All Products
Search

This Product

    Anti-DDoS:Deactivate blackhole filtering

    Document Center

    Anti-DDoS:Deactivate blackhole filtering

    Last Updated:Jun 22, 2026

    When attack traffic exceeds the mitigation capacity of an Anti-DDoS Proxy instance, the instance enters blackhole filtering. You can manually deactivate blackhole filtering to restore your service faster. This topic describes how to deactivate the blackhole state of an Anti-DDoS Proxy instance.

    Recommendations after blackhole filtering

    The protection capability of an Anti-DDoS Proxy instance is determined by its baseline protection bandwidth and burstable protection bandwidth. We recommend that you increase the protection capability before deactivating blackhole filtering to prevent the instance from entering the blackhole state again after deactivation. For more information, see Billing of burstable protection bandwidth and Instance upgrade.

    Limits

    • Only Anti-DDoS Proxy (Chinese Mainland) instances support blackhole filtering deactivation. Anti-DDoS Proxy (Outside Chinese Mainland) instances do not support this feature.

      Note

      Unlike Anti-DDoS Proxy (Chinese Mainland) instances that have a fixed protection bandwidth, Anti-DDoS Proxy (Outside Chinese Mainland) instances provide unlimited advanced protection. Manual deactivation is generally not required.

    • Blackhole filtering deactivation applies only to Anti-DDoS Proxy instance IPs. It cannot directly deactivate the blackhole state of origin server IPs.

      Note

      If your domain name is configured with CNAME resolution to an Anti-DDoS Proxy address but the blackhole state persists, or if you cannot deactivate blackhole filtering through this feature after CNAME access, check whether the blackhole state occurs on the origin server IP. When the origin server IP is in the blackhole state, your website can still be accessed through the Anti-DDoS Proxy IP. To restore the origin server IP, wait for automatic deactivation or use Anti-DDoS Origin.

    Deactivation quota

    Each Alibaba Cloud account has five blackhole filtering deactivation attempts per day. The quota automatically resets to five at 00:00 (UTC+8) each day and cannot be increased.

    • A deactivation attempt is counted only when it succeeds.

    • The first deactivation of the day generally takes effect immediately. If you use blackhole filtering deactivation multiple times on the same day, the interval between two consecutive deactivations must be greater than 10 minutes.

    Procedure

    1. Log on to the Anti-DDoS Proxy console.

    2. In the top navigation bar, select Chinese Mainland.

    3. In the left-side navigation pane, choose Mitigation Settings > General Policies.

    4. On the Protection for Infrastructure tab, select the Anti-DDoS Proxy instance you want to manage from the instance list on the left. You can search for the target instance by instance ID or instance description.

    5. Find the Blackhole Filtering Deactivation section and deactivate blackhole filtering based on the current instance state.

      Note

      The interval between two consecutive deactivation attempts must be greater than 10 minutes.

      • If the instance is in the Blackhole Filtering state and you do not want to wait for automatic deactivation, click Unblock and wait for the blackhole state to be successfully deactivated.

      • If the instance is in the Normal state, the Unblock button is unavailable.

    Results

    • Blackhole filtering deactivation involves the risk control management policy of the Alibaba Cloud backend system. Deactivation may fail (a failed attempt does not consume your quota). If deactivation fails, you will receive an error message. Wait for a period of time and try again.

    • If the system prompts "Affected by data center risk control, deactivation is temporarily unavailable. Try again in 10 minutes," wait and try again later.

    • If no message appears, deactivation succeeds. You can refresh the line status to confirm whether the Anti-DDoS Proxy line has returned to normal.

    FAQ

    How do I check the estimated time for blackhole filtering to be automatically lifted on an Anti-DDoS Proxy instance or IP?

    The blackhole filtering deactivation described in this topic is a manual operation and applies only to Anti-DDoS Proxy (Chinese Mainland) instances. To check the estimated time for automatic deactivation, see the blackhole duration description in Blackhole filtering policy of Alibaba Cloud.

    The automatic deactivation time is dynamically calculated by the system based on attack conditions and cannot be manually intervened. If you need to restore services immediately, use the manual deactivation feature described in this topic (available only for Anti-DDoS Proxy Chinese Mainland instances).