- Release Notes and Announcements
- Product Introduction
- Comparison of Anti-DDoS Solutions
- Purchase Guide
- Getting Started
- Operation Guide
- Practical Tutorial
- Remote Protection Scheme with Anti-DDoS Pro
- Using Anti-DDoS Pro Together with WFA
- Suggestions on Stress Tests
- Solutions to Real Server IP Exposure
- Creating an Anti-DDoS EIP
- Configuration Directions and Notes on CC Protection Policies
- Syncing Forwarding Rules to New Anti-DDoS Advanced Instances
- Smart Scheduling of CTCC/CUCC/CMCC Traffic
- Troubleshooting
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Anti-DDoS Advanced Instance APIs
- Resource List APIs
- Protection Configuration APIs
- CreateBlackWhiteIpList
- CreateCcBlackWhiteIpList
- CreateCcGeoIPBlockConfig
- CreateDDoSAI
- CreateDDoSGeoIPBlockConfig
- CreateDDoSSpeedLimitConfig
- CreatePacketFilterConfig
- CreateProtocolBlockConfig
- CreateWaterPrintConfig
- CreateWaterPrintKey
- DeleteCcBlackWhiteIpList
- DeleteCcGeoIPBlockConfig
- DeleteDDoSGeoIPBlockConfig
- DeleteDDoSSpeedLimitConfig
- DeletePacketFilterConfig
- DeleteWaterPrintConfig
- DeleteWaterPrintKey
- DescribeCcBlackWhiteIpList
- DescribeCcGeoIPBlockConfigList
- DescribeListBlackWhiteIpList
- DescribeListDDoSAI
- DescribeListDDoSGeoIPBlockConfig
- DescribeListDDoSSpeedLimitConfig
- DescribeListPacketFilterConfig
- DescribeListProtocolBlockConfig
- DescribeListWaterPrintConfig
- ModifyCcBlackWhiteIpList
- ModifyDDoSGeoIPBlockConfig
- ModifyDDoSSpeedLimitConfig
- ModifyPacketFilterConfig
- SwitchWaterPrintConfig
- Other APIs
- Alarm Notification APIs
- Connection Configuration APIs
- Intelligent Scheduling APIs
- Black hole unblocking APIs
- Statistical Report APIs
- Data Types
- Error Codes
- FAQs
- Service Level Agreement
- Product Policy
- Glossary
- Release Notes and Announcements
- Product Introduction
- Comparison of Anti-DDoS Solutions
- Purchase Guide
- Getting Started
- Operation Guide
- Practical Tutorial
- Remote Protection Scheme with Anti-DDoS Pro
- Using Anti-DDoS Pro Together with WFA
- Suggestions on Stress Tests
- Solutions to Real Server IP Exposure
- Creating an Anti-DDoS EIP
- Configuration Directions and Notes on CC Protection Policies
- Syncing Forwarding Rules to New Anti-DDoS Advanced Instances
- Smart Scheduling of CTCC/CUCC/CMCC Traffic
- Troubleshooting
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Anti-DDoS Advanced Instance APIs
- Resource List APIs
- Protection Configuration APIs
- CreateBlackWhiteIpList
- CreateCcBlackWhiteIpList
- CreateCcGeoIPBlockConfig
- CreateDDoSAI
- CreateDDoSGeoIPBlockConfig
- CreateDDoSSpeedLimitConfig
- CreatePacketFilterConfig
- CreateProtocolBlockConfig
- CreateWaterPrintConfig
- CreateWaterPrintKey
- DeleteCcBlackWhiteIpList
- DeleteCcGeoIPBlockConfig
- DeleteDDoSGeoIPBlockConfig
- DeleteDDoSSpeedLimitConfig
- DeletePacketFilterConfig
- DeleteWaterPrintConfig
- DeleteWaterPrintKey
- DescribeCcBlackWhiteIpList
- DescribeCcGeoIPBlockConfigList
- DescribeListBlackWhiteIpList
- DescribeListDDoSAI
- DescribeListDDoSGeoIPBlockConfig
- DescribeListDDoSSpeedLimitConfig
- DescribeListPacketFilterConfig
- DescribeListProtocolBlockConfig
- DescribeListWaterPrintConfig
- ModifyCcBlackWhiteIpList
- ModifyDDoSGeoIPBlockConfig
- ModifyDDoSSpeedLimitConfig
- ModifyPacketFilterConfig
- SwitchWaterPrintConfig
- Other APIs
- Alarm Notification APIs
- Connection Configuration APIs
- Intelligent Scheduling APIs
- Black hole unblocking APIs
- Statistical Report APIs
- Data Types
- Error Codes
- FAQs
- Service Level Agreement
- Product Policy
- Glossary
Anti-DDoS Pro
Does Anti-DDoS Pro support non-Tencent Cloud IPs?
