Alibaba Cloud Anti-DDoS Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security

1. Introduction

Alibaba Cloud Anti-DDoS is a Security service designed to help you keep internet-facing applications online when they are targeted by distributed denial-of-service (DDoS) attacks. It focuses on absorbing and filtering malicious traffic so your legitimate users can still reach your services.

In simple terms: Anti-DDoS helps your public IPs and services survive traffic floods (for example, SYN floods, UDP floods, reflection/amplification attacks) that would otherwise saturate bandwidth, exhaust connection tables, or overwhelm network devices.

Technically, Anti-DDoS uses traffic monitoring, anomaly detection, and upstream scrubbing/mitigation capacity in Alibaba Cloud’s network to filter attack traffic before it reaches your origin (ECS, SLB, EIP, etc.). Depending on the edition and protection mode, this can include baseline protection that comes with many Alibaba Cloud public endpoints and higher-capacity, feature-rich paid protection.

The core problem Anti-DDoS solves is availability under attack: DDoS events can take down your website, API, game server, or business portal even if the application itself is healthy—simply because the network path is overwhelmed. Anti-DDoS addresses this by mitigating attacks at the network edge and/or via dedicated scrubbing resources (depending on the product/edition you use).

Naming note (verify in official docs): Alibaba Cloud uses Anti-DDoS as a product name and also markets DDoS Protection on some international pages. In practice, you may see multiple related offerings (such as baseline protection and higher-tier protection). This tutorial uses Anti-DDoS as the primary service name, and calls out edition-specific capabilities where applicable.

2. What is Anti-DDoS?

Official purpose (what it’s for)
Anti-DDoS is an Alibaba Cloud Security service that helps protect internet-facing assets against DDoS attacks by detecting abnormal traffic and applying mitigation (scrubbing/filtering/traffic shaping) to maintain availability.

Core capabilities (what it does) – Detects common DDoS patterns (volumetric and protocol-based attacks). – Mitigates attack traffic upstream so less malicious traffic reaches your origin. – Helps prevent prolonged downtime by reducing the chance that your public IP is forced into “blackhole”/null-routing due to sustained attacks (capability depends on edition and thresholds). – Provides visibility into attack events (dashboards, attack analysis, alerts—exact features depend on edition).

Major components (how it’s packaged in Alibaba Cloud) Because Alibaba Cloud offers multiple DDoS-related products and editions, the “Anti-DDoS” experience often includes: – Baseline DDoS protection for many Alibaba Cloud public IP assets (often referred to as basic protection). This is typically enabled by default for certain services (verify coverage and thresholds in official docs for your region and asset type). – Paid Anti-DDoS editions with higher mitigation capacity and more controls/visibility (names and tiers vary by market and time; verify the exact current editions in the Alibaba Cloud console and official product pages). – Optional DDoS protection products that may be separate SKUs in the console (for example, proxy-based protection for applications, or globally distributed protection). If you see these as separate services in your console, treat them as related products rather than “the same thing.”

Service type – Managed network security service (DDoS mitigation). – Control plane via Alibaba Cloud Console and APIs (availability of APIs/features varies; verify in docs).

Scope – Typically account-scoped (your Alibaba Cloud account owns the Anti-DDoS configuration and protected assets). – Protection attaches to public-facing assets (for example, EIP/public IP/SLB public address), and mitigation is performed in Alibaba Cloud’s network. – Regional behavior can vary: attack traffic enters through the nearest network edge; mitigation capacity and product availability can be region-dependent. Verify in official docs for the regions where you operate.

How it fits into the Alibaba Cloud ecosystem Anti-DDoS is usually part of a layered Security and availability strategy: – ECS / EIP / SLB / ALB / NAT Gateway: common origins and entry points that need DDoS resilience. – CDN: offloads cacheable traffic and can reduce origin exposure; not a replacement for Anti-DDoS for volumetric attacks against the origin IP. – WAF: protects against Layer 7 (HTTP/HTTPS) attacks; complements Anti-DDoS rather than replacing it. – Cloud Firewall: policy enforcement and traffic control; complements DDoS protection. – ActionTrail / CloudMonitor / Log Service (SLS): operations, audit, monitoring, and observability for Security events (exact integration depends on product/edition; verify).

3. Why use Anti-DDoS?

Business reasons

Reduce downtime risk: DDoS outages directly impact revenue, customer trust, and brand reputation.
Protect critical events: launches, campaigns, ticket sales, and game tournaments attract both legitimate spikes and adversarial traffic.
Lower incident cost: faster mitigation reduces engineering hours and incident severity.

Technical reasons

Upstream mitigation: filtering closer to the network edge helps even when your origin is bandwidth-limited.
Protect shared infrastructure dependencies: DDoS can overwhelm load balancers, NAT gateways, or internet links before application-level protections can help.
Defense-in-depth: DDoS protection complements WAF, rate limiting, and application hardening.

Operational reasons

Central visibility into attack events and mitigation status.
Alerting to SOC/operations teams when attacks occur.
Repeatable configuration across assets (especially with paid editions).

Security/compliance reasons

Availability is a core part of security (CIA triad: confidentiality, integrity, availability).
Some regulated industries require documented controls for resilience and incident response.

Scalability/performance reasons

Handles volumetric floods beyond what a single region or single ISP link can tolerate.
Helps maintain baseline performance during attack conditions.

When teams should choose Anti-DDoS

You run public-facing services on Alibaba Cloud that must remain available.
You have experienced attacks or operate in a high-risk sector (finance, gaming, e-commerce, public services).
You need higher mitigation thresholds than baseline protection provides.
You need better reporting/alerting/operational controls than baseline.

When teams should not choose it (or should choose something else too)

You only need application-layer protections (SQLi, XSS, bots) → add WAF.
Your service is not internet-facing (private VPC-only) → DDoS risk is different; focus on internal controls and upstream exposure.
You need global anycast front-door and optimized global routing; Anti-DDoS alone might not satisfy global acceleration needs (consider architecture with CDN/GA-like services—verify Alibaba Cloud offerings for your region).
You cannot tolerate any potential blackholing at extreme attack levels; you still need multi-region failover, alternative providers, and a broader resilience plan.

4. Where is Anti-DDoS used?

Industries

E-commerce & retail: checkout APIs, payment gateways, flash sales.
Gaming: UDP-based game traffic and matchmaking services are common DDoS targets.
FinTech & banking: customer portals and API endpoints.
Media & streaming: content portals and live event pages.
Education: admissions portals and online exam platforms.
SaaS: public APIs and login endpoints.
Government/public services: citizen portals, tax filing, public information sites.

