Smart Intelligent Defense and Big Data Capabilities in Alibaba's Self‑Developed High‑Performance Anti‑Attack Product
The article describes Alibaba's smart defense model that uses real‑time traffic analysis and big‑data insights to automatically adjust DDoS mitigation strategies, outlines the system's capabilities such as attacker identification and traffic quantification, and discusses future challenges in handling increasingly complex and large‑scale attacks.
Continuing from the previous sections on background and the development history of Alibaba's self‑developed high‑performance anti‑attack product, this part focuses on the final stage of its evolution and the challenges ahead.
4. Intelligent Defense and Big Data Capability
Alibaba Group faces thousands of DDoS attacks daily, with traffic ranging from tens of megabits to several hundred gigabits and varying durations. Most attacks end within an hour, but attackers often change tactics during an attack, making a single static cleaning template insufficient and risking collateral damage to legitimate traffic.
To address this, we introduced the concept of Smart Intelligent Defense. In simple terms, when attackers continuously switch methods, the system performs real‑time traffic analysis, identifies the current attack type, and adjusts defense policies within seconds. Figure 4 shows a basic smart defense model, consisting of three roles: analyzing attack information, determining the attack type, and dynamically updating defense strategies to maintain cleaning effectiveness while reducing manual effort.
After adopting the smart defense model, we not only enhanced large‑scale attack resistance but also gained richer, real‑time information:
Who is attacking us?
How large is the attack traffic?
What are the target addresses or domain names?
What techniques are hackers using throughout the attack?
We record botnet information and attack volume in real time, while simultaneously logging target domains and IPs, providing strong data support for the smart model. The accumulated daily data forms an invisible network that serves as valuable evidence for future attack attribution and investigation.
Figure 4: Basic Model of Smart Intelligent Defense
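The three roles of the model, together with the real‑time recording of attacker, volume and target described above, can be sketched as follows. This is an added example, not Alibaba's code: the policy names, thresholds, record fields and sample traffic are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
# Hypothetical policy names: the article does not name its cleaning templates.
POLICY = {"none": "pass-through", "syn_flood": "syn-cookie-challenge",
          "udp_reflection": "drop-udp-from-reflector-ports", "mixed": "generic-rate-limit"}
REFLECTOR_PORTS = {53, 123, 1900}  # DNS, NTP, SSDP source ports
BASELINE_PPS = 1000                # assumed normal packets/second for the target
DOMINANT = 0.6                     # assumed share needed to name a single vector

def classify(window):
    """Roles 1 and 2: analyze one second of flow records, name the attack type."""
    total = sum(r["pkts"] for r in window)
    if total <= BASELINE_PPS:
        return "none"
    share = Counter()
    for r in window:
        if r["proto"] == "tcp" and r["flags"] == "S":
            share["syn_flood"] += r["pkts"]
        elif r["proto"] == "udp" and r["sport"] in REFLECTOR_PORTS:
            share["udp_reflection"] += r["pkts"]
    kind, pkts = share.most_common(1)[0] if share else ("mixed", 0)
    return kind if pkts / total >= DOMINANT else "mixed"

def run(records):
    """Role 3: switch policy when the type changes; log who, what and how much."""
    by_sec = defaultdict(list)
    for r in records:
        by_sec[r["ts"]].append(r)
    active, timeline = "none", []
    for ts in sorted(by_sec):
        window = by_sec[ts]
        kind = classify(window)
        if kind == active:
            continue
        sources = Counter()
        for r in window:
            sources[r["src"]] += r["pkts"]
        timeline.append(dict(ts=ts, type=kind, policy=POLICY[kind], target=window[0]["dst"],
                             pps=sum(sources.values()), top_source=sources.most_common(1)[0][0]))
        active = kind
    return timeline

def rec(ts, src, pkts, proto="tcp", sport=40000, flags="PA"):
    return dict(ts=ts, src=src, dst="203.0.113.10", proto=proto, sport=sport, flags=flags, pkts=pkts)

# Constructed sample: normal, SYN flood, switch to NTP reflection, normal again.
SAMPLE = [rec(0, "192.0.2.20", 500), rec(1, "192.0.2.20", 500),
          rec(1, "198.51.100.7", 50000, flags="S"), rec(2, "198.51.100.7", 60000, flags="S"),
          rec(3, "198.51.100.9", 80000, "udp", 123, ""), rec(3, "192.0.2.20", 500),
          rec(4, "192.0.2.20", 400)]
```

Calling `run(SAMPLE)` yields one timeline entry per policy switch. A production system would add hysteresis before dropping back to pass-through so that a single quiet second does not disable cleaning mid-attack.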
Future Challenges
Attackers continuously study and attempt to bypass our defense strategies, so challenges are perpetual.
To cope with increasingly complex attack types, we continuously iterate basic protection policies, leverage high‑performance deep packet inspection (DPI) to expose malicious techniques, and introduce higher‑performance protocol stacks to improve cleaning capabilities across layers 4‑7.
To handle larger‑scale attacks, we not only expand bandwidth but also explore complementary measures such as terminating illegal traffic at the source. Deploying cleaning capabilities close to attack origins and adopting new network cards or programmable chips, such as the Barefoot Tofino chip (6.5 Tbps processing), in which Alibaba invested in November 2016, opens up vast possibilities for customized, high‑performance defense.
Alibaba Cloud Infrastructure
For uninterrupted computing services