edit-icon download-icon

Alibaba Cloud black hole policies

Last Updated: Apr 13, 2018

What is a black hole?

When the attack traffic to a server exceeds the black hole threshold configured for the server room, the server is thrown into a black hole to block external network access to the server. Once a server is thrown into a black hole, it become unavailable during the black hole duration. After that, the system determines that the attack traffic stops, and the black hole status is automatically lifted.

The black hole is a service that Alibaba Cloud purchases from the operator who imposes strict restrictions on the time and frequency to lift the black hole. The black hole state cannot be manually deactivated. Thus, you must patiently wait for the system to auto unban the server.

Why enact the black hole policy? Why can’t help users resist the attack for an unlimited period of time?

DDoS attacks severely impair not only victims, but also the entire cloud network. Besides, DDoS defense costs a lot, the biggest among which is the bandwidth cost.

Alibaba Cloud purchases bandwidth from ISPs. ISPs will not clean out DDoS attack traffic when calculating the bandwidth cost, but will directly charge Alibaba Cloud on the consumed bandwidth.

Alibaba Cloud Security potentially defends against DDoS attacks for Alibaba Cloud users free of charge at a limited cost, but when the attacking traffic exceeds the threshold, Alibaba Cloud will block the traffic to the IP address under attack.

What to do if the black hole threshold is not enough?

You can purchase the Anti-DDoS Pro service to easily prevent DDoS attacks and safeguard normal operation of servers.

Anti-DDoS Pro service is designed to help users defend against DDoS attacks, with clear commitment on the protection capability and defense performance.

Black hole triggering thresholds for various regions

The default black hole triggering thresholds offered by basic protection feature of Anti-DDoS Basic in various regions are as follows (Unit: bps):

Note: The triggering thresholds apply to Alibaba Cloud ECS, Server Load Balancer, VPC, and other products.

Region 1-core CPU classic-network ECS 2-core CPU classic-network ECS 4-core (or later) CPU classic-network ECS Server Load Balancer and VPC
China East 1 500M 1G 5G 5G
China East 2 500M 1G 2G 2G
China North 1 500M 1G 5G 5G
China North 2 500M 1G 2G 2G
China North 3 500M 1G 2G 2G
China North 5 500M 1G 2G 2G
China South 1 500M 1G 2G 2G
Hong Kong 500M 500M 500M 500M
US West 1 500M 1G 2G 2G
US East 1 500M 500M 500M 500M
Tokyo 500M 500M 500M 500M
Singapore 500M 500M 500M 500M
Sydney 500M 500M 500M 500M
Kuala Lumpur 500M 500M 500M 500M
Mumbai 500M 1G 1G 1G
Frankfurt 500M 500M 500M 500M
Dubai 500M 500M 500M 500M

Black hole duration

The default black hole duration is 2.5 hours and the server cannot be unbanned during this period.

The actual black hole duration depends on the attack situation and may range from 30 minutes to 24 hours.

The duration of the black hole is mainly influenced by the following factors:

  • Whether the attack persists. The black hole duration keeps extending, if the attack continues. The black hole duration is re-calculated from the time of extension.

  • Whether the attack is frequent. If a user is attacked for the first time, the black hole duration will be automatically shortened. On the contrary, the black hole duration for a user under frequent attacks will be automatically extended as the user is more likely to be attacked again.

Note: For users suffering overly frequent black holes, Alibaba Cloud reserves the right to extend the black hole duration and reduce the black hole threshold. You can go to the console to view the specific black hole threshold and duration.

Thank you! We've received your feedback.