Team types

Security engineering / SOC
SRE / platform engineering
Network engineering
DevOps teams running internet-facing apps
Operations/IT teams managing production services

Workloads

Web applications (HTTP/HTTPS)
Public APIs
Game servers (often TCP/UDP)
VPN gateways / bastion endpoints (note: consider restricting exposure)
Public DNS authoritative endpoints (specialized patterns—verify)

Architectures and deployment contexts

Single-region internet-facing apps behind SLB/ALB and/or EIP.
Multi-tier VPC apps with a public load balancer and private application tiers.
Hybrid setups where some components are on-premises but exposed through cloud front doors.
Production workloads are the primary target; dev/test environments should be protected too if exposed, but cost/controls may differ.

Production vs dev/test usage

Production: Anti-DDoS should be designed with clear RTO/RPO and incident procedures; consider paid editions if baseline is insufficient.
Dev/test: avoid exposing endpoints publicly when not needed; rely on baseline where possible; use access control (security groups, VPN) to reduce exposure rather than paying for higher tiers for noncritical assets.

5. Top Use Cases and Scenarios

Below are realistic Anti-DDoS use cases. Exact controls and workflows can differ by edition—verify in official docs for the edition you use.

1) Protect a public website behind SLB

Problem: Volumetric attacks overwhelm the public endpoint and make the site unreachable.
Why Anti-DDoS fits: Mitigates malicious traffic upstream and helps keep the SLB reachable.
Scenario: An e-commerce storefront behind a public SLB gets hit with a SYN flood during a sale; Anti-DDoS absorbs the flood so real users can browse and purchase.

2) Protect an API with an EIP

Problem: Attackers flood a public API with connection requests, saturating bandwidth/conntrack.
Why it fits: Network-layer mitigation reduces junk traffic before it reaches your ECS/API gateway.
Scenario: A mobile app API server with an EIP experiences repeated UDP floods; Anti-DDoS reduces impact and keeps API latency stable.

3) Protect a game server (UDP/TCP)

Problem: UDP floods and reflection attacks disrupt real-time gameplay.
Why it fits: DDoS services commonly include protection against UDP flood patterns (capability depends on edition and protocols supported).
Scenario: A multiplayer game’s lobby service is attacked; Anti-DDoS keeps the public endpoint reachable.

4) Reduce blackhole risk for business-critical IPs

Problem: When attack traffic exceeds baseline thresholds, the provider may blackhole the IP to protect the network.
Why it fits: Higher-tier Anti-DDoS often increases mitigation thresholds and provides more control/visibility.
Scenario: A payment callback endpoint cannot be down; the team upgrades protection to reduce blackhole probability during attacks.

5) Protect multiple services with consistent policy

Problem: Many public IPs across environments have inconsistent protection and monitoring.
Why it fits: Centralized asset management and alerting improves operational consistency.
Scenario: A SaaS company standardizes DDoS monitoring across 30 public endpoints.

6) Protect a marketing campaign landing page

Problem: Attackers attempt to disrupt a high-visibility event, causing reputational damage.
Why it fits: Anti-DDoS provides upstream capacity beyond a single region’s bandwidth.
Scenario: A product launch site is hit with HTTP connection floods plus volumetric traffic; Anti-DDoS helps keep the endpoint reachable (add WAF for L7 patterns).

7) Secure a public login endpoint (availability)

Problem: Login endpoint becomes unavailable due to packet floods, preventing customers from accessing accounts.
Why it fits: Protects the network/transport layers; combine with WAF/bot management for credential stuffing.
Scenario: A B2B portal faces both DDoS and brute-force attempts; Anti-DDoS maintains availability while WAF handles app-layer attacks.

8) Protect a public webhook receiver

Problem: Webhook endpoint is flooded to cause downstream backlogs and failures.
Why it fits: DDoS mitigation reduces useless traffic and helps maintain stable ingress.
Scenario: An order processing webhook used by partners receives an attack; Anti-DDoS stabilizes ingress while rate limiting is applied at the app layer.

9) Mitigate attack spillover to dependent systems

Problem: Attacks saturate NAT gateways, shared internet links, or upstream limits, impacting unrelated services.
Why it fits: Filtering upstream reduces blast radius.
Scenario: A single attacked service shares VPC egress paths; Anti-DDoS reduces congestive collapse.

10) Protect a public DNS/edge endpoint (availability focus)

Problem: Volumetric UDP floods degrade DNS responsiveness.
Why it fits: DDoS mitigation can help at the network layer (DNS-specific protection may require specialized services; verify).
Scenario: An internet-facing service’s supporting endpoints are attacked; Anti-DDoS is part of a broader edge strategy.

11) Improve incident response with attack visibility

Problem: During an attack, teams need evidence, timelines, and metrics.
Why it fits: Dashboards and reports support forensics and post-incident reviews.
Scenario: Security team uses attack reports to document events for management and compliance.

12) Meet customer availability requirements (SLA-driven)

Problem: Enterprise customers require proof of DDoS mitigation measures.
Why it fits: Anti-DDoS provides a formal control that can be referenced in security questionnaires.
Scenario: A SaaS vendor includes Anti-DDoS in its security architecture to satisfy procurement.

6. Core Features

Feature availability varies significantly by edition and by the type of protected asset (EIP, SLB, public IP, etc.). Treat the items below as a capability map and confirm details for your exact Anti-DDoS offering in official docs.

6.1 Baseline DDoS protection for public-facing Alibaba Cloud assets

What it does: Provides default, always-on DDoS mitigation for certain public endpoints.
Why it matters: Many attacks are opportunistic; baseline protection reduces the risk of trivial downtime.
Practical benefit: You get protection without deploying appliances.
Limitations/caveats: Thresholds and visibility are limited; extreme attacks can still trigger blackholing. Coverage depends on asset type and region—verify.

6.2 DDoS detection and automated mitigation (scrubbing)

What it does: Detects abnormal traffic patterns and applies filtering/scrubbing.
Why it matters: Manual response is too slow for high-volume attacks.
Practical benefit: Reduces malicious packets reaching your origin, preserving bandwidth and connection resources.
Limitations/caveats: No service can guarantee mitigation of every attack type/size; application-layer attacks may require WAF and app tuning.

6.3 Traffic diversion and cleaning (network-level)

What it does: Routes suspicious traffic through mitigation capacity to remove attack traffic.
Why it matters: Origin bandwidth and state tables are easy to exhaust.
Practical benefit: Keeps your application reachable even during floods.
Limitations/caveats: Diversion behavior is provider-controlled; in some models, this is transparent; in others, you may need to bind assets or configure endpoints (paid editions). Verify how diversion works for your SKU.