No. Anti-DDoS Pro only provides DDoS protection for public IPs in Tencent Cloud. If you need protection for IPs off Tencent Cloud, purchase Anti-DDoS Advanced, which supports protection for website domain names and service ports.
Does Anti-DDoS Pro provide protection for VPN gateways?
Yes.
Does Anti-DDoS Pro provide protection for Anycast EIPs?
Anycast EIPs cannot be connected to Anti-DDoS Pro. However, you can purchase an Anti-DDoS Advanced (Global Enterprise) instance and bind it to your Anycast EIP for protection.
What if the bound resource has expired but the Anti-DDoS Pro instance has not?
An Anti-DDoS Pro instance is purchased by month, and provides protection based on IPs. If the resource protected by your Anti-DDoS Pro instance expires and you do not change the IP bound to the instance, the instance will continue to provide protection for the bound IP, but the resource corresponding to the IP may not be yours. It is recommended to renew your Tencent Cloud resources or change the IP you want to protect in time.
The protection bandwidth of Anti-DDoS Basic is no greater than 2 Gbps. If I purchase an Anti-DDoS Pro instance, will the final protection bandwidth be the sum of the two?
No. In such a case, the final protection bandwidth you enjoy will be the protection bandwidth of the Anti-DDoS Pro instance. The default protection bandwidth of Anti-DDoS Basic will not be added to it.
For example, if a CVM IP has a free protection bandwidth of no greater than 2 Gbps and you purchase an Anti-DDoS Pro instance for it, the maximum protection capability the CVM IP enjoys will be the maximum protection capability of the Anti-DDoS Pro instance in the current region.
What are the differences between Anti-DDoS Pro and Anti-DDoS Advanced?
Protection coverage:
Anti-DDoS Pro provides DDoS protection only for services within Tencent Cloud.
Anti-DDoS Advanced is for users both in and off Tencent Cloud and supports protection for website domain names and service ports.
Connection:
Anti-DDoS Pro is easy to connect and you do not need to change your public IPs.
To connect to Anti-DDoS Advanced, you need to modify DNS or your business IPs.
What are the differences between Anti-DDoS Pro and non-BGP protection?
Difference | Anti-DDoS Pro | Non-BGP protection |
Low-cost connection | Enhanced protection capability for your cloud resources and low-cost connection without the need to change your server IPs. | Complicated configuration where you need to replace your server IPs with non-BGP IPs and enter the domain name and port information. |
Access quality | It uses BGP bandwidth and offers a lower access latency across networks and 30% higher access speed. | It has no BGP bandwidth with a high network latency and poor quality. |
Pricing policy | Billed according to the "number of protected IPs + protection times" with all-out protection available at no additional elastic costs. | Billed in a complicated manner with traffic fees incurred. |
What is a managed IP?
A managed IP refers to a customized network routing solution, which is not provided by but can be protected by Anti-DDoS Pro.
What will happen if the protection threshold of Anti-DDoS Pro is exceeded?
There is no concept of threshold in Anti-DDoS Pro.
Does Anti-DDoS Pro Light allow three chances per month to manually unblock IPs?
Yes.
Does Anti-DDoS Pro Light allow chances to manually unblock IPs for Lighthouse resources?
No.
Which edition of Anti-DDoS Pro should I purchase if I use Lighthouse?
Both editions of Anti-DDoS Pro can be purchased to protect Lighthouse instances. The difference lies in the protection capabilities and discounts. For more information, see Billing Overview.
Anti-DDoS Advanced
### Is Anti-DDoS Advanced available for non-Tencent Cloud users?
Yes. Anti-DDoS Advanced is available for any servers with access to internet, including but not limited to those in Tencent Cloud, other clouds, and customer IDCs.
Note:
ICP filing issued by the Chinese MIIT is required for all domain names connected to Anti-DDoS Advanced in the Chinese mainland.
Does Anti-DDoS Advanced support wildcard domain names?
Yes. You can use it to protect wildcard domain names by configuring website traffic forwarding rules.
Wildcard domain name resolution involves using wildcards (\\*) as secondary domain names to allow all secondary domain names to point to the same IP. For example, you can configure \\*.tencent.com.
What exactly does behavior pattern analysis refer to in Anti-DDoS Advanced security protection policy?
Behavior pattern analysis mainly includes the identification of packets with attack characteristics, packets that do not comply with the protocol specifications, abnormal connections, and so on. You can configure behavior pattern analysis based on your business needs to cope with the ever-changing attack techniques. For more information, see Protection Configurations.
