If DDoS attacks occur on an Alibaba Cloud asset that uses a public IP address and the volume of the DDoS attacks exceeds the mitigation capability provided for the asset, blackhole filtering is triggered. Blackhole filtering is used to block all inbound Internet traffic that is destined for the public IP address and protects the asset against subsequent attacks. This topic describes the blackhole filtering policy of Alibaba Cloud and how to handle and prevent blackhole filtering.

What is blackhole filtering?

If volumetric DDoS attacks occur on an Alibaba Cloud asset that uses a public IP address and the peak attack bandwidth exceeds the mitigation capability provided for the asset, blackhole filtering is triggered for the IP address. The peak attack bandwidth is measured in bit/s.

If blackhole filtering is triggered, all inbound Internet traffic that is destined for the IP address is temporarily blocked. The IP address cannot be accessed over the Internet. Blackhole filtering protects the asset against subsequent attacks and prevents other assets from being affected by the attacked IP address. During blackhole filtering, Alibaba Cloud continuously monitors the status of DDoS attacks. A period of time after the DDoS attacks stop, Alibaba Cloud automatically deactivates blackhole filtering for the asset. Then, the asset can be accessed over the Internet. You can manually deactivate blackhole filtering before the DDoS attacks stop.

Why is blackhole filtering required?

DDoS attacks exhaust the resources of the attacked asset and, if the attack traffic keeps flowing through the shared network, can affect other assets as well. If DDoS attacks occur on an asset that uses a public IP address, blackhole filtering blocks the inbound Internet traffic that is destined for that IP address, which protects the asset against subsequent attacks and prevents other assets from being affected.

What do I do if blackhole filtering is triggered?

If blackhole filtering is triggered for your asset, it indicates that your asset cannot defend against the current DDoS attacks. To resolve this issue, we recommend that you use one of the following methods:
  • (Recommended) Improve the DDoS mitigation capability for your asset

    You can purchase an Anti-DDoS instance to improve the traffic scrubbing capability and deploy the Anti-DDoS instance at the edge of the Alibaba Cloud network to protect your asset. The Alibaba Cloud network is the networking infrastructure of Alibaba Cloud. For more information, see How do I prevent blackhole filtering from being triggered?.

  • Wait for Alibaba Cloud to automatically deactivate blackhole filtering
    Alibaba Cloud monitors the status of DDoS attacks on your asset and automatically deactivates blackhole filtering for your asset a period of time after the DDoS attacks stop. Then, the asset can be accessed over the Internet. By default, Alibaba Cloud automatically deactivates blackhole filtering 2.5 hours after the DDoS attacks stop. In actual scenarios, Alibaba Cloud automatically deactivates blackhole filtering 30 minutes to 24 hours after the DDoS attacks stop. The period of time varies based on the frequency at which your asset is attacked. In rare cases, the period of time exceeds 24 hours. The duration of blackhole filtering varies based on the following factors:
    • The duration of attacks. If attacks continue for a long time, the duration of blackhole filtering is extended.
    • The frequency of attacks. If an asset experiences attacks for the first time, the duration of blackhole filtering automatically decreases. If an asset experiences frequent attacks, the asset has a high probability to encounter continuous attacks, and the duration of blackhole filtering is automatically extended.
    Note If blackhole filtering is frequently triggered for an asset, Alibaba Cloud reserves the right to further extend the duration of blackhole filtering and lower the threshold to trigger blackhole filtering for the asset. You can view the actual duration and threshold of blackhole filtering in the console.
    You can view the time when blackhole filtering is automatically deactivated for your asset, such as an Elastic Compute Service (ECS) instance, a Server Load Balancer (SLB) instance, an elastic IP address (EIP), or a simple application server, on the Assets page of the Traffic Security console. For more information, see View the duration of blackhole filtering.
  • Manually deactivate blackhole filtering

    If you want to recover your service during blackhole filtering, you can manually deactivate blackhole filtering. If you deactivate blackhole filtering, you can deploy a mitigation plan within a specific period of time. However, DDoS attacks cannot be mitigated. After you manually deactivate blackhole filtering, blackhole filtering may be triggered again if the DDoS attacks do not stop.

    The following list describes, for each Anti-DDoS service, the method to deactivate blackhole filtering and the limit that applies.
    • Anti-DDoS Origin Basic (Anti-DDoS instances are not purchased.)
      Method: On the Overview page of the Traffic Security console, click Handle Now in the Real-time Attack Detection section to deactivate blackhole filtering for the IP addresses that are attacked.
      Note If blackhole filtering is triggered for your ECS instance, you can change the public IP address of your ECS instance or resolve the domain name of your website service to an SLB instance. For more information, see Change the public IP address of an instance.
      Limit: You can deactivate blackhole filtering for your asset that is protected by an Anti-DDoS Origin Basic instance for a specific number of times per month. For more information, see the information that is displayed in the Handle Now panel.
    • Anti-DDoS Origin Enterprise
      Method:
      • In the Traffic Security console, choose Network Security > Anti-DDoS Origin > Manage Instances. On the page that appears, find the attacked IP address and click Deactivate Black Hole in the Actions column. The IP address must be protected by an Anti-DDoS Origin Enterprise instance. For more information, see Deactivate blackhole filtering.
      • Call the DeleteBlackhole operation of the Anti-DDoS Origin API to deactivate blackhole filtering. For more information, see Make API requests.
      Limit: You can deactivate blackhole filtering for your asset that is protected by an Anti-DDoS Origin Enterprise instance for a specific number of times per month. The number of times is greater than or equal to the number of IP addresses that the instance can protect.
    • Anti-DDoS Pro
      Method:
      • In the Anti-DDoS Pro console, choose Mitigation Settings > General Policies. On the page that appears, use the Deactivate Blackhole Status feature on the Protection for Infrastructure tab to manually deactivate blackhole filtering. For more information, see Deactivate blackhole filtering.
      • Call the ModifyBlackholeStatus operation of the Anti-DDoS Pro API to deactivate blackhole filtering. For more information, see Make API requests.
      Limits:
      • After blackhole filtering is triggered, you must wait at least 2 minutes before you can deactivate it.
      • You can deactivate blackhole filtering for your asset that is protected by an Anti-DDoS Pro instance up to five times per day.
    • Anti-DDoS Premium
      Method: You cannot manually deactivate blackhole filtering for your asset that is protected by an Anti-DDoS Premium instance.
      Limit: None.
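    The trigger condition from "What is blackhole filtering?" and the deactivation rules listed above, put together as a small lifecycle model. This is an added example, not Alibaba Cloud code: it uses only the figures this page states (peak bandwidth compared against the mitigation capability in bit/s, the 2.5-hour default automatic deactivation window, the 2-minute minimum wait and five manual deactivations per day for Anti-DDoS Pro, no manual deactivation for Anti-DDoS Premium). The 5 Gbit/s threshold, the traffic samples and the timestamps are constructed assumptions; the monthly quotas of Anti-DDoS Origin Basic and Enterprise are shown only in the console and are not modelled.

```python
# Added example: a constructed model of the blackhole-filtering lifecycle that
# this page describes. Not Alibaba Cloud code. The figures are the page's stated
# values; the 5 Gbit/s threshold and the traffic samples are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

GBIT_PER_S = 1_000_000_000  # bit/s in one Gbit/s; peak attack bandwidth is measured in bit/s


@dataclass(frozen=True)
class Policy:
    """Deactivation rules of one Anti-DDoS service, as stated on the page."""
    service: str
    manual_allowed: bool                 # False for Anti-DDoS Premium
    min_wait_after_trigger: timedelta    # Anti-DDoS Pro: at least 2 minutes
    max_manual_per_day: Optional[int]    # Anti-DDoS Pro: 5; Origin uses a monthly quota shown in the console (not modelled)
    auto_release_after_stop: timedelta = timedelta(hours=2, minutes=30)  # default window stated on the page


ORIGIN_BASIC = Policy("Anti-DDoS Origin Basic", True, timedelta(0), None)
ORIGIN_ENTERPRISE = Policy("Anti-DDoS Origin Enterprise", True, timedelta(0), None)
ANTI_DDOS_PRO = Policy("Anti-DDoS Pro", True, timedelta(minutes=2), 5)
ANTI_DDOS_PREMIUM = Policy("Anti-DDoS Premium", False, timedelta(0), None)


@dataclass
class Incident:
    """Timeline of one blackhole-filtering event on a single public IP address."""
    triggered_at: datetime
    attack_stopped_at: Optional[datetime] = None
    manual_deactivations: List[datetime] = field(default_factory=list)


def peak_bandwidth_bps(samples_bps: List[int]) -> int:
    """Peak attack bandwidth: the largest per-interval inbound rate in the window."""
    return max(samples_bps)


def blackhole_triggered(samples_bps: List[int], threshold_bps: int) -> bool:
    """Triggered when the peak exceeds the asset's mitigation capability (the threshold)."""
    return peak_bandwidth_bps(samples_bps) > threshold_bps


def auto_release_time(policy: Policy, incident: Incident) -> Optional[datetime]:
    """When the platform releases the IP on its own: the default window after the
    attack stops. The page says the real window ranges from 30 minutes to 24 hours
    depending on attack history; only the stated default is modelled here."""
    if incident.attack_stopped_at is None:
        return None  # attack still in progress, so no automatic release yet
    return incident.attack_stopped_at + policy.auto_release_after_stop


def can_manually_deactivate(policy: Policy, incident: Incident, now: datetime) -> Tuple[bool, str]:
    """Check a manual deactivation request at `now` against the service's limits."""
    if not policy.manual_allowed:
        return False, f"{policy.service}: manual deactivation is not supported"
    if now - incident.triggered_at < policy.min_wait_after_trigger:
        return False, f"{policy.service}: wait at least {policy.min_wait_after_trigger} after the trigger"
    if policy.max_manual_per_day is not None:
        used_today = sum(1 for t in incident.manual_deactivations if t.date() == now.date())
        if used_today >= policy.max_manual_per_day:
            return False, f"{policy.service}: daily limit of {policy.max_manual_per_day} manual deactivations reached"
    return True, "allowed; blackhole filtering may be triggered again if the attack has not stopped"


if __name__ == "__main__":
    # Constructed per-minute inbound rates (bit/s) for an asset whose basic
    # mitigation capability is assumed to be 5 Gbit/s.
    samples = [800 * 10**6, 1_200 * 10**6, 6_500 * 10**6, 4_100 * 10**6]
    threshold = 5 * GBIT_PER_S
    print("peak:", peak_bandwidth_bps(samples) / GBIT_PER_S, "Gbit/s ->",
          "blackhole" if blackhole_triggered(samples, threshold) else "mitigated")

    t0 = datetime(2024, 1, 1, 10, 0)  # constructed trigger time
    incident = Incident(triggered_at=t0, attack_stopped_at=t0 + timedelta(hours=1))
    print("default automatic release at:", auto_release_time(ORIGIN_BASIC, incident))
    for policy in (ANTI_DDOS_PRO, ANTI_DDOS_PREMIUM):
        print(can_manually_deactivate(policy, incident, t0 + timedelta(minutes=1)))
```

    The model is useful for a runbook: it makes explicit that the peak, not the average, decides the trigger, that the automatic release clock starts only when the attack stops, and that a manual deactivation on Anti-DDoS Pro is refused both inside the first 2 minutes and after the daily quota is used.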

How do I prevent blackhole filtering from being triggered?

If the peak attack bandwidth of the DDoS attacks exceeds the mitigation capability provided for your asset, blackhole filtering is triggered. A higher mitigation capability lowers the possibility of blackhole filtering. To prevent blackhole filtering from being triggered, you must improve the mitigation capability (blackhole filtering threshold) for your asset.

You can use one of the following methods to improve the mitigation capability for your asset:
  • Use Anti-DDoS Origin Basic free of charge

    Anti-DDoS Origin Basic provides a basic mitigation capability of up to 5 Gbit/s against DDoS attacks for Alibaba Cloud assets free of charge. The assets are Alibaba Cloud assets that use public IP addresses. The basic mitigation capability varies based on the specifications of the assets and the regions to which the assets belong. For more information, see View thresholds to trigger blackhole filtering in Anti-DDoS Origin Basic.

    Alibaba Cloud can also increase your blackhole filtering threshold based on your security credit score. The security credit score is calculated by Security Credibility. The security credit score is not fixed. You can improve your security credit score to obtain a higher mitigation capability free of charge. To improve your security credit score, you can control the exposure of your asset.

    Security Credibility determines the blackhole filtering threshold based on multiple factors. Security Credibility improves the mitigation capability against the first DDoS attack for users who have a qualified security credit score. The blackhole filtering threshold is adjusted as the security credit score changes. Security Credibility does not guarantee a fixed mitigation capability. For more information, see Security Credibility.

  • Deploy an Anti-DDoS instance of a paid edition
    • Purchase an Anti-DDoS Origin Enterprise instance to enable best-effort protection without the need to change your service IP address.
    • Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance and switch your service traffic to the IP address of the instance. This way, you can obtain up to Tbit/s of mitigation capabilities. Anti-DDoS Pro and Anti-DDoS Premium guarantee a committed mitigation capability and defense effect.

    For more information about scenario-specific anti-DDoS solutions, see Scenario-specific anti-DDoS solutions.

Can I use ACLs to mitigate DDoS attacks and prevent blackhole filtering from being triggered?

No, you cannot use access control lists (ACLs) to mitigate DDoS attacks and prevent blackhole filtering from being triggered. ACLs take effect only when attacks reach the edge of the Alibaba Cloud network in which your server resides. ACLs cannot mitigate DDoS attacks that are initiated from multiple botnets and destined for your server. When the DDoS attacks reach the edge of the Alibaba Cloud network in which your server resides, the volume of attacks far exceeds the mitigation capability of the ACLs. To mitigate the DDoS attacks, you must deploy mitigation policies at the edge of an Internet service provider (ISP) backbone network.

You can use traffic analysis and filtering methods together with sufficient network bandwidth to scrub attack traffic. If you want to expand the network bandwidth of your server to the bandwidth of the attack traffic and deploy a scrubbing center to scrub the attack traffic, the costs generated by bandwidth expansion and the servers used for traffic scrubbing can be excessively high. If each user deploys a scrubbing center, the overall mitigation costs significantly increase.

Cloud service providers therefore offer a more cost-effective mitigation model. They provide large network bandwidths and deploy scrubbing centers at their ISP backbone networks, so that DDoS attack traffic is scrubbed in the scrubbing center closest to the location where the attacks are initiated. The providers sell these capabilities as Software-as-a-Service (SaaS)-based anti-DDoS services. This way, the scrubbing centers are shared among many users, and the cost for each user is reduced.