If DDoS attacks occur on an Alibaba Cloud asset that uses a public IP address and the volume of the DDoS attacks exceeds the threshold to trigger blackhole filtering, blackhole filtering is triggered. If blackhole filtering is triggered, all inbound traffic that is destined for the public IP address is dropped and the related services become inaccessible. This topic describes how to view the information about a blackhole filtering event. The information includes the point in time when blackhole filtering is triggered and the amount of attack traffic.

Background information

For more information about blackhole filtering see Blackhole filtering policy of Alibaba Cloud.

The following table lists the thresholds at which blackhole filtering is triggered in each region. In the following table, a tick (Tick) indicates that the feature is supported and a cross (Cross) indicates that the feature is not supported.

Thresholds to trigger blackhole filtering in each region
RegionSupport IPv4Support IPv6ECS instance with one vCPU and simple application server with one vCPUECS instances with two vCPUsECS instance with more than four vCPUsSLB instance, EIP, EIP that is associated with a NAT gateway, and WAF instance
China (Hangzhou)TickTick500 Mbit/s1 Gbit/s5 Gbit/s5 Gbit/s
China (Shanghai)TickTick500 Mbit/s1 Gbit/s2 Gbit/s2 Gbit/s
China (Qingdao)TickCross500 Mbit/s1 Gbit/s5 Gbit/s5 Gbit/s
China (Beijing)TickTick500 Mbit/s1 Gbit/s2 Gbit/s2 Gbit/s
China (Zhangjiakou)TickTick500 Mbit/s1 Gbit/s2 Gbit/s2 Gbit/s
China (Hohhot)TickTick500 Mbit/s1 Gbit/s2 Gbit/s2 Gbit/s
China (Shenzhen)TickTick500 Mbit/s1 Gbit/s2 Gbit/s2 Gbit/s
China (Heyuan)TickTick500 Mbit/s1 Gbit/s2 Gbit/s2 Gbit/s
China (Chengdu)TickCross500 Mbit/s1 Gbit/s2 Gbit/s2 Gbit/s
China (Hong Kong)TickTick500 Mbit/s500 Mbit/s500 Mbit/s500 Mbit/s
Japan (Tokyo)TickCross500 Mbit/s500 Mbit/s500 Mbit/s500 Mbit/s
Singapore (Singapore)TickCross500 Mbit/s500 Mbit/s500 Mbit/s500 Mbit/s
Australia (Sydney)TickCross500 Mbit/s500 Mbit/s500 Mbit/s500 Mbit/s
Malaysia (Kuala Lumpur)TickCross500 Mbit/s500 Mbit/s500 Mbit/s500 Mbit/s
Indonesia (Jakarta)TickCross500 Mbit/s500 Mbit/s500 Mbit/s500 Mbit/s
India (Mumbai)TickCross500 Mbit/s1 Gbit/s1 Gbit/s1 Gbit/s
South Korea (Seoul)TickCross500 Mbit/s500 Mbit/s500 Mbit/s500 Mbit/s
Germany (Frankfurt)TickCross500 Mbit/s500 Mbit/s500 Mbit/s500 Mbit/s
UK (London)TickCross500 Mbit/s500 Mbit/s500 Mbit/s500 Mbit/s
US (Silicon Valley)TickCross500 Mbit/s1 Gbit/s2 Gbit/s2 Gbit/s
US (Virginia)TickCross500 Mbit/s500 Mbit/s500 Mbit/s500 Mbit/s
UAE (Dubai)TickCross500 Mbit/s500 Mbit/s500 Mbit/s500 Mbit/s

Procedure

  1. Log on to the Traffic Security console.
  2. In the left-side navigation pane, click Assets.
  3. In the top navigation bar, select the region of your asset.
  4. Click the tab based on the type of assets that you want to manage. For example, you can click ECS.
  5. In the IP address asset list, click the IP address for which you want to configure a traffic scrubbing threshold.
  6. In the IP Address Details panel, view the information about historical blackhole filtering events in the event list and the amount of attack traffic when each blackhole filtering event occurs in the chart. Blackholing is displayed in the Event column of a blackhole filtering event.
    Start time and End time of a blackhole filtering event are displayed.
    Note If no blackhole filtering or traffic scrubbing events occur for the asset, no events are displayed in the event list.
  7. Optional:In the Operation column of an event, click Download. You can download the packet capture files for the attack event and report the downloaded files to network supervisors.