View blackhole event details
When a DDoS attack exceeds the free mitigation threshold for your Alibaba Cloud service, blackhole filtering is triggered: all inbound traffic to that service is dropped and the service becomes inaccessible. Use Event Center in the Traffic Security console to find out when a blackhole event occurred and how traffic spiked during the attack.
Background
Anti-DDoS Native Basic provides free DDoS mitigation with a capacity of 500 Mbit/s to 5 Gbit/s for specific Alibaba Cloud services. When the peak attack bandwidth exceeds this capacity, blackhole filtering is activated to protect the affected service and prevent the attack from affecting other services.
If your service only has basic DDoS mitigation (no paid edition), blackhole filtering cannot be manually deactivated — it is deactivated automatically after a set duration. For details, see View the duration of blackhole filtering.
For the thresholds that trigger blackhole filtering, see View the thresholds that trigger blackhole filtering in Anti-DDoS Native Basic and Blackhole filtering thresholds and blackhole filtering duration in Cloud Web Hosting.
Limitations
Not all assets and time ranges support viewing event details. The following table summarizes what applies to your asset type.
If the event falls outside the supported time window, View Details is dimmed and cannot be clicked. If the asset has been released from your account, the message "You cannot view traffic details because the asset is removed from the current account." appears instead.
Asset type | Event history available | View Details button |
IPv4 address | Within 7 days of the event | Active |
IPv6 address | Within 3 hours of the event | Active |
Anycast EIP | Not available | Dimmed (unavailable) |
Released asset | Not available | Error message shown |
View blackhole filtering events
Log on to the Traffic Security console,In the left-side navigation pane, choose DDoS.
In the left-side navigation pane, click Event Center.
Enter the IP address of your asset, set the event type to Blackhole, select a time range, and search for events.
(Optional) In the Actions column, click View Details to open the event detail page. The detail page shows two trend charts for the blackhole event, Traffic and Inbound Traffic (pps).
(Optional) To download DDoS attack evidence, click Download in the Trafficof the Event Center page.
What's next
If blackhole filtering is disrupting access to an Elastic Compute Service (ECS) instance, you can transfer files or modify configurations on it from another instance. See Connect to an ECS instance for which blackhole filtering is triggered.
Anti-DDoS Native Basic has limited mitigation capacity. To protect business-critical services, upgrade to a paid Anti-DDoS edition. See Scenario-specific anti-DDoS solutions.
To understand the full blackhole filtering policy, see Blackhole filtering policy of Alibaba Cloud.
FAQ
How do I find out when blackhole filtering will be deactivated?
You cannot query the exact deactivation time, nor can you manually deactivate it.For more details on duration calculations, see View the duration of blackhole filtering.
Automatic Deactivation: Blackhole filtering is automatically lifted by the system after the attack subsides and a specific cooling-off period elapses.
Duration Estimates:
Default Duration: Approximately 2.5 hours.
Typ Range: Generally between 30 minutes and 24 hours.
Variables: The exact duration depends on factors such as attack severity, frequency, type, and current network load.
Which domain names are affected when an IP address enters blackhole filtering?
Blackhole filtering operates at the IP level, affecting all domains resolving to that IP.
General Impact:When an IP address is blackholed, all inbound traffic to that IP is dropped. Consequently, all domain names resolving to that IP address will become inaccessible.
Impact on WAF (Web Application Firewall):
If the blackholed IP is a Virtual IP (VIP) of a WAF instance, all domains associated with that WAF instance will be affected.
Reason: Multiple domains often share the same WAF VIP. The traffic is blocked at the network (IP) layer before it reaches the WAF engine for domain identification or forwarding. Therefore, the WAF cannot distinguish or serve any of the hosted domains during the blackhole event.
Verification: You can log in to the WAF Console to view the list of all domains bound to the affected instance.