When attack traffic exceeds the mitigation capacity of an Anti-DDoS Proxy (Chinese Mainland) instance, Alibaba Cloud triggers blackhole filtering to protect the broader network. You can wait for blackhole filtering to lift automatically, or manually deactivate it to restore your service faster.
Scope
Only Anti-DDoS Proxy (Chinese Mainland) instances support manual deactivation. Anti-DDoS Proxy (Outside Chinese Mainland) instances do not require manual deactivation — they mitigate DDoS attacks by using all available capabilities automatically.
Quota for manual deactivation
Each Alibaba Cloud account can manually deactivate blackhole filtering up to five times per day. The quota resets at 00:00:00 (UTC+8) each day and cannot be increased.
Two additional constraints apply:
The first deactivation of the day takes effect immediately.
Subsequent deactivations must be more than 10 minutes apart.
Note: The quota is deducted only when deactivation succeeds. Failed attempts do not consume your quota.
If you have used up your daily quota, increase the basic protection bandwidth or burstable protection bandwidth to absorb attack traffic and prevent the instance from being blocked again. See Upgrade an instance for details.
Deactivate blackhole filtering
To reduce the chance of blackhole filtering being triggered again after deactivation, increase the basic or burstable protection bandwidth before you proceed. See Billing of the burstable protection bandwidth feature and Upgrade an instance.
Prerequisites:
An Anti-DDoS Proxy (Chinese Mainland) instance
An instance in the Blackhole Filtering state
Steps:
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select Chinese Mainland.
In the left-side navigation pane, choose Mitigation Settings > General Policies.
On the Protection for Infrastructure tab, select the instance you want to manage from the list on the left. You can search by instance ID or description.
In the Blackhole Filtering Deactivation section, click Unblock.
If the instance is in the Blackhole Filtering state, the Unblock button is active. Click it and wait for deactivation to complete.
If the instance is in the Normal state, the Unblock button is dimmed. No action is needed.
Result:
After clicking Unblock, one of the following outcomes occurs:
| Outcome | What you see | Next step |
|---|---|---|
| Deactivation succeeds | No error message | Refresh the page to confirm that network access is restored |
| Fails: data center risk control | "You cannot deactivate blackhole filtering due to the risk control mechanism of the data center. Try again 10 minutes later" | Wait 10 minutes and try again. Your quota is not consumed |
| Fails: other reasons | An error message appears | Try again later. Your quota is not consumed |
What's next
ModifyBlackholeStatus — use the API to deactivate blackhole filtering programmatically
Blackhole filtering policy of Alibaba Cloud — understand how and when blackhole filtering is triggered