
Edge Security Acceleration: Mitigation settings

Last Updated: Feb 11, 2026

If an accelerated domain name experiences a DDoS attack, it may be added to a sandbox, which causes service interruptions. You can enable the DCDN DDoS mitigation feature for important domain names or those that are at risk of attacks. After you enable the feature, DCDN accelerates your services and provides real-time detection, a fast response, and automatic protection against DDoS attacks.

Important

Alibaba Cloud DCDN plans to gradually stop offering the DDoS mitigation feature to new users on May 1, 2025 at 00:00 (UTC+8). This change does not affect existing users.

If you require this feature, you can upgrade to the Edge Security Acceleration (ESA) service. The DDoS mitigation feature of Edge Security Acceleration (ESA) uses deep learning to provide better protection.

Feature description


During normal service access, traffic is accelerated by the nearest DCDN Points of Presence (POPs) without passing through a scrubbing center. If the domain name is under a DDoS attack, traffic is quickly diverted to the nearest DDoS scrubbing center. After traffic scrubbing, the clean traffic is routed back to DCDN for secure acceleration.

Benefits

  • Provides DDoS mitigation capabilities worldwide.

  • Mitigates terabit-level DDoS attacks.

  • Intelligently switches between maximum performance and protection to ensure both security and acceleration.

  • Simple configuration. You do not need to enable and configure multiple acceleration and security products.

  • The DCDN DDoS mitigation feature includes intelligent AI-powered protection against Layer 7 CC attacks.

Limits

  • The DDoS mitigation feature is not available for services if the normal service traffic, excluding attack traffic, exceeds a peak of 10 Gbps or 100,000 queries per second (QPS). The peak service traffic is the sum of the bandwidth or QPS of all domain names for which the DDoS mitigation feature is enabled at the same time.

    For example, if the peak bandwidth of domain name A, 1.example.com, is 8 Gbps and the peak bandwidth of domain name B, 2.example.com, is 3 Gbps, you can enable the feature for only one of the domain names. If you enable DDoS mitigation for both domain names at the same time, your services may be interrupted.

  • The DDoS mitigation feature is not available for accelerated domain names in the following scenarios:

Procedure

Configure mitigation rules

  1. On the Add Domain Name page, click Add Domain Name.

  2. In the Add Domain Name dialog box, configure the mitigation rules.

    Protected Domain Names: The accelerated domain name that you want to protect.

    Health Check: The path for origin health checks. To ensure that the access link to the DDoS scrubbing center is available during an attack, specify the URI of a file that can be accessed. A 200 OK status code indicates that the link is available. / represents the root directory of the domain name. Example: /test.json.

      Important

      • DCDN periodically probes the health check path that you configure. If an anomaly is detected, traffic is not diverted for DDoS mitigation during an attack. Traffic is diverted only when the health check path is normal.

      • The IP addresses 47.97.249.17 and 47.244.XX.XXX are used to probe your origin server. If your origin server uses an IP address whitelist, add these two IP addresses to the whitelist to ensure that monitoring probes work as expected.

    Cleansing Conditions:

      • Intelligent Cleansing (Recommended): DCDN intelligently analyzes and determines when to divert traffic to a scrubbing center. For small-scale attacks, DCDN POPs mitigate the attacks to improve acceleration performance. For large-scale attacks, traffic is diverted to the nearest scrubbing center for centralized scrubbing to improve protection. If you select this mode, intelligent CC attack protection (Medium) and the global mitigation policy (Medium) are automatically enabled to block attacks.

      • Custom QPS Threshold: This option is suitable for testing. You can quickly test whether the access link is normal after traffic is diverted to a DDoS scrubbing center. If the specified threshold is exceeded, traffic is diverted to a DDoS scrubbing center.

        • Value range: 2000 to 50000

        • Default value: 20000

  3. Click OK.
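
A pre-flight check for the settings above, as an added example that is not part of the original page or of any Alibaba Cloud tooling: it applies the aggregate limits from the Limits section, the 200 OK health check requirement, the probe IP whitelist note, and the Custom QPS Threshold range. The function names, the input shapes, and the origin URL passed to probe_status() are assumptions made for illustration.

```python
import ipaddress
import urllib.error
import urllib.request

# Values stated on this page.
MAX_GBPS, MAX_QPS = 10, 100_000   # aggregate peak of normal traffic
QPS_MIN, QPS_MAX = 2000, 50000    # Custom QPS Threshold value range
PROBE_IP = "47.97.249.17"         # the second probe IP is masked on the page; check it by hand


def probe_status(origin_url, path, timeout=5):
    """HTTP status of the health check path, or None if unreachable (redirects are followed)."""
    try:
        with urllib.request.urlopen(origin_url + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except OSError:
        return None


def preflight(domains, health_status, origin_allowlist=None, custom_qps=None):
    """List the problems with a planned DDoS mitigation setup (hypothetical helper).

    domains: {name: (peak_gbps, peak_qps)} for all domains protected at the same time.
    health_status: {name: HTTP status}, for example collected with probe_status().
    origin_allowlist: CIDR strings the origin admits, or None if it has no whitelist.
    custom_qps: the Custom QPS Threshold, or None for Intelligent Cleansing.
    """
    problems = []
    total_gbps = sum(gbps for gbps, _ in domains.values())
    total_qps = sum(qps for _, qps in domains.values())
    if total_gbps > MAX_GBPS:
        problems.append(f"aggregate peak {total_gbps} Gbps exceeds {MAX_GBPS} Gbps")
    if total_qps > MAX_QPS:
        problems.append(f"aggregate peak {total_qps} QPS exceeds {MAX_QPS} QPS")
    for name in domains:
        if health_status.get(name) != 200:
            problems.append(f"{name}: health check is not 200 OK, traffic will not be diverted")
    if origin_allowlist is not None:
        nets = [ipaddress.ip_network(cidr, strict=False) for cidr in origin_allowlist]
        if not any(ipaddress.ip_address(PROBE_IP) in net for net in nets):
            problems.append(f"origin whitelist does not admit probe IP {PROBE_IP}")
    if custom_qps is not None and not QPS_MIN <= custom_qps <= QPS_MAX:
        problems.append(f"Custom QPS Threshold {custom_qps} is outside {QPS_MIN}-{QPS_MAX}")
    return problems
```

Run it against the full set of domains that will have mitigation enabled at the same time, because the limits apply to their sum and not to each domain separately.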

Modify or disable DDoS mitigation

On the Domain Names page, find the domain name for which you want to modify or disable DDoS mitigation. In the Actions column, click Manage or Disable DDoS Mitigation. The changes take effect immediately.