6.4 Protection for common DDoS attack types (L3/L4)

What it does: Mitigates floods like SYN floods, UDP floods, ICMP floods, reflection/amplification patterns, and malformed packets (exact list varies).
Why it matters: Most real-world DDoS volume is at L3/L4.
Practical benefit: Protects TCP/UDP services that WAF cannot cover.
Limitations/caveats: If your workload uses unusual protocols/ports, confirm support and tuning options.

6.5 Higher mitigation capacity and dedicated protection (paid editions)

What it does: Increases mitigation thresholds/capacity and may offer dedicated resources and richer operational features.
Why it matters: Baseline protection may not be enough for popular brands, gaming, finance, or recurring attacks.
Practical benefit: Lower probability of blackholing and better control during sustained attacks.
Limitations/caveats: Cost increases with protection capacity and features; procurement may involve subscription terms.

6.6 Asset management and binding protected IPs (paid editions)

What it does: Lets you add/bind public-facing assets (like EIPs) into the Anti-DDoS protection scope.
Why it matters: You need consistent protection across many endpoints.
Practical benefit: Central place to manage protected objects.
Limitations/caveats: Some assets may not be supported; there can be per-instance limits. Verify quotas.

6.7 Alerts and notifications

What it does: Notifies you when attacks are detected, mitigation starts/stops, or thresholds are exceeded.
Why it matters: Operations needs awareness and audit trails.
Practical benefit: Faster incident response and postmortems.
Limitations/caveats: Alert channels vary (console, email/SMS, integration). Confirm supported channels and any additional costs for SMS.

6.8 Attack reports and analytics

What it does: Shows attack timelines, peak bandwidth/packets, top source regions (when available), and attack vectors.
Why it matters: Helps tune defenses and communicate impact.
Practical benefit: Evidence for security reviews and incident reports.
Limitations/caveats: Data retention windows vary; detailed logs may require paid features or integration with Log Service.

6.9 Blackhole (null route) handling and visibility

What it does: When an attack exceeds certain thresholds, traffic to the target IP may be temporarily dropped (“blackholed”) to protect the network.
Why it matters: Blackholing is a major availability risk during large attacks.
Practical benefit: Anti-DDoS helps reduce the likelihood and duration of blackholes (depending on edition).
Limitations/caveats: Blackholing can still occur under extreme attacks; exact thresholds are provider-controlled. Ensure stakeholders understand this.

6.10 Integration with monitoring, audit, and operations tooling

What it does: Supports operational monitoring and auditing through Alibaba Cloud services (for example, ActionTrail for API auditing; CloudMonitor for metrics/alarms; Log Service for logs—verify your edition’s integrations).
Why it matters: Security controls must be observable and auditable.
Practical benefit: Better incident handling and compliance posture.
Limitations/caveats: Some integrations require extra setup and cost.

7. Architecture and How It Works

High-level service architecture

At a high level, Anti-DDoS operates in the network path between the internet and your Alibaba Cloud public endpoint:

Your service is exposed via a public IP (EIP/public SLB IP/public ECS IP).
Alibaba Cloud monitors traffic patterns to that endpoint.
If traffic is identified as a DDoS attack, Anti-DDoS mitigates it upstream (scrubbing/filtering).
Clean traffic is forwarded to your origin; malicious traffic is dropped or rate-limited.
If the attack is too large (beyond thresholds), the provider may blackhole the IP temporarily.

Request/data/control flow

Data plane: Internet → Alibaba Cloud edge/BGP → DDoS detection & scrubbing → your protected endpoint → your application.
Control plane: You manage settings and view reports in the Anti-DDoS console (and possibly via APIs). Alerts are delivered via configured channels.

Integrations with related services

Common patterns: – ECS + EIP: Direct public exposure for APIs or small apps. – SLB/ALB: Public load balancing; origins stay private. – CDN: Offloads cacheable traffic and reduces direct origin exposure; still protect origins. – WAF: Application-layer protection against HTTP floods/bots/exploits (complements Anti-DDoS). – Cloud Firewall: Network access policies, outbound control, threat intel (complements Anti-DDoS). – ActionTrail: Audit console/API actions relevant to Security changes. – CloudMonitor: Alerts when service health or traffic changes indicate attacks.

Dependency services

Internet ingress to Alibaba Cloud (BGP/edge).
The protected asset itself (EIP/SLB/public IP).
Optional: monitoring/audit services.

Security/authentication model

Managed by Alibaba Cloud account and RAM (Resource Access Management).
You grant RAM identities permission to view or administer Anti-DDoS configurations.
Use ActionTrail to audit changes (where supported).

Networking model

Anti-DDoS operates at the network edge/upstream of your VPC ingress.
You typically do not deploy agents.
Some advanced offerings (in some markets) can require DNS/CNAME or proxying for application-level protection—treat those as separate workflows (verify in docs).

Monitoring/logging/governance considerations

Decide who owns: detection, triage, escalation, communications.
Establish runbooks for blackhole events and failover.
Tag protected assets and keep an inventory (EIPs, SLBs, domains, services).
Export or retain attack reports according to compliance needs.

Simple architecture diagram (Mermaid)

flowchart LR
  U[Internet Users] --> T[Attack Traffic + Legit Traffic]
  T --> EDGE[Alibaba Cloud Edge Network]
  EDGE --> AD[Anti-DDoS Mitigation]
  AD -->|Clean traffic| PUB[Public Endpoint\n(EIP/SLB Public IP)]
  PUB --> APP[Application\n(ECS/Container/Service)]
  AD -->|Drop malicious traffic| DROP[(Dropped)]

Production-style architecture diagram (Mermaid)

flowchart TB
  subgraph Internet
    A[Legitimate Users]
    B[Attack Sources]
  end

  A --> EDGE[Alibaba Cloud Edge / BGP]
  B --> EDGE

  EDGE --> ADDOS[Anti-DDoS\nDetection + Scrubbing]

  ADDOS -->|Clean traffic| SLB[Public SLB/ALB]
  ADDOS -->|Drop/Rate-limit| X[(Mitigated)]

  SLB --> WAF[WAF (optional)\nHTTP/HTTPS Protection]
  WAF --> APPGW[API Gateway / Ingress (optional)]
  APPGW --> SVC[App Tier\nECS/ACK/Services]
  SVC --> DB[(Database in VPC)]
  SVC --> CACHE[(Cache)]

  subgraph Ops
    CM[CloudMonitor\nAlerts]
    AT[ActionTrail\nAudit]
    SLS[Log Service (SLS)\nCentral Logs]
  end

  ADDOS -. events/metrics .-> CM
  SLB -. access logs .-> SLS
  WAF -. security logs .-> SLS
  Console[Alibaba Cloud Console / APIs] -. config changes .-> AT

8. Prerequisites

Account and billing

An active Alibaba Cloud account with billing enabled.
If you plan to use paid Anti-DDoS editions, ensure your account can purchase subscriptions or pay-as-you-go (model varies by SKU—verify).

