To ensure business continuity, you need a way to restore service by deactivating a black hole that is applied to the IP address of a protection target. A black hole may still be activated if the protection target is hit by a sudden, high-volume DDoS attack. Anti-DDoS Origin Enterprise supports automatic deactivation of black holes for this case.

Prerequisites

The solution applies only to Anti-DDoS Origin Enterprise instances, because you must call an Anti-DDoS Origin API operation to complete auto-deactivation. Before implementing the solution, make sure that the IP address of the required protection target is added to an Anti-DDoS Origin Enterprise instance. For more information, see Add a protection target.

Background information

Anti-DDoS Origin allows you to deactivate black holes manually or automatically. However, manual deactivation may result in delays and unexpected errors. For more information, see Deactivate a black hole. If your business requires a high level of stability and continuity, you can use the following method to set up automated responses and deactivation for black holes.
  1. Create an alarm rule in the CloudMonitor console to monitor the blackhole events of an Anti-DDoS Origin Enterprise instance.
    Note: CloudMonitor sends messages only when blackhole events occur on protected IP addresses. You must add the IP addresses that you want to protect to the instance as protection targets.
  2. Create an alarm rule and specify an action of calling the DeleteBlackhole API operation of Anti-DDoS Origin to deactivate the black holes.

The same method also lets you automatically call an API operation of Alibaba Cloud DNS. The operation changes the DNS records for a domain that is under DDoS attack and associates the domain name with the IP address of an Anti-DDoS Pro instance.

Procedure

  1. Log on to the CloudMonitor console.
  2. In the left-side navigation pane, choose Alarms > Alarm Rules.
  3. On the Alarm Rules page, select the Event Alarm tab.
  4. Click Create Event Alert to create a rule for blackholing events.
    • In the Product Type field, select Anti-DDoS Advanced.
    • In the Event Name field, select ddosbgp_event_blackhole.
  5. In the event alarm, select alarm types based on your business requirements and click OK.
    CloudMonitor supports the following alarm types:
    • MNS queue
    • Function Compute
    • URL callback
    • Log Service
    After you create the event alarm, the alarm automatically triggers a response to any blackhole events. Then, CloudMonitor sends an alarm message to the target that you specified in the Alarm Type section. The following shows a sample alarm message.

    Sample alarm message

    {
        "action": "add", // The action. The value of add indicates that an event begins, and the value of del indicates that an event ends.
        "bps": 0, // The throughput of a DDoS attack. Unit: Mbit/s.
        "pps": 0, // The packet forwarding rate of a DDoS attack. Unit: packets per second (PPS).
        "instanceId": "ddosbgp-cn-78v17******", // The ID of an Anti-DDoS Origin instance.
        "ip": "47.*.*.*", // The IP address to which a black hole is applied.
        "regionId": "cn-hangzhou", // The ID of a region where the Anti-DDoS Origin instance resides.
        "time": 1564104493000, // The time when the event begins. Unit: milliseconds.
        "type": "blackhole" // The event type. The value of defense indicates a cleaning event, and the value of blackhole indicates a blackholing event.
    }
  6. Specify an alarm action that calls the DeleteBlackhole API operation to deactivate black holes.
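
One way to write the handler behind step 6 (for example, as a Function Compute target), shown as an added example that is not part of the original documentation: it validates the alarm message before anything calls DeleteBlackhole. The allow-list, the freshness window, the injected `delete_blackhole` callable and the request parameter names are assumptions.

```python
import ipaddress
import json

# Assumptions, not from the page: the allow-list contents, the 10-minute
# freshness window, and the DeleteBlackhole parameter names (check them
# against the API reference before wiring in a real SDK call).
PROTECTED = {"ddosbgp-example-0001": {"203.0.113.10", "203.0.113.11"}}
MAX_AGE_MS = 10 * 60 * 1000

# Constructed sample with the same fields as the alarm message shown above.
SAMPLE = json.dumps({
    "action": "add", "bps": 0, "pps": 0,
    "instanceId": "ddosbgp-example-0001", "ip": "203.0.113.10",
    "regionId": "cn-hangzhou", "time": 1564104493000, "type": "blackhole",
})


def plan_deactivation(raw, now_ms, protected=PROTECTED):
    """Return (params, "ok") for an event worth acting on, else (None, reason)."""
    try:
        evt = json.loads(raw)
    except (TypeError, ValueError):
        return None, "not valid JSON"
    if not isinstance(evt, dict) or evt.get("type") != "blackhole":
        return None, "not a blackholing event"
    if evt.get("action") != "add":
        return None, "event does not mark the start of a black hole"
    instance, ip, ts = evt.get("instanceId"), evt.get("ip"), evt.get("time")
    if not isinstance(instance, str) or not isinstance(ip, str):
        return None, "missing instanceId or ip"
    try:
        ip = str(ipaddress.ip_address(ip))
    except ValueError:
        return None, "malformed ip"
    if ip not in protected.get(instance, ()):
        return None, "ip is not a known protection target"
    if type(ts) is not int or not 0 <= now_ms - ts <= MAX_AGE_MS:
        return None, "stale or missing timestamp"
    return {"InstanceId": instance, "Ip": ip, "RegionId": evt.get("regionId")}, "ok"


def handle_alarm(raw, now_ms, delete_blackhole, protected=PROTECTED):
    """Invoke the injected DeleteBlackhole wrapper only for validated events."""
    params, reason = plan_deactivation(raw, now_ms, protected)
    if params is not None:
        delete_blackhole(**params)
    return {"called": params is not None, "reason": reason}
```

Rejected messages are returned with a reason rather than raised, so the function can log them and still acknowledge the callback.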