ESA defends against Distributed Denial-of-Service (DDoS) attacks with network/transport-layer (L3/L4) protection, application-layer (L7) protection, and a DDoS analytics dashboard.
What is a DDoS attack
A DDoS attack exhausts your resources to paralyze services. It typically follows three steps:
- Build a botnet: An attacker compromises a large number of internet-connected devices through viruses, trojans, or vulnerability exploits, forming a massive command-driven network (botnet).
- Issue attack commands: The attacker sends commands to all compromised machines through a command and control (C&C) server, targeting a specific IP address or domain.
- Launch a concentrated attack: Compromised machines worldwide simultaneously flood your server with requests, overwhelming your service.
The globally distributed attack sources make tracing and blocking extremely difficult.
Common types of DDoS attacks
DDoS attacks fall into two categories by network layer:
- Network-layer/transport-layer (L3/L4) attack
  - How it works: Floods the network with crafted TCP or UDP packets to exhaust server bandwidth or connection tables, blocking legitimate requests.
  - Common types: SYN Flood, UDP Flood, ACK Flood, etc.
  - Characteristics: High-volume brute-force attacks that overwhelm targets with sheer traffic.
- Application-layer (L7) attack
  - How it works: Sends seemingly valid requests (HTTP GET/POST) that mimic legitimate user behavior. Instead of congesting the network, these requests exhaust server application resources such as CPU and memory.
  - Common type: HTTP Flood, also known as a CC attack (Challenge Collapsar).
  - Characteristics: Traffic volume is not necessarily large, but resource consumption per request is high. Attack traffic blends with legitimate traffic, making it difficult to distinguish and mitigate.
Identify a DDoS attack
Your service may be under DDoS attack if you observe any of these symptoms:
- Website or application suddenly becomes inaccessible or extremely slow.
- Network traffic surges abnormally, far exceeding normal peak levels. You can observe this in the Data Overview report on the Overview page of the ESA console.
- Server CPU or memory usage spikes to near 100% for an extended period.
- Logs show massive requests from a wide range of random IP addresses. You can use the Security Analytics feature under Security in the ESA console to investigate.
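The following is an added example, not part of the ESA documentation, of checking origin logs for the last symptom: it buckets access-log lines per minute and separates a surge spread across many source IPs from one caused by a few noisy clients. The log line format, the sample data, and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress

def build_sample_log():
    """Constructed sample data (documentation IP ranges), not real ESA logs."""
    lines = []
    for minute in range(3):        # normal traffic: 20 requests/min from 5 clients
        for i in range(20):
            lines.append(f"2024-05-01T10:0{minute}:{i:02d}Z 198.51.100.{i % 5 + 1} GET / 200")
    for i in range(240):           # 10:03: surge spread over 240 distinct sources
        lines.append(f"2024-05-01T10:03:{i % 60:02d}Z 203.0.113.{i + 1} GET /search 200")
    for i in range(150):           # 10:04: surge from a single noisy client
        lines.append(f"2024-05-01T10:04:{i % 60:02d}Z 192.0.2.10 GET /export 200")
    lines.append("truncated-line")  # malformed input must not break parsing
    return lines

def per_minute_stats(lines):
    """Return {"HH:MM": (request_count, distinct_source_ips)}."""
    hits, sources = defaultdict(int), defaultdict(set)
    for line in lines:
        parts = line.split()
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            ip = ipaddress.ip_address(parts[1])
        except (IndexError, ValueError):
            continue               # skip lines without a valid timestamp and IP
        minute = ts.strftime("%H:%M")
        hits[minute] += 1
        sources[minute].add(ip)
    return {m: (hits[m], len(sources[m])) for m in hits}

def classify_surges(stats, normal_peak, surge_factor=5, min_sources=100):
    """Label minutes whose volume is >= surge_factor x the normal peak.

    The thresholds are illustrative assumptions; tune them to your own baseline.
    """
    verdicts = {}
    for minute, (count, distinct) in stats.items():
        if count < surge_factor * normal_peak:
            continue
        verdicts[minute] = "distributed" if distinct >= min_sources else "few-sources"
    return verdicts

if __name__ == "__main__":
    stats = per_minute_stats(build_sample_log())
    print(classify_surges(stats, normal_peak=20))
```

A "distributed" verdict corresponds to the symptom in the list above; a "few-sources" surge points at individual clients rather than a botnet.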
DDoS protection in ESA
Category | Feature | Description |
Mitigate network-layer/transport-layer (L3/L4) attacks | | ESA provides Basic DDoS Protection (platform-level) by default for the Pro, Premium, and Advanced plans, defending against DDoS attacks up to 10 Gbps without guaranteeing a specific value. |
Mitigate network-layer/transport-layer (L3/L4) attacks | | With Enterprise, you can purchase additional Best-Effort Protection of up to the Tbps level and simultaneously protect Layer 4 proxy services. |
Mitigate application-layer (L7) attacks | | HTTP DDoS Attack Protection uses Alibaba Cloud anti-DDoS engine rules built on extensive attack-defense experience to reduce CC attacks reaching the origin at attack onset. |
Mitigate application-layer (L7) attacks | | During an attack, the protection engine continuously learns attack characteristics and generates targeted protection policies within minutes. |
DDoS attack data analysis | | The DDoS Analytics tab shows traffic patterns to help distinguish legitimate usage from malicious activity. |
DDoS attack data analysis | | The Attack Details tab logs all detected and mitigated DDoS attacks. Filter by time and attack type to investigate specific incidents. Use this view to: |
Protection levels
Service region | Protection level | Description |
Chinese mainland | Guaranteed 30 Gbps, max 300 Gbps protection | Guaranteed protection up to 30 Gbps. Elastic protection configurable up to 300 Gbps. For example, if you set 200 Gbps, attacks between 30–200 Gbps are billed at the elastic rate. Attacks exceeding your configured bandwidth trigger a black hole, interrupting services. |
Chinese mainland | Guaranteed 60 Gbps, max 600 Gbps protection | Guaranteed protection up to 60 Gbps. Elastic protection configurable up to 600 Gbps. For example, if you set 500 Gbps, attacks between 60–500 Gbps are billed at the elastic rate. Attacks exceeding your configured bandwidth trigger a black hole, interrupting services. |
Global (excluding Chinese mainland) | Maximum 300 Gbps | Protects against attacks up to 300 Gbps. Attacks exceeding 300 Gbps trigger a black hole, interrupting services. |
Global (excluding Chinese mainland) | Terabit-level Anycast unlimited protection (2 times/month) | Protects against attacks up to 1 Tbps with 2 protection instances per month. Attacks exceeding 1 Tbps trigger a black hole, interrupting services. Note: Only network-layer attacks peaking over 20 Gbps consume a protection instance. Application-layer CC attacks do not. An instance is consumed approximately 30 minutes after an attack ends, then the counter resets. |
Global (excluding Chinese mainland) | Terabit-level Anycast unlimited protection (unlimited instances) | Protects against attacks up to 1 Tbps. Attacks exceeding 1 Tbps trigger a black hole, interrupting services. |
- When attack traffic exceeds the protection threshold and triggers a black hole, the elastic attack bandwidth for this event is not billed.
  - Example 1: You purchase Best-Effort Protection (guaranteed 30 Gbps, max elastic 300 Gbps). If attack traffic reaches 500 Gbps and ESA triggers a black hole, the 30–300 Gbps elastic bandwidth for this event is not billed.
  - Example 2: You purchase Best-Effort Protection (guaranteed 60 Gbps, max elastic 600 Gbps). If the ESA platform lacks resources due to concurrent large-scale attacks and ESA prematurely triggers a black hole when attack traffic reaches 500 Gbps, the 60–500 Gbps elastic bandwidth is not billed.
- Chinese mainland protection is independent of Global (excluding Chinese mainland) protection. If your site is accelerated globally but you purchased only 600 Gbps Best-Effort Protection for the Chinese mainland, ESA makes a best effort to route requests to the Chinese mainland for scrubbing when other regions are attacked. Due to ICP filing requirements, cross-region protection is not currently supported for sites accelerated globally (excluding the Chinese mainland).
- For elastic protection pricing, contact us.
Feature availability by plan
Feature category | Detailed feature | Free (0 CNY/month) | Basic (9.9 CNY/month) | Standard (375 CNY/month) | Advanced (3600 CNY/month) | Enterprise (contact sales for custom pricing) |
Basic DDoS protection | ||||||
Unlimited protection | Contact sales to request on-demand customization. | |||||
HTTP DDoS attack protection | ||||||
Deep Learning and Protection | ||||||
Scenario policies |