If a high-volume DDoS attack targets an Alibaba Cloud product and its peak bandwidth exceeds the product's DDoS mitigation capability, Alibaba Cloud triggers its blackhole filtering policy. This policy temporarily blocks all internet traffic to the product to prevent further damage and stop the attack from affecting other assets. As a result, normal network communication is disrupted. This topic describes how to prevent and respond to blackhole filtering.
Basic DDoS mitigation capability
By default, some Alibaba Cloud assets that are assigned public IP addresses include a free basic DDoS mitigation capability of 500 Mbps to 5 Gbps. The specific mitigation capability depends on the asset's region and specifications. For more information, see Thresholds that trigger blackhole filtering in Anti-DDoS Basic and Set traffic scrubbing thresholds.
If your normal service traffic (in bps) exceeds the blackhole triggering threshold, you must promptly upgrade your asset specifications. Otherwise, your service traffic may be identified as an attack and trigger blackhole filtering.
The higher an asset's DDoS mitigation capability, the lower the risk of a DDoS attack triggering blackhole filtering. Therefore, the most effective way to prevent blackhole filtering is to increase the asset's DDoS mitigation capability, which raises its blackhole triggering threshold.
View asset status, traffic, and attack IPs
Log on to the Traffic Security console.
View the asset status.
In the upper-left corner of the Assets page, select the region of the asset that has a public IP address, and then click the corresponding asset tab.
In the asset list, verify that the IP Status is Black Hole Activated.
View the asset's traffic and attack IPs.
On the Event Center page, you can view blackhole filtering or scrubbing events. You can also click View Details to view the inbound traffic in bps and pps.
In the upper-right corner of the page, click Download. You can use a tool such as Wireshark to open the downloaded packet capture and view the attacking IP addresses.
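As an alternative to reading the capture by eye in Wireshark, the following added example (not part of the original documentation or of any Alibaba Cloud tool) tallies source IPv4 addresses by packets and bytes. It assumes the downloaded file is a classic pcap with Ethernet framing; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

LITTLE = (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")  # usec / nsec magic, little-endian
BIG = (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d")     # usec / nsec magic, big-endian

def top_sources(pcap_bytes, n=10):
    """Return [(src_ip, packets, bytes)] for IPv4 frames, busiest by bytes first."""
    magic = pcap_bytes[:4]
    if magic in LITTLE:
        endian = "<"
    elif magic in BIG:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown format)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    packets, octets = Counter(), Counter()
    offset = 24                                   # skip the 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, orig_len = struct.unpack(
            endian + "IIII", pcap_bytes[offset:offset + 16])
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                              # truncated, VLAN-tagged or not IPv4
        src = ".".join(str(b) for b in frame[26:30])
        packets[src] += 1
        octets[src] += orig_len                   # on-the-wire size, not captured size
    return [(ip, packets[ip], octets[ip]) for ip, _ in octets.most_common(n)]

def _frame(src, size, ethertype=b"\x08\x00"):
    """Constructed Ethernet frame of `size` bytes with `src` in the IPv4 source field."""
    ip = bytes(int(p) for p in src.split("."))
    hdr = b"\x00" * 12 + ethertype + b"\x45" + b"\x00" * 11 + ip + bytes([203, 0, 113, 10])
    return hdr + b"\x00" * (size - len(hdr))

def build_sample():
    """Constructed capture: three sources from documentation ranges plus one ARP frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [_frame("198.51.100.7", 1400), _frame("198.51.100.7", 1400),
              _frame("192.0.2.33", 60), _frame("198.51.100.9", 900),
              _frame("0.0.0.0", 60, ethertype=b"\x08\x06")]
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for ip, pkts, size in top_sources(build_sample()):
        print(f"{ip:15} packets={pkts} bytes={size}")
```

Source addresses in UDP floods can be spoofed or belong to reflectors, so treat the tally as input for filtering decisions rather than as attribution.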
Estimate the automatic deactivation time for blackhole filtering
The default blackhole filtering duration is 2.5 hours. The actual duration can vary from 30 minutes to 24 hours and may be longer in rare cases, depending on the attack frequency. The automatic deactivation time is mainly affected by the following factors:
Attack persistence: If an attack persists, the blackhole duration is extended. The countdown for the blackhole duration restarts from the moment of the extension.
Attack frequency: If an asset is attacked for the first time, the blackhole duration is automatically shortened. Conversely, for frequently attacked assets, the probability of sustained attacks is higher, and the blackhole duration is extended.
For assets that experience excessively frequent blackhole filtering, Alibaba Cloud reserves the right to extend the blackhole duration and lower the blackhole triggering threshold. The specific deactivation time is provided in the security event notification.
View the time of the last attack on the asset.
Log on to the Traffic Security console. On the Event Center page, find the asset with a public IP address and view the time of the last attack.
Note: If an asset is subjected to multiple DDoS attacks, the blackhole duration is calculated from the end of the last DDoS attack.
View the current blackhole filtering duration.
On the Assets page, the Blackhole Filtering Deactivation Time shows the total duration of blackhole filtering.

Estimate the automatic deactivation time.
For example, if the last attack occurred at 12:30 and the Blackhole Filtering Deactivation Time is 150 minutes, blackhole filtering is expected to be deactivated at 15:00.
Note: This is only an estimated time. If the asset's public IP address continues to be attacked, the blackhole duration may be extended.
How to deactivate blackhole filtering
During blackhole filtering, Alibaba Cloud continuously monitors the DDoS attack status. After the attack ends, blackhole filtering is automatically deactivated for the asset after a specified period, and its internet access is restored. To restore your service urgently during blackhole filtering, you can purchase a commercial Anti-DDoS product. This lets you manually deactivate blackhole filtering.
Commercial Anti-DDoS product not purchased
Manual deactivation is not supported. You must wait for the blackhole filtering duration to expire before the service is automatically restored. To urgently restore your service or log on to the server to retrieve files, see How to quickly restore services for an ECS instance after it enters blackhole filtering.
Frequently changing or releasing attacked cloud assets, such as ECS instances, EIPs, SLB instances, or simple application servers, can negatively impact other tenants and may trigger platform-level restrictions.
After you change an asset's public IP address or move the service to a different server, attackers can still discover the new IP address using methods such as pinging a domain name, and then launch another attack. To resolve the underlying issue, purchase Anti-DDoS Origin or Anti-DDoS Pro and Anti-DDoS Premium.
Commercial Anti-DDoS product purchased
You can wait for the blackhole filtering duration to expire for automatic deactivation, or you can manually deactivate it. Manual deactivation does not defend against DDoS attacks. It only provides a window of time to deploy a defense plan. If the DDoS attack has not ended after manual deactivation, the asset may be attacked and enter blackhole filtering again.
Commercial Anti-DDoS product | Manual deactivation method | Description |
Anti-DDoS Origin | | The number of available manual deactivations per month is limited. The limit is typically equal to or greater than the number of protected IP addresses specified in your plan. |
Anti-DDoS Pro and Anti-DDoS Premium (the Chinese mainland) | | |
Anti-DDoS Pro and Anti-DDoS Premium (outside the Chinese mainland) | Manual deactivation is not required. | Unlike instances in the Chinese mainland that have a fixed protection bandwidth, instances outside the Chinese mainland provide unlimited advanced mitigation. Therefore, manual deactivation is typically not required. |
How to select an Anti-DDoS product
Anti-DDoS Origin: Anti-DDoS Origin is a security product that enhances the DDoS mitigation capabilities of other Alibaba Cloud products. It is easy to deploy and does not require changes to your network architecture. It has no limits on the number of Layer 4 ports or Layer 7 domain names. To protect a cloud product, you only need to attach its IP address to an Anti-DDoS Origin instance.
Anti-DDoS Pro and Anti-DDoS Premium: Anti-DDoS Pro and Anti-DDoS Premium is a proxy-based service that defends against volumetric and resource exhaustion DDoS attacks. It can protect servers on Alibaba Cloud, in other clouds, or in on-premises data centers. After you add your service to Anti-DDoS Pro or Anti-DDoS Premium, traffic is rerouted to anti-DDoS scrubbing centers through DNS resolution. The scrubbing centers filter out attack traffic and forward only clean traffic to your origin server.
For more information about product selection and billing, see How to select an Anti-DDoS product, Billing of Anti-DDoS Origin, and Billing of Anti-DDoS Pro and Anti-DDoS Premium.