Permissions / IAM (RAM)

You need permissions to: – View and manage Anti-DDoS settings. – View and manage the assets you protect (EIP, SLB, ECS). – Configure alerting/monitoring if you use CloudMonitor. – Review audit logs if you use ActionTrail.

Verify in official docs: Alibaba Cloud provides system policies in RAM for many services. Confirm the exact Anti-DDoS policy names and required API actions for least privilege.

Tools

Alibaba Cloud Console access.
SSH client to configure a test server (for the lab).
Optional: Alibaba Cloud CLI (aliyun) if you prefer automation (Anti-DDoS API coverage differs by product; verify).

Region availability

Anti-DDoS availability and editions vary by region and by Alibaba Cloud site (international vs mainland China).
Confirm support for your target region(s) in official documentation.

Quotas/limits

Potential limits (vary by edition; verify): – Number of protected assets per instance/edition. – Maximum protection capacity per protected IP. – Reporting retention time. – Alerting limits or paid notification channels.

Prerequisite services (for this tutorial lab)

ECS instance (Linux) in a VPC.
EIP (Elastic IP Address) bound to the ECS instance (or a public-facing SLB).
Security group rules allowing inbound HTTP/SSH (for lab only; lock down later).

9. Pricing / Cost

Anti-DDoS pricing depends heavily on edition, protection capacity, and billing model available in your region. Do not rely on generic pricing—always confirm using the official pricing page and your console.

Pricing dimensions (common patterns)

Depending on the Anti-DDoS offering you select, pricing can include: – Edition / plan tier (baseline vs higher tiers). – Protection capacity (often expressed as mitigation bandwidth capacity; sometimes separate L4 and L7 capacities). – Number of protected assets (EIPs/SLB IPs/domains). – Feature add-ons (advanced reporting, log retention, specialized protection). – Billing model: subscription, pay-as-you-go, or negotiated enterprise contract (varies).

Free tier / baseline

Many Alibaba Cloud public endpoints include baseline Anti-DDoS protection at no additional charge.
Thresholds and scope vary by product and region—verify in official docs for your asset type (EIP vs SLB vs public ECS IP).

Cost drivers (what makes it expensive)

Choosing a higher-tier Anti-DDoS plan for higher mitigation capacity.
Protecting many public endpoints.
Add-on logging/analytics features with longer retention.
Using additional edge services (CDN/WAF) as part of the overall Security design.

Hidden or indirect costs

Bandwidth/data transfer: Even if attack traffic is mitigated upstream, legitimate traffic still uses bandwidth. Also, some architectures (like proxy/CDN) change traffic patterns and billing.
Operational tooling: Log Service (SLS) ingestion and storage, CloudMonitor alarms, notification costs (SMS).
Multi-region resilience: standby infrastructure in other regions increases spend.

Network/data transfer implications

DDoS floods can drive inbound bandwidth to very high levels. While mitigated traffic might not reach your VPC, you should still understand:
Whether your service charges for some forms of processed/clean traffic.
Whether logs/analytics exports increase outbound usage.
Always validate the billing semantics for your SKU.

How to optimize cost

Prefer baseline protection for low-risk, low-criticality endpoints.
Reduce exposed surface area: use private endpoints + VPN/bastion; only expose what must be public.
Put cacheable content behind CDN to reduce origin exposure and cost.
Use WAF for L7 attack patterns; it can reduce load and some forms of “cheap-to-send, expensive-to-process” traffic.
Protect only critical EIPs/SLB IPs with paid Anti-DDoS; avoid blanket protection without risk-based prioritization.
Keep an inventory and retire unused EIPs/public services.

Example low-cost starter estimate (conceptual)

A low-cost approach usually looks like: – Use Anti-DDoS baseline included with your public endpoint(s). – Add CloudMonitor alarms on your ECS/SLB metrics to detect unusual spikes. – Add WAF/CDN only if your app needs it.

Because pricing varies by region and product edition, do not assume a numeric cost. Start by checking: – The Anti-DDoS product pricing page (official). – The Alibaba Cloud pricing calculator (official, if available for your region).

Example production cost considerations (conceptual)

In production for a high-risk service: – Budget for paid Anti-DDoS capacity sized to your threat model. – Add WAF and possibly CDN. – Add Log Service for centralized retention of security logs and attack reports. – Plan for multi-region DR if downtime costs are high.

Official pricing references (verify and use your region): – Product page (often includes pricing entry points): https://www.alibabacloud.com/product/ddos-protection
– Documentation landing (choose your Anti-DDoS offering): https://www.alibabacloud.com/help
– General pricing entry point: https://www.alibabacloud.com/pricing

If your console shows a different product name (for example “DDoS Protection”), use the console’s “Buy” page as the source of truth for your region and account.

10. Step-by-Step Hands-On Tutorial

This lab focuses on something you can do safely and inexpensively: stand up a small public web endpoint, confirm baseline Anti-DDoS visibility, and set up operational monitoring. It does not attempt to generate a DDoS attack (unsafe and against acceptable use in many environments).

Objective

Deploy a small NGINX web server on an Alibaba Cloud ECS instance with an EIP.
Confirm the public IP is visible in the Anti-DDoS console (baseline protection).
Set up basic monitoring/alerts to detect abnormal inbound traffic and availability issues.

Lab Overview

You will: 1. Create an ECS instance and attach an EIP. 2. Install NGINX and publish a test page. 3. Verify reachability from the internet. 4. Open the Anti-DDoS console and confirm the asset is listed (baseline protection). 5. Configure CloudMonitor alarms for inbound bandwidth and availability symptoms. 6. Clean up resources to avoid ongoing charges.

Expected time: 45–75 minutes
Cost: ECS + EIP charges may apply. Baseline Anti-DDoS is typically included. CloudMonitor basic alarms may be free/limited; SMS notifications may cost extra (verify in your account).

Step 1: Create a VPC and ECS instance (Linux)

Console path (typical): – Alibaba Cloud Console → ECS → Instances → Create Instance

Recommended lab choices (cost-aware): – A small general-purpose instance type (choose the smallest that fits your region’s availability). – Pay-as-you-go for short testing (if available). – Linux image (Alibaba Cloud Linux / CentOS / Ubuntu—choose one you’re comfortable with). – In a new or existing VPC in your chosen region.

Security group rules (lab-only): – Allow inbound TCP 22 from your IP only (SSH). – Allow inbound TCP 80 from 0.0.0.0/0 (HTTP) for testing.

Expected outcome – ECS instance is running. – You have private VPC networking configured. – You can see the instance in the ECS console.

