There should be an option to specify to the certbot client which IPs he should use.
ATM there's a problem where the network 47.0.0.0/8 from Alibaba is completely compromised, and there are some IPs that came from this network.
With iptables I can block 47.0.0.0/8 but now certbot fails.
I'm not sure I follow. You're talking about Certbot, but also "IP's he should use". What "IP's" do you mean? Because Certbot is an ACME client and cannot and does not control which IP addresses the challenges are sent from. That's done on the ACME server side and the ACME client cannot influence that.
Also, I'm pretty sure Let's Encrypt (if that's the ACME CA you're using that is.. I assume you do, otherwise you probably wouldn't have come here) does not use any Alibaba IP address to send their challenges from.
TL;DR: I don't completely follow, can you elaborate and clarify more?
To be clear, (as far as I know) this also includes a change of provider, e.g. a non-AWS hosting provider for the secondary validation servers, if and when Let's Encrypt deems that to be necessary. Not just the IP addresses used at the current AWS vantage points.