Anti-DDoS: Alibaba Cloud blackhole policy

Last Updated: May 29, 2026

When a DDoS attack exceeds an Alibaba Cloud asset's mitigation capacity, Alibaba Cloud activates a blackhole to temporarily block all internet traffic to the asset, preventing further damage but interrupting normal communication. Learn how to prevent and handle blackholes.

Basic DDoS Protection capacity

Certain Alibaba Cloud public IP assets include free Basic DDoS Protection, with capacities ranging from 500 Mbps to 5 Gbps. The specific protection capacity depends on the asset's region and specifications. For more information, see Cloud service specifications and scrubbing thresholds and Configure traffic scrubbing thresholds.

Important

If your normal service traffic (bps) exceeds the blackhole threshold, upgrade your asset's specifications. Otherwise, your traffic may be flagged as anomalous and trigger a blackhole.

Higher DDoS protection capacity reduces blackhole risk. The most effective prevention is to increase your asset's protection capacity, which also raises the blackhole threshold.

View asset status, traffic, and attack IPs

  1. Log on to the Traffic Security console.

  2. View the status of your asset.

    1. In the upper-left corner of the Assets page, select the region where your public IP asset is located, and then click the corresponding asset tab.

    2. In the asset list, check if the IP Status is Blackholed.

  3. View the asset's traffic and attack IPs.

    1. On the Event Center page, view blackhole or traffic scrubbing events. You can also click View Details to see the inbound traffic rate in bps and packets per second (pps).

    2. In the upper-right corner of the page, click Download. Use a tool such as Wireshark to open the downloaded packet capture and view the attack IPs.
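
The capture downloaded in the last step can also be summarized with a script instead of being read by hand. The added example below (not Alibaba Cloud code) tallies IPv4 source addresses by packet count; it assumes the download is a classic libpcap file with untagged Ethernet framing, which the page does not specify, and runs on a constructed sample capture.

```python
import struct
from collections import Counter

def top_sources(pcap_bytes, n=10):
    """Return [(src_ip, packets, bytes)] for IPv4 frames, busiest source first."""
    magic = pcap_bytes[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (convert pcapng first)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (link type 1) are handled")
    packets, octets = Counter(), Counter()
    off = 24  # first record follows the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl_len, orig_len = struct.unpack(endian + "II", pcap_bytes[off + 8:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Skip truncated frames and anything that is not untagged IPv4.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        src = ".".join(str(b) for b in frame[26:30])  # IPv4 source address
        packets[src] += 1
        octets[src] += orig_len  # on-the-wire size, even if the capture cut it
    return [(ip, count, octets[ip]) for ip, count in packets.most_common(n)]

def _frame(src, size):
    """Constructed Ethernet+IPv4 frame holding only the fields parsed above."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = b"\x45" + b"\x00" * 11 + bytes(map(int, src.split("."))) + bytes([198, 51, 100, 10])
    return (eth + ip).ljust(size, b"\x00")

def build_sample():
    """Constructed capture: three small frames from one source, one large from another."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, size in [("203.0.113.7", 60)] * 3 + [("192.0.2.44", 1500)]:
        frame = _frame(src, size)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for ip, count, size in top_sources(build_sample()):
        print(f"{ip:15} packets={count} bytes={size}")
```

Source addresses in a flood can be spoofed or belong to reflectors, so treat the ranking as triage input for filtering rules rather than as attribution.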

Automatic blackhole removal

By default, a blackhole is removed after 2.5 hours. The actual duration ranges from 30 minutes to 24 hours (or longer in rare cases), depending on attack frequency. Key factors:

  • Attack continuity: If the attack persists, the blackhole duration extends. The removal timer restarts from each extension.

  • Attack frequency: First-time attacks trigger shorter blackhole durations. Frequently attacked assets are considered high-risk and receive longer durations.

Note

For frequently blackholed assets, Alibaba Cloud may extend the blackhole duration and lower the threshold. The actual removal time appears in the security event notification.

Remove a blackhole

Alibaba Cloud continuously monitors the attack during a blackhole. After the attack subsides, the blackhole is automatically removed and internet access is restored. To restore service urgently, purchase a commercial DDoS protection product to manually remove the blackhole.

Without a commercial DDoS protection product

Manual removal is not supported. Wait for the blackhole to expire for automatic restoration. To urgently restore service or access server files, see How to quickly restore services after an ECS instance is blackholed.

Warning
  • Frequently changing or releasing public IPs of attacked assets (ECS, EIP, SLB, or Simple Application Server) can affect other tenants and lead to platform-level restrictions.

  • After you change an asset's public IP or move your service to a new server, attackers can still discover the new IP through methods such as pinging your domain. To resolve the root cause, purchase Anti-DDoS Native or Anti-DDoS Proxy.

With a commercial DDoS protection product

You can wait for automatic removal or remove the blackhole manually. Manual removal does not stop the attack — it only buys time to deploy a defense plan. If the attack continues after manual removal, the asset may be blackholed again.

Manual removal method and description, by DDoS protection product:

  • Anti-DDoS Native: Manual removals are limited each month, typically no fewer than the number of protected IPs in your plan.

  • Anti-DDoS Proxy (Chinese Mainland):

    • You can remove the blackhole only after the asset has been blackholed for at least 2 minutes.

    • You can manually remove a blackhole up to five times per day.

  • Anti-DDoS Proxy (Outside Chinese Mainland): Manual removal is not required. Unlike Anti-DDoS Proxy (Chinese Mainland) instances, which have fixed protection bandwidth, Anti-DDoS Proxy (Outside Chinese Mainland) provides elastic protection with no upper limit, so manual removal is typically unnecessary.

Select a DDoS protection product

  • Anti-DDoS Native: Directly enhances DDoS mitigation for your Alibaba Cloud assets. Requires no network architecture changes and imposes no limits on Layer 4 ports or Layer 7 domains. Associate your asset's IP with an Anti-DDoS Native instance to enable protection.

  • Anti-DDoS Proxy: A proxy-based service that defends against volumetric and resource-exhaustion DDoS attacks. Protects servers on Alibaba Cloud, on-premises, or in other clouds. Redirects attack traffic to scrubbing centers via DNS resolution, forwarding only clean traffic to your origin server.

For selection guidance and billing, see Select a DDoS protection product, Anti-DDoS Native billing, and Anti-DDoS Proxy billing.

FAQ