Step 2: Allocate an Elastic IP (EIP) and associate it to the ECS

Console path (typical): – Alibaba Cloud Console → EIP (or “Elastic IP Address”) → Create EIP – Then Associate the EIP to your ECS instance

Expected outcome – ECS instance has a public IPv4 address via EIP. – You can see the EIP associated with your instance in the console.

Verification – Copy the EIP address; you’ll use it for SSH and HTTP checks.

Step 3: Connect via SSH and install NGINX

From your local machine:

ssh root@<YOUR_EIP>

If your image uses a non-root default user (for example, ubuntu), use that user instead.

Install and start NGINX.

Alibaba Cloud Linux / CentOS / RHEL-family (yum/dnf):

sudo yum -y install nginx || sudo dnf -y install nginx
sudo systemctl enable nginx
sudo systemctl start nginx

Ubuntu/Debian (apt):

sudo apt-get update
sudo apt-get -y install nginx
sudo systemctl enable nginx
sudo systemctl start nginx

Create a simple home page:

echo "Anti-DDoS lab: $(hostname) - $(date)" | sudo tee /usr/share/nginx/html/index.html

Expected outcome – NGINX is running. – A test page is served from the instance.

Step 4: Verify HTTP reachability from the internet

From your local machine:

curl -i http://<YOUR_EIP>/

Expected outcome – You receive HTTP/1.1 200 OK and your test page content.

If it fails, check: – Security group inbound rule for TCP 80. – OS firewall rules (for example, ufw status on Ubuntu). – NGINX service status.

Step 5: Confirm baseline Anti-DDoS visibility for the public IP

In Alibaba Cloud Console, search for Anti-DDoS (or DDoS Protection depending on your console labeling).
Open the Anti-DDoS console.
Look for pages such as: – Assets / Protected Assets – Overview – Events / Attack Analysis – Security Reports

The exact navigation and labels vary by edition and console updates. Your goal is to find your EIP/public IP and confirm it is covered by baseline protection.

Expected outcome – Your public IP (EIP) or associated internet-facing asset appears as protected by baseline Anti-DDoS (or shows a default protection status). – You can see whether there are any ongoing events (there should be none in a quiet lab).

Verification – Record the asset identifier (EIP, IP address, or instance association) and any displayed baseline thresholds/status (if shown). – If you do not see your IP: – Confirm you are in the correct account and region. – Confirm the endpoint is a supported asset type for baseline display. – Some consoles show baseline protection in a centralized global view; others are per region. Verify in official docs for where baseline assets are listed.

Step 6: Set up CloudMonitor alarms for early detection (recommended)

Anti-DDoS mitigates attacks, but operations still need signals. Create alarms to detect “something is wrong” symptoms.

Open CloudMonitor in Alibaba Cloud Console.
Create an alarm rule for your ECS instance: – Metric: Internet inbound bandwidth (or the closest equivalent metric available in your region/instance) – Condition: threshold above your normal baseline for a sustained period (for example, 5–10 minutes)
Create an alarm rule for: – CPU utilization spike (helps detect application overload due to L7 floods/bots) – Optionally: connection count metrics if available

Expected outcome – You have alerts that notify you when traffic/compute patterns indicate possible abuse or misconfiguration.

Verification – Test alarm delivery (some setups allow a “send test notification”). – Confirm alarm is in “Enabled” state.

Notification channels (email/SMS/webhook) vary and may cost money (especially SMS). Verify billing for notifications in your account.

Step 7 (Optional): If you have a paid Anti-DDoS edition, bind/protect the EIP and enable enhanced reporting

If your organization already purchased a paid Anti-DDoS tier, you will usually do one or more of the following (exact steps vary by edition): – Add/bind the EIP (or SLB IP) as a protected asset under the paid instance. – Configure protection policies (for example, mitigation modes, thresholds, protocol settings—if exposed). – Enable/report detailed attack logs and retention. – Configure alert recipients and escalation.

Expected outcome – The asset is associated with the paid protection plan and shows enhanced status/reporting options.

Verification – Confirm the asset appears in the paid plan’s protected assets list. – Confirm you can view richer attack analytics or configuration options.

If these options are not visible, it may mean: – Your account does not have that edition. – The asset type is not supported in that plan. – You are in the wrong region/scope. – Feature is not enabled for your account. Check official docs or open a support ticket.

Validation

Use this checklist:

[ ] curl http://<EIP>/ returns 200 OK.
[ ] ECS security group allows inbound TCP 80 (for lab) and TCP 22 (restricted).
[ ] Anti-DDoS console shows the public endpoint as covered by baseline protection or lists it in assets (as applicable).
[ ] CloudMonitor alarm rules are created and enabled.
[ ] ActionTrail (optional) is enabled to audit security-relevant changes.

Troubleshooting

Problem: HTTP fails (timeout) – Check security group inbound rule for 80. – Confirm NGINX is running: bash sudo systemctl status nginx --no-pager – Confirm NGINX is listening: bash sudo ss -lntp | grep ':80'

Problem: SSH fails – Ensure inbound 22 is allowed from your public IP. – Confirm you used the correct username and key/password. – If you changed security group rules, allow a minute for propagation.

Problem: EIP is reachable but Anti-DDoS console does not show it – Anti-DDoS UI grouping can differ by region and product edition. – Some baseline protection may not list assets explicitly, but still applies. – Confirm you searched for both Anti-DDoS and DDoS Protection in console. – Verify in official docs which assets are visible and where.

Problem: Unexpected charges – EIP and ECS incur charges while allocated/running. – SMS notifications can incur charges. – Paid Anti-DDoS editions incur subscription charges—confirm before enabling.

Cleanup

To avoid ongoing charges: 1. Delete CloudMonitor alarm rules created for the lab (optional). 2. Stop and release ECS instance (or delete it). 3. Unassociate and release the EIP (important). 4. Delete any test security group rules that opened ports to the internet.

Expected outcome – No billable compute/network resources remain allocated for the lab.

11. Best Practices

Architecture best practices

Minimize exposed endpoints: Put apps behind SLB/ALB; keep origins private in VPC subnets.
Use layered protection:
Anti-DDoS for L3/L4 volumetric and protocol floods
WAF for L7 threats
CDN for caching and reducing origin exposure
Design for failover: For critical services, plan multi-region or multi-provider strategies. DDoS is an availability threat—assume extreme cases.
Separate critical IPs: Don’t multiplex too many critical services on a single public IP if you can avoid it; blackholing can take all of them down.

IAM/security best practices

Use RAM least privilege: separate roles for “view only” (SOC) vs “admin” (network/security ops).
Require MFA for console users.
Audit changes with ActionTrail and alert on Security-related configuration changes.

