Introduction to Alibaba's Anti-DDoS Service


Alibaba Security & Monitoring

The course is part of this learning path

Introduction to Alibaba's Anti-DDoS Service

In this course, we'll take a look at the services available to help you secure and monitor your Alibaba cloud environment and also help you prepare for the security element of Alibaba's ACA exam. We'll start by looking at Alibaba Security Center and the features that it offers.

Next, we look at Alibaba's anti-DDoS service, including a brief overview of how it works, and what versions are available. Finally, we cover Cloud Monitor, a service that allows you to monitor your cloud resources and internet applications.

Learning Objectives

  • Understand the basics of Alibaba Security Center and its offerings
  • Learn about the anti-DDoS service and how it works to protect your Alibaba cloud environments from attack
  • Learn how to monitor your resources and applications with Alibaba Cloud Monitor

Intended Audience

  • Cloud architects
  • Security engineers
  • Anyone looking to secure their Alibaba Cloud infrastructure
  • Anyone studying for the ACA exam


To get the most out of this course, you should have a basic understanding of Alibaba cloud and cloud security in general.


Hello and welcome to session two, introduction to Alibaba's anti-DDoS service. In this session, we will cover what Alibaba anti-DDoS service is, a brief overview of how it works, and what versions are available. 

Before we discuss the anti-DDoS service we first need to know what a DDoS attack is. DDoS stands for distributed denial of service. This is a type of attack where an attacker takes control of thousands or potentially tens of thousands of computers, which are often called zombies, and then uses them to simultaneously access a particular website. That website then becomes what's called the victim.

If the attacker controls enough computers to generate a large enough amount of network traffic this can have the effect of causing the victim's website to no longer be able to respond to legitimate requests. That's why it's called denial of service.

This is one of the hardest types of attack to block because as long as the attacker has enough resources at his or her disposal the attacker can essentially take down any target site simply by overloading all of the network links. And because the attack is coming from thousands or potentially tens of thousands of distinct computers, all potentially distributed around different parts of the world, this means that there is no simple rule that you can use to block a denial of service attack.

There are actually many different types of DDoS attack, but let's look at one type as an example, the SYN flood attack. If you're familiar with a TCP protocol you may be familiar with the TCP three-way handshake. This three-way handshake allows your computer to establish a connection to a remote computer.

To connect to a remote computer your computer sends a synchronized packet, or SYN packet, to establish a connection to the target computer. What the target computer will do is open a port and make a note of your IP address, and then send back a synchronized acknowledgement, or SYN ACK, which is an acknowledgement of your request. When the computer receives that SYN ACK it then sends back a final acknowledgement, or ACK, to open the TCP connection.

So, how does the attack work? Well, in a SYN flood attack what you get is potentially hundreds or thousands of machines all sending a SYN packet to a target computer at the same time. This computer now becomes the victim. The victim computer opens a port for each request and makes a note of the IP addresses, sends the SYN ACK back and then waits for the final acknowledgement, or ACK, to arrive to create the TCP connection. But that final acknowledgement never arrives and, of course, there are a limited number of port numbers available for the victim computer to use, so eventually the computer runs out of port numbers and is no longer able to respond to requests. And that's how a SYN flood overwhelms the target computer.

So, to mitigate against this kind of attack Alibaba cloud has a tool called anti-DDoS that is designed to filter out attack traffic. And it works on multiple different types of DDoS attacks. I've just covered one, SYN flood, but there are many other types of attack.

Anti-DDoS is a set of techniques, best practices, tools and systems for resisting or mitigating the impact of distributed denial of service attacks on internet facing applications by protecting the target and relay networks. Anti-DDoS is a layer four and layer seven service. It's not designed to defend against all types of attacks. However, it will work on most of the popular types of DDoS attacks that are in use today.

There are three different levels of anti-DDoS service in Alibaba Cloud. Basic, which is the default offering and is available to everyone. It offers up to five gigabytes per second of protection capability. Enterprise Pro is for use inside of mainland China and can mitigate a minimum of eight terabits per second of protection capability. And then there is Enterprise Premium, for use anywhere outside of mainland China, and can mitigate a minimum of two terabits per second of protection capability. 

The Basic edition is free but Pro and Premium are paid services. How does the anti-DDoS service work? Well, there are some slight differences between Pro and Premium but in general in order to mitigate a DDoS attack you need to be able to absorb and process all of the attack traffic, analyse it, and determine which traffic is part of the attack and which is not. Then clean the attack traffic and then pass the clean traffic back to its origin.

The way Alibaba cloud does this is to use a scrubbing service. There are twelve scrubbing centres worldwide which provides up to ten terabits per second of DDoS scrubbing capacity. All incoming traffic is matched against some heuristics that are built in to detect attacks and discards any traffic that matches the patterns that anti-DDoS knows to look for. It then passes the remaining clean traffic back to your back-end server load balancer or ECS instance.

That concludes this session on an introduction to Alibaba's anti-DDoS service. In the next session I will give an introduction to Alibaba cloud monitor. I look forward to seeing you there.

About the Author

David’s IT career started in 1990, when he took on the role of Database Administrator as a favor for his boss. He redirected his career into the Client Server side of Microsoft with NT4, and then progressed to Active Directory and each subsequent version of Microsoft Client/Server Operating Systems. In 2007 he joined QA as a Technical Trainer, and has delivered training in Server systems from 2003 to 2016 and Client systems from XP onwards. Currently, David is a Principal Technical Learning Specialist (Cloud), and delivers training in Azure Cloud Computing, specializing in Infrastructure Compute and Storage. David also delivers training in Microsoft PowerShell, and is qualified in the Alibaba Cloud Space.