If DDoS attacks occur on an Alibaba Cloud asset that uses a public IP address and the volume of the DDoS attacks exceeds the threshold to trigger blackhole filtering, blackhole filtering is triggered. If blackhole filtering is triggered, all inbound traffic that is destined for the public IP address is dropped and the related services become inaccessible. This topic describes how to view the information about a blackhole filtering event. The information includes the point in time when blackhole filtering is triggered and the amount of attack traffic.

Background information

For more information about blackhole filtering see Blackhole filtering policy of Alibaba Cloud.

The following table lists the thresholds at which blackhole filtering is triggered in each region. In the following table, a tick (Right) indicates that the feature is supported and a cross (Wrong) indicates that the feature is not supported.

Thresholds to trigger blackhole filtering in each region
Region Support IPv4 Support IPv6 ECS instance with one vCPU and simple application server with one vCPU ECS instances with two vCPUs ECS instance with more than four vCPUs SLB instance, EIP, EIP that is associated with a NAT gateway, and WAF instance
China (Hangzhou) Right Right 500 Mbit/s 1 Gbit/s 5 Gbit/s 5 Gbit/s
China (Shanghai) Right Right 500 Mbit/s 1 Gbit/s 2 Gbit/s 2 Gbit/s
China (Qingdao) Right Wrong 500 Mbit/s 1 Gbit/s 5 Gbit/s 5 Gbit/s
China (Beijing) Right Right 500 Mbit/s 1 Gbit/s 2 Gbit/s 2 Gbit/s
China (Zhangjiakou) Right Right 500 Mbit/s 1 Gbit/s 2 Gbit/s 2 Gbit/s
China (Hohhot) Right Right 500 Mbit/s 1 Gbit/s 2 Gbit/s 2 Gbit/s
China (Shenzhen) Right Right 500 Mbit/s 1 Gbit/s 2 Gbit/s 2 Gbit/s
China (Heyuan) Right Right 500 Mbit/s 1 Gbit/s 2 Gbit/s 2 Gbit/s
China (Chengdu) Right Wrong 500 Mbit/s 1 Gbit/s 2 Gbit/s 2 Gbit/s
China (Hong Kong) Right Right 500 Mbit/s 500 Mbit/s 500 Mbit/s 500 Mbit/s
Japan (Tokyo) Right Wrong 500 Mbit/s 500 Mbit/s 500 Mbit/s 500 Mbit/s
Singapore (Singapore) Right Wrong 500 Mbit/s 500 Mbit/s 500 Mbit/s 500 Mbit/s
Australia (Sydney) Right Wrong 500 Mbit/s 500 Mbit/s 500 Mbit/s 500 Mbit/s
Malaysia (Kuala Lumpur) Right Wrong 500 Mbit/s 500 Mbit/s 500 Mbit/s 500 Mbit/s
Indonesia (Jakarta) Right Wrong 500 Mbit/s 500 Mbit/s 500 Mbit/s 500 Mbit/s
India (Mumbai) Right Wrong 500 Mbit/s 1 Gbit/s 1 Gbit/s 1 Gbit/s
South Korea (Seoul) Right Wrong 500 Mbit/s 500 Mbit/s 500 Mbit/s 500 Mbit/s
Germany (Frankfurt) Right Wrong 500 Mbit/s 500 Mbit/s 500 Mbit/s 500 Mbit/s
UK (London) Right Wrong 500 Mbit/s 500 Mbit/s 500 Mbit/s 500 Mbit/s
US (Silicon Valley) Right Wrong 500 Mbit/s 1 Gbit/s 2 Gbit/s 2 Gbit/s
US (Virginia) Right Wrong 500 Mbit/s 500 Mbit/s 500 Mbit/s 500 Mbit/s
UAE (Dubai) Right Wrong 500 Mbit/s 500 Mbit/s 500 Mbit/s 500 Mbit/s

Procedure

  1. Log on to the Traffic Security console.
  2. In the left-side navigation pane, click Assets.
  3. In the top navigation bar, select the region of your asset.
  4. In the IP address list, click the IP address for which you want to configure a traffic scrubbing threshold in the IP/Remark column. Assets
  5. In the IP Address Details panel, view the information about historical blackhole filtering events in the event list and the amount of attack traffic when each blackhole filtering event occurs in the chart. Blackholing is displayed in the Event column of a blackhole filtering event.
    Start time and End time of a blackhole filtering event are displayed.
    Note If no blackhole filtering or traffic scrubbing events occur for the asset, no events are displayed in the event list.
  6. Optional:In the Operation column of an event, click Download. You can download the packet capture files for the attack event and report the downloaded files to network supervisors.