Cost best practices

Use baseline where sufficient; upgrade only for endpoints with clear risk/impact.
Retire unused EIPs and public services.
Centralize logging carefully—retain only what you need for compliance.

Performance best practices

Keep app performance robust:
Use connection timeouts sensibly.
Tune NGINX/ingress settings.
Use autoscaling where appropriate.
DDoS is not only network-level; app-layer floods can degrade CPU/memory.

Reliability best practices

Prepare runbooks for:
Attack detection and stakeholder communication
Blackhole events and recovery actions
Temporary rate limits and feature flags
Regularly test incident response procedures (tabletop exercises).

Operations best practices

Establish baselines for:
normal inbound bandwidth
normal connection rates
normal error rates and latency
Configure alerting to reduce noise:
Use sustained thresholds (e.g., 5–10 minutes) to avoid false positives.
Keep contact and escalation lists current.

Governance/tagging/naming best practices

Tag EIPs/SLBs with:
env (prod/stage/dev)
owner
service
criticality
Maintain an inventory that maps:
IP → DNS name → service → owner → protection tier

12. Security Considerations

Identity and access model

Anti-DDoS is managed at the account level; use RAM to delegate access.
Apply least privilege and separate duties:
SOC: read-only access to dashboards/reports
NetSec/Ops: admin access for mitigation policies and asset management

Encryption

Anti-DDoS operates at network layers. Encryption considerations are typically addressed at:
TLS termination at SLB/ALB/WAF/ingress
End-to-end encryption from client to origin (where required)
Anti-DDoS does not replace TLS; keep TLS configurations modern.

Network exposure

DDoS protection does not fix overly permissive network access.
Restrict management ports (SSH/RDP) to trusted IP ranges or use VPN/bastion.
Prefer private origins; expose only load balancers or controlled ingress points.

Secrets handling

Anti-DDoS itself typically does not require application secrets.
Protect console/API credentials:
Use RAM users/roles, rotate access keys
Store secrets in a secrets manager if used in automation (verify Alibaba Cloud secrets product for your environment)

Audit/logging

Enable ActionTrail for auditing of:
configuration changes
resource modifications (EIP/SLB changes can affect exposure)
Centralize logs in Log Service (SLS) when appropriate:
SLB access logs
WAF logs
application logs
Confirm whether Anti-DDoS attack logs can be exported in your edition (verify).

Compliance considerations

Document your availability controls:
what Anti-DDoS tier protects which endpoints
incident response process
monitoring and alerting approach
Ensure log retention meets regulatory requirements (retention periods vary by service/edition).

Common security mistakes

Assuming Anti-DDoS stops application-layer abuse (bots, credential stuffing).
Exposing SSH/RDP to the internet and relying on Anti-DDoS as “protection.”
Not planning for blackhole scenarios and not having a failover strategy.
Not alerting on traffic anomalies until users complain.

Secure deployment recommendations

Put public apps behind SLB/ALB and (when needed) WAF.
Use private subnets for application and database tiers.
Use strong IAM controls and audit logging.
Keep a documented DDoS playbook and communicate to stakeholders.

13. Limitations and Gotchas

The following are common limitations; exact details depend on your Anti-DDoS edition and region—verify in official docs.

Blackholing can still occur if attacks exceed thresholds; Anti-DDoS reduces risk but does not eliminate it.
Application-layer floods may still degrade your service even if network floods are mitigated; use WAF, caching, and application tuning.
Visibility varies: baseline protection often has limited dashboards and limited historical data.
Asset coverage differences: not every public endpoint type is managed the same way (EIP vs SLB vs public ECS IP).
Regional product differences: Alibaba Cloud offerings and feature names can differ between regions and between international vs mainland China consoles.
Operational confusion due to naming: you may see “Anti-DDoS”, “DDoS Protection”, and separate “Anti-DDoS” subproducts in console.
Notification costs: SMS alerts (if used) can incur charges.
Change management matters: moving IPs, changing EIPs, or re-architecting entry points can accidentally bypass expected protection.
Third-party dependencies: if you rely on external DNS/CDN, misconfiguration can expose origin IPs directly, bypassing intended front doors.

14. Comparison with Alternatives

Anti-DDoS is one layer in a broader Security and availability strategy.

Within Alibaba Cloud

WAF: Protects HTTP/HTTPS at Layer 7 (bots, exploits, app-layer floods). Complementary.
CDN: Offloads traffic and hides origin in many cases. Not a full DDoS replacement for origin IP floods, but helpful.
Cloud Firewall: Central network security policy and threat protection. Complementary.

Other clouds / vendors

AWS Shield / AWS Shield Advanced: Managed DDoS protection integrated with AWS edge and services.
Azure DDoS Protection: DDoS protection for Azure public IPs and VNet resources.
Google Cloud Armor: DDoS protection and WAF capabilities at Google edge.
Cloudflare / Akamai / Fastly: Large global edge networks providing DDoS mitigation and WAF (often proxy/DNS-based).

Open-source / self-managed

Self-managed scrubbing is rarely feasible unless you operate a large network footprint.
On-host mitigation (iptables/nftables, SYN cookies, rate limiting) helps with small attacks but is not sufficient for volumetric floods.

Comparison table

Option	Best For	Strengths	Weaknesses	When to Choose
Alibaba Cloud Anti-DDoS	Protecting Alibaba Cloud internet-facing assets	Upstream mitigation integrated with Alibaba Cloud network; baseline protection often included	Edition/region differences; may still blackhole at extreme volumes; L7 needs WAF	You run workloads on Alibaba Cloud and need DDoS resilience
Alibaba Cloud WAF	HTTP/HTTPS app protection	Strong for L7 threats and HTTP floods; virtual patching	Doesn’t protect non-HTTP protocols; not designed for raw volumetric L3/L4 floods alone	You need app-layer protection and bot/threat controls
Alibaba Cloud CDN	Static/edge caching and origin shielding	Reduces origin exposure; improves latency	Not a substitute for protecting origin IP directly; cache bypass can still hit origin	You have cacheable content and want edge offload
Alibaba Cloud Cloud Firewall	Central network security governance	Policy control, visibility, segmentation	Not a DDoS scrubber; doesn’t absorb volumetric floods	You need centralized network security posture management
Cloudflare (DDoS + WAF)	Multi-cloud/global edge protection	Huge edge; simple DNS/proxy onboarding	Proxy model; may require architectural changes; cost	You need global edge with fast onboarding and multi-cloud front door
AWS Shield / Azure DDoS	DDoS protection within those clouds	Tight integration with native services	Cloud-specific	You primarily run in that cloud and want native DDoS controls
Self-managed mitigation (iptables, rate limit)	Small-scale abuse and tuning	Cheap and immediate	Doesn’t handle volumetric attacks; risk of collateral damage	Use only as a supplement, not as primary DDoS defense

