All Products
Search

This Product

    Anti-DDoS:Pre-sales FAQ

    Document Center

    Anti-DDoS:Pre-sales FAQ

    Last Updated:Mar 03, 2026

    This topic lists frequently asked questions about Alibaba Cloud Anti-DDoS products before purchase.

    Does Alibaba Cloud Anti-DDoS offer a free service?

    Yes. Alibaba Cloud enables Anti-DDoS Origin (Basic Edition) by default for all users at no cost. This service provides basic DDoS mitigation capability of up to 5 Gbps. You do not need to purchase, enable, or configure this free service. For more information, see What is Anti-DDoS Origin?.

    Alibaba Cloud cannot defend against unlimited DDoS attacks for free. DDoS mitigation incurs costs, primarily bandwidth expenses. Alibaba Cloud purchases bandwidth from carriers such as China Telecom, China Unicom, and China Mobile. These carriers charge for all bandwidth used, including DDoS attack traffic. Alibaba Cloud provides free protection against DDoS attack traffic up to 5 Gbps. If attack traffic exceeds 5 Gbps, Alibaba Cloud blocks all traffic to the targeted IP address to prevent unexpected charges.

    Does Anti-DDoS Proxy offer a plan that charges only when my service is under attack?

    No. Anti-DDoS Proxy uses a subscription billing method. You must purchase an Anti-DDoS Proxy instance and pay upfront to use the service during the subscription period.

    Do Alibaba Cloud Anti-DDoS products support free trials?

    • Anti-DDoS Origin: The Basic Edition (free) is enabled by default for assets assigned public IP addresses purchased from Alibaba Cloud. This edition provides basic DDoS mitigation capability of up to 5 Gbps. Anti-DDoS Origin Enterprise Edition is a paid service and does not offer a free trial.

      Important

      The Enterprise Edition provides transparent protection based on the Alibaba Cloud network. When you upgrade from the Basic Edition to the Enterprise Edition, network quality, latency, and connection type remain unchanged. We recommend using the Basic Edition for network testing.

    • Anti-DDoS Proxy: This service relies on dedicated data centers for traffic scrubbing, which involves high costs. Therefore, a free trial is not available.

    Which Anti-DDoS Proxy solution should I choose if my servers are deployed outside the Chinese mainland?

    Scenario

    Anti-DDoS solution

    Servers are deployed outside the Chinese mainland and mainly serve users outside the Chinese mainland.

    Purchase an Anti-DDoS Premium Insurance or Unlimited mitigation plan.

    Servers are deployed outside the Chinese mainland and mainly serve users in the Chinese mainland.

    • Option 1

      If your service is sensitive to network latency, such as a game server, migrate your servers to the Chinese mainland. Then, purchase an Anti-DDoS Pro instance to mitigate DDoS attacks.

    • Option 2

      If you cannot migrate your servers to the Chinese mainland, purchase an Anti-DDoS Premium Insurance or Unlimited mitigation plan. Also, purchase the Chinese Mainland Acceleration (CMA) feature. This ensures smooth access for users in the Chinese mainland when there are no DDoS attacks. For more information about how to configure the CMA feature for Anti-DDoS Premium, see Configure the CMA feature for an Anti-DDoS Premium instance.

    • Option 3

      If your business servers cannot be migrated to the Chinese mainland, you can purchase an Anti-DDoS Proxy (Outside Chinese Mainland) instance that offers the Insurance or Unlimited mitigation plan and leverages a Secure Chinese Mainland Acceleration (Sec-CMA) line to accelerate cross-border traffic and provide DDoS mitigation capabilities. You do not need to switch to the IP address of the Anti-DDoS Proxy instance during an attack, which reduces latency and packet loss. For more information about how to configure the Secure Chinese Mainland Acceleration (Sec-CMA) line, see Configure Secure Chinese Mainland Acceleration for Anti-DDoS Proxy (Outside Chinese Mainland).

    Servers are deployed outside the Chinese mainland and serve users both in and outside the Chinese mainland.

    • Option 1

      Deploy your servers in different regions. Use servers in the Chinese mainland to serve users in the Chinese mainland. Use servers outside the Chinese mainland to serve users outside the Chinese mainland. Purchase an Anti-DDoS Pro instance to protect your services in the Chinese mainland. Purchase an Anti-DDoS Premium Insurance or Unlimited mitigation plan to protect your services outside the Chinese mainland.

    • Option 2

      If you cannot migrate your servers to the Chinese mainland, purchase an Anti-DDoS Premium Insurance or Unlimited mitigation plan. Also, purchase the Chinese Mainland Acceleration (CMA) feature. This ensures smooth access for users in the Chinese mainland when there are no DDoS attacks. For more information about how to configure the CMA feature for Anti-DDoS Premium, see Configure the CMA feature for an Anti-DDoS Premium instance.

