When a large-scale DDoS attack targets an Alibaba Cloud asset and the peak attack traffic in bits per second (bps) exceeds its DDoS mitigation capacity, Alibaba Cloud activates a blackhole to temporarily block all internet traffic to the asset. This action prevents further damage to the asset and protects other assets from being affected, but it also interrupts normal network communication. This topic describes how to prevent and handle a blackhole.
Basic DDoS Protection capacity
Certain Alibaba Cloud public IP assets include free Basic DDoS Protection, with capacities ranging from 500 Mbps to 5 Gbps. The specific protection capacity depends on the asset's region and specifications. For more information, see Cloud service specifications and scrubbing thresholds and Configure traffic scrubbing thresholds.
If your normal service traffic (in bps) exceeds the blackhole threshold, upgrade your asset's specifications promptly. Otherwise, your traffic may be flagged as anomalous and trigger a blackhole.
The higher an asset's DDoS protection capacity, the lower the risk of a DDoS attack triggering a blackhole. Therefore, the most effective prevention method is to increase the asset's DDoS protection capacity, which also raises its blackhole threshold.
View asset status, traffic, and attack IPs
Log on to the Traffic Security console.
View the status of your asset.
In the upper-left corner of the Assets page, select the region where your public IP asset is located, and then click the corresponding asset tab.
In the asset list, check if the IP Status is Blackholed.
View the asset's traffic and attack IPs.
On the Event Center page, view blackhole or traffic scrubbing events. You can also click View Details to see the inbound traffic rate in bps and packets per second (pps).
In the upper-right corner of the page, click Download. Use a tool such as Wireshark to open the downloaded packet capture and view the attack IPs.
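As an added example that is not part of the original topic or Alibaba Cloud's tooling, the following Python script parses a downloaded libpcap capture, reports the inbound rate in bps and pps, and ranks source IPs by packet count, which is the same triage you would otherwise do by hand in Wireshark. The capture it builds and every address in it are constructed for the example.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4      # libpcap little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1

def ipv4_udp_frame(src, dst, payload_len):
    """Ethernet + IPv4 + UDP frame (constructed; checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + payload_len, 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    udp = struct.pack("!HHHH", 40000, 53, 8 + payload_len, 0)
    return eth + ip + udp + b"\x00" * payload_len

def build_pcap(records):
    """Serialize (timestamp_usec, frame) pairs into a libpcap file (constructed test data)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_usec, frame in records:
        out += struct.pack("<IIII", *divmod(ts_usec, 1_000_000), len(frame), len(frame)) + frame
    return out

def summarize_pcap(data, top=3):
    """Return inbound pps, bps and the most frequent IPv4 source addresses in a capture."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link-layer captures are handled")
    sources, stamps, total_bytes, offset = Counter(), [], 0, 24
    while offset + 16 <= len(data):
        sec, usec, caplen, origlen = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        stamps.append(sec * 1_000_000 + usec)
        total_bytes += origlen                      # wire length, not the truncated length
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":   # EtherType IPv4
            sources[str(IPv4Address(frame[26:30]))] += 1      # IPv4 source address
    duration = max((stamps[-1] - stamps[0]) / 1e6, 1e-6) if stamps else 1e-6
    return {"pps": len(stamps) / duration, "bps": total_bytes * 8 / duration,
            "top_sources": sources.most_common(top)}

def sample_capture():
    """Constructed capture: one source (198.51.100.7) sends 9 of 11 frames over one second."""
    records = []
    for i in range(11):
        src = "198.51.100.7" if i < 9 else "203.0.113.9"
        records.append((1_000_000_000 + i * 100_000, ipv4_udp_frame(src, "203.0.113.10", 100)))
    return build_pcap(records)

if __name__ == "__main__":
    print(summarize_pcap(sample_capture()))
```

Run it against the file downloaded from the Event Center instead of `sample_capture()` to see which sources dominate the attack window; the rate figures let you compare the observed peak against your asset's blackhole threshold.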
Automatic blackhole removal time
By default, a blackhole is automatically removed after 2.5 hours. However, the actual duration can range from 30 minutes to 24 hours, or even longer in rare cases, depending on the frequency of attacks against the asset. The following factors primarily affect the duration:
Attack continuity: If an attack persists, the blackhole duration is extended. The removal timer restarts from the moment of extension.
Attack frequency: For a first-time attack on an asset, the blackhole duration is automatically shortened. Conversely, for frequently attacked assets, the duration is extended because they are considered high-risk targets.
For assets that are frequently blackholed, Alibaba Cloud reserves the right to extend the blackhole duration and lower the blackhole threshold. The actual removal time is specified in the security event notification.
How to remove a blackhole
During a blackhole period, Alibaba Cloud continuously monitors the DDoS attack. After the attack subsides, the blackhole is automatically removed, and internet access to the asset is restored. If you need to restore your service urgently while the asset is blackholed, you can purchase a commercial DDoS protection product, which lets you manually remove the blackhole.
Without a commercial DDoS protection product
Manual removal is not supported. You must wait for the blackhole duration to expire for automatic service restoration. If you need to urgently restore your service or access files on a server, see How to quickly restore services after an ECS instance is blackholed.
Frequently changing or releasing the public IPs of attacked assets, such as ECS, EIP, SLB, or Simple Application Server instances, can negatively impact other tenants and may lead to platform-level restrictions.
After you change an asset's public IP or move your service to a new server, attackers can still discover the new IP by using methods such as pinging your domain. To resolve the root cause, you must purchase Anti-DDoS Native or Anti-DDoS Proxy.
With a commercial DDoS protection product
You can either wait for the blackhole to be automatically removed or remove it manually. Manual removal does not defend against the DDoS attack; it only buys you time to deploy a defense plan. If the DDoS attack is still active after you manually remove a blackhole, your asset may be blackholed again.
DDoS protection product | Manual removal method | Description |
Anti-DDoS Native | | A limited number of manual removals are available each month. The number is typically no less than the number of protected IPs in your plan. |
Anti-DDoS Proxy (Chinese Mainland) | | |
Anti-DDoS Proxy (Outside Chinese Mainland) | Manual removal is not required. | Unlike Anti-DDoS Proxy (Chinese Mainland) instances, which have fixed protection bandwidth, Anti-DDoS Proxy (Outside Chinese Mainland) instances provide advanced, elastic protection with no upper limit. Manual removal is typically not necessary. |
How to select a DDoS protection product
Anti-DDoS Native: This security product directly enhances the DDoS mitigation capabilities of your Alibaba Cloud assets. It is easy to deploy and requires no changes to your network architecture. There are no limits on the number of Layer 4 ports or Layer 7 domains. To enable protection, simply associate your cloud asset's IP with an Anti-DDoS Native instance.
Anti-DDoS Proxy: This proxy-based DDoS protection service from Alibaba Cloud defends against both volumetric and resource-exhaustion DDoS attacks. It can protect servers hosted on Alibaba Cloud, on-premises, or in other clouds. After you integrate your service with Anti-DDoS Proxy, it redirects attack traffic to scrubbing centers by using DNS resolution. The scrubbing centers then forward only clean traffic to your origin server.
For detailed selection guidance and billing information, see Select a DDoS protection product, Anti-DDoS Native billing, and Anti-DDoS Proxy billing.