15. Real-World Example

Enterprise example: Regional e-commerce platform

Problem: The company runs a high-traffic storefront on Alibaba Cloud. During major sales, attackers launch SYN floods and UDP reflection attacks against the public entry points, causing timeouts and failed checkouts.
Proposed architecture:
Public ingress: Anti-DDoS protecting the public endpoints (SLB/ALB and/or EIPs as applicable)
WAF in front of web/API endpoints for Layer 7 threats
CDN for static assets and caching
Private app tier in VPC; databases not publicly reachable
Central logging (SLS), CloudMonitor alarms, ActionTrail auditing
Why Anti-DDoS was chosen: Tight alignment with Alibaba Cloud public endpoints and upstream mitigation reduces volumetric impact; paid tier considered for higher thresholds where baseline is insufficient.
Expected outcomes:
Reduced downtime during volumetric floods
Faster detection and response with better attack visibility
Clearer reporting for executive stakeholders and compliance

Startup/small-team example: B2B SaaS API

Problem: A small team exposes a public API on an ECS instance with an EIP. They experience periodic traffic floods causing CPU spikes and connection exhaustion.
Proposed architecture:
Baseline Anti-DDoS on public endpoint
Move from direct ECS exposure to SLB/ALB front door
Add WAF only if HTTP abuse persists
Add CloudMonitor alarms and incident runbook
Why Anti-DDoS was chosen: Baseline protection is a cost-effective first step; the team can upgrade if attacks become sustained or larger.
Expected outcomes:
Better uptime against common opportunistic floods
Better operational readiness (alerts, documented response)
Reduced direct origin exposure by using a load balancer

16. FAQ

1) Is Anti-DDoS enabled by default on Alibaba Cloud?
For many internet-facing Alibaba Cloud assets, baseline DDoS protection is commonly enabled by default. Coverage and thresholds vary by asset type and region—verify in official docs and your console.

2) What’s the difference between baseline protection and paid Anti-DDoS?
Baseline is typically included with limited thresholds and fewer controls/visibility. Paid tiers generally provide higher mitigation capacity and additional operational features. Exact tier names and capabilities vary—verify in your region’s product pages.

3) Does Anti-DDoS stop HTTP floods?
Anti-DDoS focuses primarily on network/transport layers. Some offerings may include HTTP-related protections, but for sustained Layer 7 attacks you should evaluate Alibaba Cloud WAF and application-side rate limiting.

4) Will Anti-DDoS prevent my IP from being blackholed?
It can reduce risk, especially with higher tiers, but blackholing can still occur if an attack exceeds thresholds. Plan for failover and incident response.

5) Do I need Anti-DDoS if I already use CDN?
CDN helps reduce origin exposure and absorbs traffic for cacheable content, but origin IPs can still be attacked directly. For critical origins, Anti-DDoS remains relevant.

6) Do I need Anti-DDoS if I already use WAF?
WAF is primarily Layer 7. Volumetric L3/L4 floods can overwhelm networks before WAF can help. Anti-DDoS + WAF together is a common pattern.

7) What Alibaba Cloud resources can I protect with Anti-DDoS?
Commonly EIPs, public SLB/ALB addresses, and other public endpoints. Exact supported asset types depend on the Anti-DDoS edition—verify in official docs.

8) Is Anti-DDoS regional or global?
Mitigation happens in Alibaba Cloud’s network and may use distributed scrubbing capacity. Product availability and controls can be region-dependent. Confirm for your deployment regions.

9) How do I know an attack is happening?
Use the Anti-DDoS console dashboards/events and configure alerts. Also monitor symptoms: inbound bandwidth spikes, increased latency, and error rates.

10) Can I test Anti-DDoS by generating attack traffic?
Do not generate DDoS traffic against real endpoints. It may violate acceptable use policies and impact others. Use safe validation: verify asset listing, alerts, and operational readiness.

11) Does Anti-DDoS change my application IP or DNS?
Baseline protection typically does not require DNS changes. Some advanced/proxy-based offerings may require DNS/CNAME changes. Verify your edition.

12) What should I log for DDoS incidents?
Collect timestamps, affected IPs, traffic metrics, SLB/WAF logs, application logs, and Anti-DDoS attack reports. Centralize in Log Service (SLS) when feasible.

13) How do I avoid exposing my origin IP?
Use SLB/ALB and keep ECS private, use CDN/WAF proxying when appropriate, and restrict direct access with security groups and firewall rules.

14) Can Anti-DDoS protect IPv6?
Support depends on product and region. Verify in official documentation for IPv6 coverage and any limitations.

15) What’s the first upgrade step if baseline isn’t enough?
Typically: move to a paid Anti-DDoS tier sized for your threat model and/or add WAF for L7 protections, while improving architecture (SLB/ALB, private origins, CDN).

17. Top Online Resources to Learn Anti-DDoS

Resource availability and naming can vary by region; use the official Alibaba Cloud Help Center navigation if a direct link changes.

Resource Type	Name	Why It Is Useful
Official product page	Alibaba Cloud DDoS Protection / Anti-DDoS product page: https://www.alibabacloud.com/product/ddos-protection	High-level overview, edition entry points, and buying links
Official documentation	Alibaba Cloud Help Center (search Anti-DDoS / DDoS Protection): https://www.alibabacloud.com/help	Canonical documentation set; choose your exact offering and region
Official pricing	Alibaba Cloud Pricing entry point: https://www.alibabacloud.com/pricing	Starting point for pricing and calculators (availability varies)
Official console	Alibaba Cloud Console: https://home.console.alibabacloud.com/	Where you actually configure and verify Anti-DDoS for your account
Official monitoring docs	CloudMonitor docs (Help Center): https://www.alibabacloud.com/help	Guides for alarms, metrics, and notifications used in operations
Official audit docs	ActionTrail docs (Help Center): https://www.alibabacloud.com/help	Audit trails for change tracking and compliance
Official architecture guidance	Alibaba Cloud Architecture Center (if available in your region): https://www.alibabacloud.com/solutions	Reference architectures and best practices for resilient designs
Official security guidance	Alibaba Cloud Security solutions pages: https://www.alibabacloud.com/solutions/security	Context for layered Security (Anti-DDoS + WAF + firewall)
Videos/webinars	Alibaba Cloud YouTube channel (verify official playlists): https://www.youtube.com/@alibabacloud	Product walkthroughs and recorded sessions (content varies)
API/SDK docs	Alibaba Cloud Developer Center / API Explorer (verify): https://api.alibabacloud.com/	Check if your Anti-DDoS offering supports APIs and how to automate

18. Training and Certification Providers

The following are training providers to explore. Availability, course outlines, and delivery modes should be confirmed on each website.

