ |
| TCP application-layer DDoS attack other than HTTP and HTTPS | Also called application-layer flood attacks on non-website services. Includes TCP flood, TCP-based empty connection flood, and TCP connection-based resource exhaustion attacks that target non-HTTP services, such as services that use proprietary protocols, MySQL, Message Queuing Telemetry Transport (MQTT), and Real-Time Messaging Protocol (RTMP). | × | √ This feature is in public preview and is available only in the China (Hangzhou) region. To enable this feature, submit a ticket to contact your account manager. | √ |
| UDP application-layer DDoS attack | Includes UDP flood and DNS flood attacks against UDP services, such as network services, UDP-based gaming services, and UDP-based voice calls. Note: If you want to defend against HTTP flood attacks that target UDP services, you must purchase Managed Security Service (MSSP). Otherwise, you cannot use this feature. | √ DNS flood attacks against non-network services can be mitigated. To protect network services, enable DNS protection. For more information, see DNS protection. | √ DNS flood attacks against non-network services can be mitigated. To protect network services, enable DNS protection. For more information, see DNS protection. | √ DNS flood attacks against non-network services can be mitigated. To protect DNS servers from DNS floods, enable DNS protection. For more information, see DNS protection. |
Mitigation effect description
Because DDoS attacks evolve continuously, the mitigation components, architecture, and mitigation capabilities of the anti-DDoS solutions are not completely consistent with each other. Many other factors also affect the final mitigation effect. We recommend that you take note of the following scenarios and factors that may affect the mitigation effect, and improve your mitigation capabilities based on the attack-and-defense experience accumulated by technical experts.
After you add your service to Anti-DDoS, the intelligent protection feature requires some time to learn the characteristics of your service traffic. If your service receives DDoS attacks or HTTP flood attacks immediately after you add it to Anti-DDoS, the traffic of the first attack may be instantaneously and transparently forwarded to your origin server. We recommend that you increase the capacity of your origin server to handle higher workloads and complete the following configurations:
- After you add your service to Anti-DDoS Origin, the default mitigation policy is used. During protection, the system automatically improves mitigation capabilities in real time based on the attack characteristics, and intelligent protection is also delivered. Before intelligent protection takes effect, attack traffic may be instantaneously and transparently forwarded to your origin server. We recommend that you configure IP-specific and port-specific mitigation policies in advance to improve the mitigation effect. For more information, see Use the mitigation settings feature (previous version).
- If the attack traffic does not exceed the default traffic scrubbing threshold, the attack traffic may be transparently forwarded to your origin server. If a bandwidth plan is bound to an EIP, the default traffic scrubbing threshold may be high. We recommend that you specify an appropriate traffic scrubbing threshold based on your service traffic. For more information, see Configure a traffic scrubbing threshold.
- To improve the mitigation effect, we recommend that you configure custom mitigation policies or HTTP flood mitigation based on your business requirements. For more information, see Create custom mitigation policies for specific scenarios and Configure the HTTP flood mitigation feature.
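The following added example (not Alibaba Cloud code) illustrates the scrubbing-threshold point above: it derives a threshold from a baseline of normal service traffic and shows that an attack below a high default threshold is forwarded to the origin unscrubbed, while a threshold tuned to the baseline catches it. The baseline samples, the 99th-percentile-plus-headroom rule, and the default threshold value are constructed assumptions, not Alibaba Cloud's algorithm or defaults.

```python
"""Added example: pick a traffic scrubbing threshold from normal traffic
and check which attack volumes a given threshold lets through.
All numbers below are constructed for illustration."""
from statistics import quantiles

# Constructed 1-minute samples of normal inbound service traffic, in Mbit/s.
BASELINE_MBPS = [120, 135, 140, 128, 150, 160, 145, 138, 170, 155,
                 142, 149, 133, 158, 165, 151, 147, 139, 162, 144]


def recommend_threshold_mbps(samples, headroom=1.5, floor_mbps=100):
    """Assumed rule: 99th percentile of normal traffic times a headroom
    factor, never below a floor so normal traffic is not scrubbed."""
    if len(samples) < 2:
        raise ValueError("need at least two samples for a percentile")
    p99 = quantiles(samples, n=100)[98]
    return max(floor_mbps, round(p99 * headroom))


def passes_to_origin(attack_mbps, threshold_mbps):
    """Scrubbing starts only above the threshold: traffic at or below it
    is forwarded to the origin server unscrubbed."""
    return attack_mbps <= threshold_mbps


def compare_thresholds(attack_mbps, default_mbps, samples):
    """Compare a (possibly high) default threshold, such as one inherited
    from a bandwidth plan, with a threshold tuned to the baseline."""
    tuned = recommend_threshold_mbps(samples)
    return {
        "default_threshold_mbps": default_mbps,
        "tuned_threshold_mbps": tuned,
        "reaches_origin_with_default": passes_to_origin(attack_mbps, default_mbps),
        "reaches_origin_with_tuned": passes_to_origin(attack_mbps, tuned),
    }


if __name__ == "__main__":
    # Constructed case: a 2000 Mbit/s default threshold and an 800 Mbit/s
    # attack that sits comfortably under it but far above normal traffic.
    print(compare_thresholds(800, 2000, BASELINE_MBPS))
```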