Blackhole filtering blocks all Internet traffic to an IP address in an Internet service provider (ISP) backbone network. If an asset with a public IP address suffers DDoS attacks whose volume exceeds the mitigation capability provided for the asset, blackhole filtering is triggered to protect the asset, and the other assets that share the network, against further attacks. This topic describes the blackhole filtering policy of Alibaba Cloud and how to handle and prevent blackhole filtering.

What is blackhole filtering?

If an asset with a public IP address suffers volumetric DDoS attacks and the peak attack bandwidth exceeds the mitigation capability provided for the asset, blackhole filtering is triggered on the IP address. The peak attack bandwidth is measured in bit/s.

If blackhole filtering is triggered, all inbound Internet traffic that is destined for the IP address is temporarily blocked. The IP address cannot be accessed over the Internet. Blackhole filtering protects the asset against further attacks and prevents other assets from being affected by the attacked IP address. During blackhole filtering, Alibaba Cloud continuously monitors the status of DDoS attacks. A period of time after the DDoS attacks stop, Alibaba Cloud automatically deactivates blackhole filtering for the asset. Then, the asset can be accessed over the Internet. You can manually deactivate blackhole filtering before the DDoS attacks stop.

Why is blackhole filtering required?

If an asset with a public IP address suffers DDoS attacks, the attack traffic exhausts the resources of the attacked asset and can affect other assets that share the same network. Blackhole filtering drops all traffic that is destined for the attacked IP address, so that both the asset and its neighbors are protected against further attacks.

What do I do if blackhole filtering is triggered?

If blackhole filtering is triggered on your asset, the mitigation capability provided for the asset is not sufficient for the current DDoS attacks. We recommend that you use one of the following methods to resolve this issue:
  • (Recommended) Improve the DDoS mitigation capability for your asset

    You can purchase an Anti-DDoS instance to improve the traffic scrubbing capability and deploy the Anti-DDoS instance at the edge of the Alibaba Cloud network to protect your asset. The Alibaba Cloud network is the networking infrastructure of Alibaba Cloud. For more information, see How do I prevent blackhole filtering from being triggered?.

  • Wait for automatic deactivation of blackhole filtering

    Alibaba Cloud monitors the status of DDoS attacks on your asset and automatically deactivates blackhole filtering a period of time after the DDoS attacks stop. Then, the asset can be accessed over the Internet. By default, this period is 2.5 hours. In practice, it ranges from 30 minutes to 24 hours, depending on how frequently your asset is attacked.

    You can view the time when blackhole filtering is automatically deactivated for your asset, such as an Elastic Compute Service (ECS) instance, a Server Load Balancer (SLB) instance, or an elastic IP address (EIP), on the Assets page of the Traffic Security console. For more information, see View the duration of blackhole filtering.
  • Manually deactivate blackhole filtering

    If you want to recover your service during blackhole filtering, you can manually deactivate blackhole filtering. Manual deactivation restores Internet access for a specific period of time so that you can deploy a mitigation plan; it does not mitigate the DDoS attacks themselves. If the attacks do not stop, blackhole filtering may be triggered again after you deactivate it.

    The following list describes the methods to deactivate blackhole filtering in different Anti-DDoS services, together with the limits that apply.

    Anti-DDoS Origin Basic (no Anti-DDoS instance purchased)
      Manual deactivation: On the Overview page of the Traffic Security console, click Handle Now in the Real-time Attack Detection section to deactivate blackhole filtering for the attacked IP addresses.
      Note: If blackhole filtering is triggered on your ECS instance, you can also change the public IP address of the ECS instance, or resolve the domain name of your website service to an SLB instance. For more information, see Change the public IP address of an ECS instance.
      Limit: Blackhole filtering can be deactivated only a specific number of times per month. The number is displayed in the Handle Now panel.

    Anti-DDoS Origin Enterprise
      Manual deactivation:
      • In the Traffic Security console, choose Network Security > Anti-DDoS Origin > Manage Instances. On the page that appears, find the attacked IP address and click Deactivate Black Hole in the Actions column. The IP address must be protected by an Anti-DDoS Origin Enterprise instance. For more information, see Deactivate blackhole filtering.
      • Call the DeleteBlackhole operation of the Anti-DDoS Origin API. For more information, see Make API requests.
      Limit: Blackhole filtering can be deactivated only a specific number of times per month. The number is greater than or equal to the number of IP addresses that the instance can protect.

    Anti-DDoS Pro
      Manual deactivation:
      • In the Anti-DDoS Pro console, choose Mitigation Settings > General Policies. On the Protection for Infrastructure tab, use the Deactivate Blackhole Status feature. For more information, see Deactivate blackhole filtering.
      • Call the ModifyBlackholeStatus operation of the Anti-DDoS Pro API. For more information, see Make API requests.
      Limits:
      • After blackhole filtering is triggered, you must wait at least 2 minutes before you can deactivate it.
      • Blackhole filtering can be deactivated up to five times per day.

    Anti-DDoS Premium
      Manual deactivation: Not supported. You cannot manually deactivate blackhole filtering for an asset that is protected by an Anti-DDoS Premium instance.
      Limit: None.
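
    The two API routes above (DeleteBlackhole on the Anti-DDoS Origin API and ModifyBlackholeStatus on the Anti-DDoS Pro API) are plain RPC-style calls, and "Make API requests" comes down to assembling the common parameters and computing the HMAC-SHA1 request signature. The following is an added example, written for this page rather than taken from Alibaba Cloud's SDKs, that builds a signed request for each operation with the standard RPC signing rules (sorted, percent-encoded parameters; StringToSign = method & "%2F" & encoded query; Base64(HMAC-SHA1(secret + "&", StringToSign))). The endpoints, API versions, and the action parameter names (InstanceId, Ip, BlackholeStatus=undo) are assumptions to be checked against the API reference, the credentials and instance IDs are constructed, and nothing is sent over the network: the block only returns the signed parameters and the URL.

```python
import base64
import hashlib
import hmac
import uuid
from datetime import datetime, timezone
from urllib.parse import quote

# Endpoints and API versions for the two products (assumed; confirm in the API reference).
DDOSBGP_HOST = "ddosbgp.aliyuncs.com"              # Anti-DDoS Origin
DDOSBGP_VERSION = "2018-07-20"
DDOSCOO_HOST = "ddoscoo.cn-hangzhou.aliyuncs.com"  # Anti-DDoS Pro
DDOSCOO_VERSION = "2020-01-01"


def percent_encode(value) -> str:
    """RFC 3986 encoding as the RPC signing rules require: only A-Z a-z 0-9 - _ . ~
    stay literal, everything else (including '/', '*' and space) becomes %XX."""
    return quote(str(value), safe="-_.~")


def canonical_query(params: dict) -> str:
    """Parameters sorted by name in byte order, each name and value percent-encoded."""
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))


def string_to_sign(method: str, params: dict) -> str:
    """HTTPMethod & percentEncode("/") & percentEncode(canonicalized query string)."""
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical_query(params))}"


def sign(access_key_secret: str, sts: str) -> str:
    """Base64(HMAC-SHA1(AccessKeySecret + "&", StringToSign))."""
    key = (access_key_secret + "&").encode("utf-8")
    digest = hmac.new(key, sts.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def signed_params(access_key_id, access_key_secret, version, action, action_params,
                  method="GET", timestamp=None, nonce=None) -> dict:
    """Assemble the common RPC parameters, add the action-specific ones, then sign.
    timestamp and nonce are injectable so that a request can be reproduced in tests."""
    params = {
        "Format": "JSON",
        "Version": version,
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),  # must be unique per request (replay protection)
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Action": action,
    }
    params.update(action_params)
    params["Signature"] = sign(access_key_secret, string_to_sign(method, params))
    return params


def request_url(host: str, params: dict) -> str:
    """Final GET URL; the Signature value is percent-encoded like every other parameter."""
    return f"https://{host}/?{canonical_query(params)}"


def deactivate_blackhole_origin(access_key_id, access_key_secret, instance_id, ip, **kw) -> dict:
    """DeleteBlackhole on the Anti-DDoS Origin API for one protected IP address.
    The parameter names InstanceId and Ip are assumed from the API reference."""
    return signed_params(access_key_id, access_key_secret, DDOSBGP_VERSION, "DeleteBlackhole",
                         {"InstanceId": instance_id, "Ip": ip}, **kw)


def deactivate_blackhole_pro(access_key_id, access_key_secret, instance_id, **kw) -> dict:
    """ModifyBlackholeStatus on the Anti-DDoS Pro API.
    BlackholeStatus=undo is assumed to be the value that deactivates blackhole filtering."""
    return signed_params(access_key_id, access_key_secret, DDOSCOO_VERSION, "ModifyBlackholeStatus",
                         {"InstanceId": instance_id, "BlackholeStatus": "undo"}, **kw)


if __name__ == "__main__":
    # Constructed credentials and instance ID; the URL is printed, not requested.
    p = deactivate_blackhole_pro("AKID", "SECRET", "INST1",
                                 timestamp="2024-01-01T00:00:00Z", nonce="nonce1")
    print(request_url(DDOSCOO_HOST, p))
```

    Two practical points when you automate this: the AccessKey pair should belong to a RAM user that is granted only the Anti-DDoS permissions the script needs, and the script must not retry deactivation in a loop, because the Pro quota is five deactivations per day with a 2-minute wait after triggering, and an attack that is still running will simply trigger blackhole filtering again.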

How do I prevent blackhole filtering from being triggered?

If the peak attack bandwidth of the DDoS attacks exceeds the mitigation capability provided for your asset, blackhole filtering is triggered. The higher the mitigation capability, the less likely blackhole filtering is to be triggered. To prevent blackhole filtering, you must raise the mitigation capability (the blackhole filtering threshold) for your asset.

You can use one of the following methods to improve the mitigation capability for your asset:
  • Use Anti-DDoS Origin Basic free of charge

    Anti-DDoS Origin Basic provides a basic mitigation capability of up to 5 Gbit/s against DDoS attacks free of charge for Alibaba Cloud assets that have public IP addresses. The basic mitigation capability varies based on the specifications of the assets and the regions to which the assets belong. For more information, see View black hole triggering thresholds in Anti-DDoS Origin Basic.

    Alibaba Cloud can also raise your blackhole filtering threshold based on your security credit score, which is calculated by the Security Credibility feature. The score is not fixed: Security Credibility recalculates it from multiple factors, and the threshold is adjusted as the score changes. You can improve the score, and with it the free mitigation capability, by controlling the exposure of your asset.

    Security Credibility raises the mitigation capability against the first DDoS attack for users whose security credit score qualifies. It does not guarantee a fixed mitigation capability. For more information, see Security Credibility.

  • Deploy an Anti-DDoS instance of a paid edition
    • Purchase an Anti-DDoS Origin Enterprise instance to enable unlimited mitigation without the need to change your service IP address.
    • Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance and switch your service traffic to the IP address of the instance. This way, you obtain a mitigation capability of up to Tbit/s. Anti-DDoS Pro and Anti-DDoS Premium guarantee a committed mitigation capability and defense effect.

    For more information about scenario-specific anti-DDoS solutions, see Scenario-specific anti-DDoS solutions.

Can I use ACLs to mitigate DDoS attacks and prevent blackhole filtering from being triggered?

No, you cannot use access control lists (ACLs) to mitigate DDoS attacks or prevent blackhole filtering from being triggered. An ACL is evaluated only after the traffic has already reached the edge of the Alibaba Cloud network in which your server resides, which means the attack traffic has already consumed the link bandwidth into that network before any ACL rule can drop a packet. A volumetric attack launched from multiple botnets saturates that link, so the volume far exceeds what an ACL can usefully filter. To mitigate such attacks, mitigation must be applied upstream, at the edge of the ISP backbone network, before the traffic converges on your server.

Attack traffic can be scrubbed only where there is enough network bandwidth to absorb it and traffic analysis and filtering can be applied. If you expanded the bandwidth of your own server to match the attack bandwidth and deployed your own scrubbing center, the costs of the bandwidth and of the scrubbing servers would be excessively high, and if every user did so, the overall mitigation cost would rise significantly.

A shared scrubbing service is therefore the cost-effective option. Cloud service providers offer large network bandwidths and deploy scrubbing centers at their ISP backbone networks, where DDoS attacks are scrubbed in the scrubbing center closest to the location from which the attacks are launched. The providers sell these capabilities as Software-as-a-Service (SaaS) anti-DDoS services, so the scrubbing centers are reused across many users and the cost for each user is reduced.