Alibaba's Self‑Developed High‑Performance DDoS Defense Product AliGuard: Development History, Architecture, and Capabilities
This article reviews the 2016 Dyn DDoS incident, explains why DDoS attacks remain a critical security challenge, and details Alibaba's internally built high‑performance DDoS mitigation solution AliGuard, covering its development timeline, multi‑user architecture, scalability from 40 Gbps to over 400 Gbps, and deployment models.
The article begins by recalling the massive DDoS attack on Dyn in October 2016 that crippled major US internet services such as Twitter, Spotify, Netflix, GitHub, Airbnb, and Visa, highlighting the severe economic impact of DNS‑level disruptions.
It then discusses why DDoS remains a sensitive and technically challenging problem: low entry barriers for attackers, increasing broadband capacity, proliferation of vulnerable IoT devices, and motivations ranging from profit to geopolitical conflict.
Alibaba’s response is introduced as the self‑developed high‑performance DDoS defense product AliGuard, positioned as a “golden shield” against such attacks.
The development history is outlined: in late 2012 the Alibaba Group’s technical support department formed a project team, launching the first version of AliGuard in mid‑2013 to meet the group’s growing security needs with a customized, high‑throughput solution.
Prior reliance on commercial DDoS‑cleaning appliances proved costly and limited in capacity; these devices often failed under large‑scale attacks, prompting Alibaba to build its own system.
Key reasons for building AliGuard include the slow iteration cycle of commercial products, the need for rapid, custom mitigation strategies, and the desire for cost‑effective, high‑performance hardware that can elastically scale from tens of gigabits to multiple terabits.
AliGuard leverages standard x86 servers, achieving over 100 Gbps per server and multi‑terabit capacity for a cluster, while supporting more than 30 defense strategies covering volumetric, malformed‑packet, and L7 HTTP attacks.
Figure 1 illustrates AliGuard’s basic defense model, covering major DDoS attack scenarios.
The product evolved from a single‑tenant solution for Alibaba’s e‑commerce and payment services to a multi‑tenant platform supporting thousands of customers simultaneously, especially as cloud services grew.
Customers now enjoy isolated defense policies, independent attack data, and real‑time visibility, with optional collaborative attack response features.
Figure 2 shows the cleaning model that supports diverse business scenarios.
Early deployments faced attacks exceeding 40 Gbps, surpassing the capabilities of many commercial appliances; subsequent hardware upgrades (1 G, 10 G, 40 G, 100 G NICs) and software enhancements allowed AliGuard to gracefully handle attacks of over 450 Gbps.
Over three years, AliGuard has demonstrated reliable protection for Alibaba’s global services, benefitting from the scalability of x86 servers, continuous CPU and NIC advancements, and a robust R&D pipeline.
Figure 3 depicts a typical AliGuard deployment, where clustered nodes provide elastic capacity to meet varying regional demands.
The article concludes by noting that a second part will continue the discussion of AliGuard’s features and future roadmap.
Alibaba Cloud Infrastructure
For uninterrupted computing services