View blackhole event details

Updated at:
Copy as MD

When a DDoS attack exceeds the free mitigation threshold for your Alibaba Cloud service, blackhole filtering is triggered: all inbound traffic to that service is dropped and the service becomes inaccessible. Use Event Center in the Traffic Security console to find out when a blackhole event occurred and how traffic spiked during the attack.

Background

Limitations

Not all assets and time ranges support viewing event details. The following table summarizes what applies to your asset type.

Note

If the event falls outside the supported time window, View Details is dimmed and cannot be clicked. If the asset has been released from your account, the message "You cannot view traffic details because the asset is removed from the current account." appears instead.

Asset type

Event history available

View Details button

IPv4 address

Within 7 days of the event

Active

IPv6 address

Within 3 hours of the event

Active

Anycast EIP

Not available

Dimmed (unavailable)

Released asset

Not available

Error message shown

View blackhole filtering events

  1. Log on to the Traffic Security console,In the left-side navigation pane, choose DDoS.

  2. In the left-side navigation pane, click Event Center.

  3. Enter the IP address of your asset, set the event type to Blackhole, select a time range, and search for events.

  4. (Optional) In the Actions column, click View Details to open the event detail page. The detail page shows two trend charts for the blackhole event, Traffic and Inbound Traffic (pps).

  5. (Optional) To download DDoS attack evidence, click Download in the Trafficof the Event Center page.

What's next

FAQ

  • How do I find out when blackhole filtering will be deactivated?

    You cannot query the exact deactivation time, nor can you manually deactivate it.For more details on duration calculations, see View the duration of blackhole filtering.

    • Automatic Deactivation: Blackhole filtering is automatically lifted by the system after the attack subsides and a specific cooling-off period elapses.

    • Duration Estimates:

      • Default Duration: Approximately 2.5 hours.

      • Typ Range: Generally between 30 minutes and 24 hours.

      • Variables: The exact duration depends on factors such as attack severity, frequency, type, and current network load.

  • Which domain names are affected when an IP address enters blackhole filtering?

    Blackhole filtering operates at the IP level, affecting all domains resolving to that IP.

    • General Impact:When an IP address is blackholed, all inbound traffic to that IP is dropped. Consequently, all domain names resolving to that IP address will become inaccessible.

    • Impact on WAF (Web Application Firewall):

      • If the blackholed IP is a Virtual IP (VIP) of a WAF instance, all domains associated with that WAF instance will be affected.

      • Reason: Multiple domains often share the same WAF VIP. The traffic is blocked at the network (IP) layer before it reaches the WAF engine for domain identification or forwarding. Therefore, the WAF cannot distinguish or serve any of the hosted domains during the blackhole event.

      • Verification: You can log in to the WAF Console to view the list of all domains bound to the affected instance.

References