All Products
Document Center

Anti-DDoS:Configure the blackhole filtering deactivation feature

Last Updated:Mar 26, 2024

If a service protected by an Anti-DDoS Pro instance is attacked and the bandwidth of attack traffic exceeds the mitigation capability of the instance, blackhole filtering is triggered for the instance. In this case, you can manually deactivate blackhole filtering for the instance to recover your service. This topic describes how to deactivate blackhole filtering for an Anti-DDoS Pro instance.

Handling suggestions after blackhole filtering is triggered

The mitigation capability of an Anti-DDoS Proxy instance is determined by the basic protection bandwidth and burstable protection bandwidth. We recommend that you increase the basic or burstable protection bandwidth before you deactivate blackhole filtering. This prevents blackhole filtering from being triggered again. For more information, see Billing of the burstable protection bandwidth feature and Upgrade an instance.


Anti-DDoS Proxy (Chinese Mainland) supports deactivation of blackhole filtering, but Anti-DDoS Proxy (Outside Chinese Mainland) does not.


Unlike an Anti-DDoS Proxy (Chinese Mainland) instance that has a fixed protection bandwidth, an Anti-DDoS Proxy (Outside Chinese Mainland) instance mitigates DDoS attacks by using all capabilities that are available. You do not need to manually deactivate blackhole filtering for an Anti-DDoS Proxy (Outside Chinese Mainland) instance.

Quota on deactivating blackhole filtering

Each Alibaba Cloud account can deactivate blackhole filtering up to five times per day. The quota is reset at 00:00:00 (UTC+8) on the next day. You cannot increase the quota on manually deactivating blackhole filtering.

  • The quota is deducted by one only when you successfully deactivate blackhole filtering.

  • The first deactivation operation in a day immediately takes effect. The interval between two deactivation operations must be greater than 10 minutes.


  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select Chinese Mainland.

  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.

  4. On the Protection for Infrastructure tab, select the Anti-DDoS Proxy instance that you want to manage from the list on the left.

    You can search for an instance by instance ID or description.

  5. In the Blackhole Filtering Deactivation section, deactivate blackhole filtering based on the instance status.

    • If the instance is in the Blackhole Filtering state and you do not want to wait for blackhole filtering to be automatically deactivated, click Unblock and wait for blackhole filtering to be deactivated.

    • If the instance is in the Normal state, the Unblock button is dimmed.

    The interval of two deactivation operations must be greater than 10 minutes.


  • Blackhole filtering is a risk management policy that is used by the background system of Alibaba Cloud. A deactivation operation may fail. In this case, the quota on deactivating blackhole filtering is not deducted, and an error message appears. You can try again later.

  • If the message "You cannot deactivate blackhole filtering due to the risk control mechanism of the data center. Try again 10 minutes later" appears, try again after 10 minutes.

  • If no error message appears, blackhole filtering is deactivated. You can refresh the page to check whether network access is restored.