When a DDoS attack exceeds the free mitigation threshold for your Alibaba Cloud service, blackhole filtering is triggered: all inbound traffic to that service is dropped and the service becomes inaccessible. Use Event Center in the Traffic Security console to find out when a blackhole event occurred and how traffic spiked during the attack.
Background
Anti-DDoS Origin Basic provides free DDoS mitigation with a capacity of 500 Mbit/s to 5 Gbit/s for specific Alibaba Cloud services. When the peak attack bandwidth exceeds this capacity, blackhole filtering is activated to protect the affected service and prevent the attack from affecting other services.
If your service only has basic DDoS mitigation (no paid edition), blackhole filtering cannot be manually deactivated — it is deactivated automatically after a set duration. For details, see View the duration of blackhole filtering.
For the thresholds that trigger blackhole filtering, see View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic and Blackhole filtering thresholds and blackhole filtering duration in Cloud Web Hosting.
Limitations
Not all assets and time ranges support viewing event details. The following table summarizes what applies to your asset type.
| Asset type | Event history available | View Details button |
|---|---|---|
| IPv4 address | Within 7 days of the event | Active |
| IPv6 address | Within 3 hours of the event | Active |
| Anycast EIP | Not available | Dimmed (unavailable) |
| Released asset | Not available | Error message shown |
If the event falls outside the supported time window, View Details is dimmed and cannot be clicked. If the asset has been released from your account, the message "You cannot view traffic details because the asset is removed from the current account." appears instead.
View blackhole filtering events
1. Log on to the Traffic Security console.
2. In the left-side navigation pane, click Event Center.
3. Enter the IP address of your asset, set the event type to Blackhole, select a time range, and search for events.
4. (Optional) In the Actions column, click View Details to open the event detail page. The detail page shows two trend charts for the blackhole event:
   - Traffic
   - Inbound Traffic (pps)
5. (Optional) To download DDoS attack evidence, click Download in the upper-right corner of the Event Center page.
What's next
If blackhole filtering is disrupting access to an Elastic Compute Service (ECS) instance, you can transfer files or modify configurations on it from another instance. See Connect to an ECS instance for which blackhole filtering is triggered.
Anti-DDoS Origin Basic has limited mitigation capacity. To protect business-critical services, upgrade to a paid Anti-DDoS edition. See Scenario-specific anti-DDoS solutions.
To understand the full blackhole filtering policy, see Blackhole filtering policy of Alibaba Cloud.