    • Option 3

      If your business servers cannot be migrated to the Chinese mainland, you can purchase an Anti-DDoS Proxy (Outside Chinese Mainland) instance that offers the Insurance or Unlimited mitigation plan and leverages a Secure Chinese Mainland Acceleration (Sec-CMA) line to accelerate cross-border traffic and provide DDoS mitigation capabilities. You do not need to switch to the IP address of the Anti-DDoS Proxy instance during an attack, which reduces latency and packet loss. For more information about how to configure the Secure Chinese Mainland Acceleration (Sec-CMA) line, see Configure Secure Chinese Mainland Acceleration for Anti-DDoS Proxy (Outside Chinese Mainland).

    Can I use Anti-DDoS Proxy for servers not hosted on Alibaba Cloud?

    Yes, you can use Anti-DDoS Proxy. Anti-DDoS Proxy (Chinese Mainland) and Anti-DDoS Proxy (Outside Chinese Mainland) protect servers that have public IP addresses. If your business uses an external public IP address and is reachable over Alibaba Cloud’s public network, you can use Anti-DDoS Proxy. For more information, see What is Anti-DDoS Proxy.

    Can I enable Anti-DDoS Proxy if my servers are not on Alibaba Cloud but my domain name is?

    Yes. To enable Anti-DDoS Pro to protect the domain name, you must have an ICP filing for the domain name.

    Do I need an ICP filing for my domain name to use Alibaba Cloud Anti-DDoS Proxy?

    To protect your domain name with Anti-DDoS Proxy (Chinese Mainland), you must complete ICP filing. To protect your domain name with Anti-DDoS Proxy (Outside Chinese Mainland), ICP filing is not required, but your services must be legal and compliant.

    For more information about ICP filing, see ICP filing process.

    Which regions does Anti-DDoS Proxy support?

    • Anti-DDoS Pro: Use this service if your servers are deployed in the Chinese mainland.

    • Anti-DDoS Premium: Use this service if your servers are deployed in regions outside the Chinese mainland, including Hong Kong (China).

    Does Anti-DDoS Proxy limit the number of domain names that can be added?

    Yes. The limits are as follows:

    • Each Anti-DDoS Pro instance supports up to 50 website configurations by default. You can use a maximum of 5 different root domain names (sites).

    • Each Anti-DDoS Premium instance supports up to 10 website configurations by default. You can use a maximum of 1 root domain name (site).

    Note

    You can increase the Number of protected domain names when you purchase an Anti-DDoS Proxy instance. A single Anti-DDoS Pro or Anti-DDoS Premium instance can support up to 200 website configurations. For more information, see Purchase an Anti-DDoS Proxy instance.

    Does Anti-DDoS Proxy support wildcard domain names?

    Yes. Anti-DDoS Proxy supports wildcard domain names in the Website Config configuration. For more information, see Add a website configuration.

    A wildcard domain name uses an asterisk (*) as a subdomain to resolve all subdomains to the same IP address. For example, if you configure a wildcard domain name for www.aliyundoc.com, requests to access *.aliyundoc.com are resolved to the IP address of the wildcard domain name.

    Are there any port restrictions for Anti-DDoS Proxy?

    Anti-DDoS Proxy does not have port restrictions. It supports web services on any port from 80 to 65535. For more information, see Customize server ports.

    However, based on current network access tests, Internet carriers may block service traffic on some vulnerable ports due to security risks. These vulnerable TCP ports include 42, 135, 137, 138, 139, 445, 593, 1025, 1434, 1068, 3127, 3128, 3129, 3130, 4444, 5554, 5800, 5900, and 9996.

    If your web service uses one of these vulnerable ports, it may become inaccessible from some regions after you add it to Anti-DDoS Proxy. Before adding your web service to Anti-DDoS Proxy, ensure it uses a port that is not on the vulnerable list.

    What are the requirements for enabling Anti-DDoS Premium?

    To enable Anti-DDoS Premium to protect a website, you need a domain name. An ICP filing is not required, but the service must be lawful and compliant. To protect non-website services, you can use the Port Config feature, which has no special requirements.

    Does the minimum bandwidth commitment for Anti-DDoS Pro cover all traffic or only attack traffic?

    The minimum bandwidth commitment for Anti-DDoS Pro covers all service traffic routed to the Anti-DDoS Pro instance. This includes both normal service traffic and attack traffic. All traffic passes through the Anti-DDoS Pro instance for traffic scrubbing. Normal service traffic is forwarded to your origin server, and attack traffic is blocked.