In the Anti-DDoS Pro console, you can view a list of black hole events for all assets that belong to an account. For example, you can view the time point when a black hole is enabled for an asset and a list of IP addresses from which attacks originate.

Background information

The public IP address of an Elastic Compute Service (ECS) or Server Load Balancer (SLB) instance may experience a large number of distributed denial of service (DDoS) attacks. If the throughput of these attacks exceeds the predefined black hole triggering threshold, all traffic to the public IP address is routed to a black hole. Your businesses are no longer accessible by clients because all exterior traffic is dropped.

The black hole triggering threshold for an instance changes based on the region where the instance resides. For more information about black holes, see Alibaba Cloud black hole policies.


  1. Log on to the Alibaba Cloud Anti-DDoS Basic console.
  2. On the top of the Assets page, select a region.
  3. Select the ECS, SLB, EIP (including NAT), or Others tab based on the type of cloud service for which you want to configure a cleaning threshold.
  4. In a list of instances, find the target instance and click the IP address of the instance.
    If excessive instances exist, we recommend that you search for the target instance by using the instance ID, instance name, or instance IP as the search condition.Assets
  5. On the Instance Details page, view a list of historical black hole events where the Event is Black Hole and view the peak traffic for each attack.
    The Start time and End time of a black hole event are displayed.
    Note If no black hole or scrubbing event for an asset exists, no result is displayed in the event list.
  6. Optional: In the Operation column of the target event, click Download. You can use the downloaded packet file for the attack event as evidence of criminal activity. You can send the evidence to the Internet Crime Reporting Center.