
Anti-DDoS: Best practices for automatic deactivation of blackhole filtering

Last Updated: Oct 18, 2023

If an asset that is assigned a public IP address comes under a volumetric DDoS attack after it is added to an Anti-DDoS Origin instance of a paid edition, blackhole filtering may still be triggered. To prevent an extended service interruption, you must deactivate blackhole filtering at the earliest opportunity. Anti-DDoS Origin paid editions provide a solution to configure alerts and automatically deactivate blackhole filtering.

Prerequisites

This solution requires you to call an API operation of Anti-DDoS Origin paid editions. Therefore, this solution is available only for Anti-DDoS Origin instances of paid editions. Before you use this solution, make sure that your asset is added to an Anti-DDoS Origin instance of a paid edition. For more information, see Add an object for protection.

Background information

You can manually deactivate blackhole filtering for Anti-DDoS Origin instances of paid editions in the Traffic Security console. For more information, see Deactivate blackhole filtering. However, manual deactivation may result in delays and unexpected errors. If your service requires a high level of stability and continuity, use the following method to configure alerts and automatically deactivate blackhole filtering:

  1. Create an alert rule in the CloudMonitor console to monitor blackhole filtering that is triggered on an Anti-DDoS Origin instance of a paid edition.

    Note

    If blackhole filtering is triggered and detected on assets that are added to Anti-DDoS Origin paid editions, CloudMonitor sends messages about blackhole filtering. In other scenarios, no messages about blackhole filtering are sent.

  2. Create a custom rule to automatically deactivate blackhole filtering on an Anti-DDoS Origin instance of a paid edition by calling the DeleteBlackhole operation. For more information, see DeleteBlackhole.

You can also create rules to automatically call an API operation of Alibaba Cloud DNS (DNS). The operation resolves your domain name to the IP address of an Anti-DDoS Pro or Anti-DDoS Premium instance during DDoS attacks.

Procedure

  1. Log on to the CloudMonitor console.

  2. In the left-side navigation pane, choose Event Center > System Event.

  3. On the Event-triggered Alert Rules tab, click Create Alert Rule to create a rule for blackhole filtering.

    In the panel that appears, set Product Type to Anti-DDoS Origin, Event Type to DDoS Attacks, Event Level to CRITICAL, and Event Name to ddosbgp_event_blackhole. Then, select a channel to which you want to push alert notifications based on your business requirements. For more information about other parameters, see Manage system event-triggered alert rules.

    The event alert is created. When CloudMonitor detects that blackhole filtering is triggered on an asset that is added to an Anti-DDoS Origin instance of a paid edition, CloudMonitor generates an alert and pushes the following message by using the specified channels. Sample alert message:

    {
        "action": "add", // The event status. The value add indicates that the event started, and the value del indicates that the event ended.
        "bps": 0, // The throughput when the event is triggered. Unit: Mbit/s.
        "pps": 0, // The packet rate when the event is triggered. Unit: packets per second (pps).
        "instanceId": "ddosbgp-cn-78v17******", // The ID of the Anti-DDoS Origin instance of a paid edition.
        "ip": "47.*.*.*", // The IP address of the asset on which the event is triggered.
        "regionId": "cn-hangzhou", // The ID of the region in which the Anti-DDoS Origin instance of a paid edition resides.
        "time": 1564104493000, // The time when the event begins. The value is a timestamp. Unit: milliseconds.
        "type": "blackhole" // The event type. The value defense indicates a traffic scrubbing event and the value blackhole indicates a blackhole filtering event.
    }

  4. Create a custom rule to automatically deactivate blackhole filtering by calling the DeleteBlackhole operation. For more information, see DeleteBlackhole.
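
One way to structure the custom rule in step 4, as an added example that is not Alibaba Cloud's own code: it validates an alert message in the format shown above before anything calls DeleteBlackhole. The function names, the instance allowlist, the `delete_blackhole` callable (which you would back with your SDK client) and the `InstanceId`/`Ip`/`RegionId` parameter names are assumptions to check against the DeleteBlackhole reference.

```python
import ipaddress
import json

# Constructed sample modelled on the alert message format above
# (made-up instance ID, documentation-range IP address).
SAMPLE_EVENT = json.dumps({
    "action": "add", "bps": 0, "pps": 0,
    "instanceId": "ddosbgp-cn-example0001", "ip": "203.0.113.10",
    "regionId": "cn-hangzhou", "time": 1564104493000, "type": "blackhole",
})


def plan_deactivation(raw, allowed_instances, seen):
    """Return DeleteBlackhole parameters for an alert, or None to take no action."""
    try:
        event = json.loads(raw)
    except (TypeError, ValueError):
        return None
    if not isinstance(event, dict):
        return None
    # Act only when blackhole filtering starts: skip scrubbing ("defense")
    # events and end-of-event ("del") messages.
    if event.get("type") != "blackhole" or event.get("action") != "add":
        return None
    instance_id, ip_raw, ts = event.get("instanceId"), event.get("ip"), event.get("time")
    if not (isinstance(instance_id, str) and isinstance(ip_raw, str) and isinstance(ts, int)):
        return None
    # Only act for instances this automation is responsible for.
    if instance_id not in allowed_instances:
        return None
    try:
        ip = str(ipaddress.ip_address(ip_raw))
    except ValueError:
        return None
    # Skip alerts already handled, e.g. one message delivered through several channels.
    key = (instance_id, ip, ts)
    if key in seen:
        return None
    seen.add(key)
    # Parameter names are assumptions; confirm them in the DeleteBlackhole reference.
    return {"InstanceId": instance_id, "Ip": ip, "RegionId": event.get("regionId")}


def handle_alert(raw, allowed_instances, seen, delete_blackhole):
    """Invoke the caller-supplied delete_blackhole callable when the alert qualifies."""
    params = plan_deactivation(raw, allowed_instances, seen)
    if params is None:
        return False
    delete_blackhole(**params)
    return True
```

Because the alert payload arrives from a notification channel, the handler treats it as untrusted input: anything that is malformed, refers to an instance outside the allowlist, or has already been processed results in no API call.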