Does Anti-DDoS Advanced automatically add forwarding IPs to a security group?
No. You need to manually add the forwarding IP range to a CVM security group. If you have deployed a firewall or other host security protection software on the real server, you also need to add the forwarding IP range to the allowlist to prevent business traffic from being affected by IP blocking or speed restriction.
Can I set a private IP as the real server IP in Anti-DDoS Advanced?
No. Anti-DDoS Advanced forwards traffic to the real server over the public network. Therefore, you cannot use a private IP.
What is a forwarding IP in Anti-DDoS Advanced?
After you connect your business to Anti-DDoS, the system automatically assigns multiple forwarding IPs to you. The forwarding IPs are used as the egress IPs of your Anti-DDoS instance to forward cleansed access traffic to your real server. For the real server, the egress IPs are the source IPs of business traffic.
How long does it take for a real server IP update to take effect?
Changes to the real server IP protected by Anti-DDoS Advanced take effect in seconds.
How long does it take for configuration changes in the Anti-DDoS Advanced console to take effect?
Changes to Anti-DDoS Advanced service configurations take effect in seconds.
Does Anti-DDoS Advanced support IPv6 protocol for traffic forwarding?
No.
Does Anti-DDoS Advanced support HTTPS mutual authentication?
For websites, HTTPS mutual authentication is not supported.
For non-websites using TCP, HTTPS mutual authentication is supported.
Does Anti-DDoS Advanced have packet capture files?
Currently, the new Anti-DDoS Advanced does not provide attack packet files for download.
How does Anti-DDoS Advanced deal with load balancing if multiple real server IPs are configured?
For website businesses, default round-robin load balancing is used.
For non-website businesses, weighted round-robin load balancing is used to forward traffic to real server IPs in turn.
What are the differences between L4 and L7 forwarding?
Anti-DDoS Advanced distinguishes between layer-4 and layer-7 forwarding as follows:
Layer-4 forwarding: uses the "IP + port" method, that is, "connection via port".
Layer-7 forwarding: uses the "connection via domain" method.
What is protection bandwidth in Anti-DDoS Advanced?
There are two types of protection bandwidth: base protection bandwidth and elastic protection bandwidth.
Base protection bandwidth: refers to the base protection capability of an Anti-DDoS Advanced instance. Base protection bandwidth is a prepaid monthly subscription feature.
Elastic protection bandwidth: refers to the maximum protection capability of an Anti-DDoS Advanced instance. The part that exceeds the base protection bandwidth is billed on a daily pay-as-you-go basis.
If elastic protection is not enabled for an instance, its maximum protection capability will be the base protection bandwidth.
If elastic protection is enabled for an instance, its maximum protection capability will be the elastic protection bandwidth.
When the attack traffic exceeds the maximum protection capability of an instance, IP blocking will be triggered.
How many forwarding ports and domain names are supported by a single Anti-DDoS Advanced instance?
Forwarding ports: 60 forwarding rules for TCP/UDP protocol are provided free of charge by default. Up to 500 ports can be supported.
Domain names: 60 forwarding rules for HTTP/HTTPS protocol are provided free of charge by default. Up to 500 domain names can be supported.
How many IPs can be added to the blocklist and allowlist of CC protection respectively? Do they support expansion?
You can add up to 50 IPs to the blocklist and allowlist of CC protection respectively. If you need to add more, submit a ticket.
What is business bandwidth? What will happen if its value is exceeded?
The business bandwidth purchased is for the entire Anti-DDoS Advanced instance. It refers to the incoming and outgoing normal business traffic to and from the instance.
If your business traffic exceeds the free tier, it will trigger traffic speed limit, which may result in random packet loss. If this problem persists, please upgrade the business bandwidth in time.
Note:
Tencent Cloud users who purchase Anti-DDoS Advanced and whose business is deployed in the Chinese mainland will be given 100 Mbps forwarding service bandwidth for free by default. This offer is not available for businesses deployed outside the Chinese mainland.
Does Anti-DDoS Advanced support session persistence?
Anti-DDoS Advanced supports session persistence, which is not enabled by default. For non-website businesses, you can configure this feature in the console as instructed in Configuring Session Persistence.
Does Anti-DDoS Advanced support health check?
Health check is enabled by default for non-website businesses, which is recommended. You can modify this feature as instructed in Configuring Health Check.
WS is not enabled on my real server. After I bind my business to Anti-DDoS Advanced, why is access to the real server slow?
Anti-DDoS servers have Window Scaling (WS) enabled by default. If WS is not enabled on the real server, a delay will occur when the sliding window is filled up while receiving slightly larger files. You are recommended to enable WS for your real server. For more information about WS, contact us.
Yes
No
Was this page helpful?