Institute	Suitable Audience	Likely Learning Focus	Mode	Website URL
DevOpsSchool.com	DevOps/SRE, cloud engineers, platform teams	Cloud operations, DevOps practices, Security fundamentals	Check website	https://www.devopsschool.com/
ScmGalaxy.com	Beginners to intermediates in DevOps/SCM	DevOps tooling, CI/CD, automation foundations	Check website	https://www.scmgalaxy.com/
CLoudOpsNow.in	CloudOps and operations teams	Cloud operations, monitoring, reliability practices	Check website	https://www.cloudopsnow.in/
SreSchool.com	SREs, platform engineers	Reliability engineering, incident response, observability	Check website	https://www.sreschool.com/
AiOpsSchool.com	Ops/SRE with automation interest	AIOps concepts, automation, operations analytics	Check website	https://www.aiopsschool.com/

19. Top Trainers

These sites may list trainers, training services, or related support offerings. Verify current focus and credentials directly on each site.

Platform/Site	Likely Specialization	Suitable Audience	Website URL
RajeshKumar.xyz	DevOps/cloud training content (verify)	Beginners to intermediate engineers	https://rajeshkumar.xyz/
devopstrainer.in	DevOps training (verify)	DevOps engineers, sysadmins, SREs	https://www.devopstrainer.in/
devopsfreelancer.com	Freelance DevOps services/training (verify)	Teams seeking hands-on implementation help	https://www.devopsfreelancer.com/
devopssupport.in	DevOps support and enablement (verify)	Ops teams needing practical guidance	https://www.devopssupport.in/

20. Top Consulting Companies

The following organizations may offer consulting services relevant to cloud Security and operations. Verify service scope, case studies, and references directly with each company.

Company	Likely Service Area	Where They May Help	Consulting Use Case Examples	Website URL
cotocus.com	Cloud/DevOps consulting (verify)	Architecture reviews, DevOps enablement, Security posture	Anti-DDoS onboarding guidance, resilient ingress design, monitoring setup	https://cotocus.com/
DevOpsSchool.com	DevOps/cloud consulting & training (verify)	Platform engineering, automation, cloud migration support	Designing layered Security (Anti-DDoS + WAF), incident readiness, operational runbooks	https://www.devopsschool.com/
DEVOPSCONSULTING.IN	DevOps consulting (verify)	CI/CD, operations processes, cloud operations	Hardening public endpoints, observability, cost controls	https://devopsconsulting.in/

21. Career and Learning Roadmap

What to learn before Anti-DDoS

Networking fundamentals: TCP/UDP, SYN/ACK, MTU, NAT, BGP basics (conceptual)
Web fundamentals: HTTP/HTTPS, TLS termination, reverse proxies
Alibaba Cloud basics: VPC, ECS, EIP, SLB/ALB, security groups
Monitoring basics: metrics, logs, alerts, incident response

What to learn after Anti-DDoS

Alibaba Cloud WAF for Layer 7 protection and bot mitigation
Secure ingress design: ALB/SLB patterns, private subnets, zero trust access
Observability: Log Service (SLS) pipelines, dashboards, alert tuning
Resilience engineering: multi-region architectures, DR drills, chaos testing (carefully)
Governance: RAM least privilege, ActionTrail audits, policy-as-code (where supported)

Job roles that use Anti-DDoS

Cloud Security Engineer
SOC Analyst / Incident Responder
SRE / Reliability Engineer
Network Engineer (cloud)
DevOps / Platform Engineer
Cloud Solutions Architect

Certification path (if available)

Alibaba Cloud certifications and tracks change over time and vary by market. Look for: – Alibaba Cloud Security-related certifications – Cloud architect tracks that include Security and availability
Verify current certification listings on official Alibaba Cloud training/certification pages (region-specific).

Project ideas for practice

Build a reference “secure ingress” stack: SLB/ALB → WAF → private app tier.
Implement a DDoS incident runbook and simulate “attack-like” symptoms safely (traffic spikes via load testing from controlled clients, not DDoS).
Create CloudMonitor alarms and dashboards for inbound traffic anomalies and error rate spikes.
Inventory and tag all public endpoints; document which are protected and how.

22. Glossary

DDoS (Distributed Denial of Service): An attack where many sources send traffic to overwhelm a service, making it unavailable to legitimate users.
Volumetric attack: A flood intended to saturate bandwidth (Gbps-scale).
Protocol attack (L3/L4): Attacks exploiting network/transport behavior (e.g., SYN flood).
Application-layer attack (L7): Targets HTTP/HTTPS requests, expensive endpoints, or business logic to exhaust compute (often better handled by WAF and app controls).
Scrubbing / mitigation: Filtering malicious traffic and forwarding clean traffic to the origin.
Blackhole / null route: A protective measure where traffic to a targeted IP is dropped entirely to protect the network.
EIP (Elastic IP Address): A public IP you can allocate and associate with cloud resources.
ECS (Elastic Compute Service): Alibaba Cloud virtual machine service.
SLB/ALB: Server Load Balancer / Application Load Balancer (names and products vary); used to expose a stable public entry point and distribute traffic to private origins.
VPC (Virtual Private Cloud): Your isolated network environment within Alibaba Cloud.
RAM (Resource Access Management): Alibaba Cloud’s IAM service for users, roles, and permissions.
ActionTrail: Alibaba Cloud auditing service for API/console actions.
CloudMonitor: Monitoring and alerting service for metrics and alarms.
SLS (Log Service): Central log ingestion, storage, and analysis service.

23. Summary

Alibaba Cloud Anti-DDoS is a Security service that protects internet-facing Alibaba Cloud assets from DDoS attacks by detecting abnormal traffic and mitigating it upstream. It matters because DDoS is fundamentally an availability threat—an otherwise healthy service can still go down if network traffic overwhelms it.

Anti-DDoS fits best as part of a layered design: use it for L3/L4 floods, add WAF for L7 threats, and consider CDN to reduce origin exposure. Cost depends on whether you rely on baseline protection or purchase higher-tier capacity; the main cost drivers are the edition, mitigation capacity, and number of protected assets. From a security standpoint, control access with RAM, audit changes with ActionTrail, and build operational readiness with CloudMonitor alarms and incident runbooks.

Use Anti-DDoS when you run critical public endpoints on Alibaba Cloud and need resilience against floods; don’t treat it as a replacement for application security controls. Next, deepen your skills by learning Alibaba Cloud WAF, secure ingress architectures (SLB/ALB + private subnets), and observability with Log Service (SLS).

Category