
Anti-DDoS: Blackhole filtering policy of Alibaba Cloud

Last Updated: Apr 03, 2024

If volumetric DDoS attacks occur on an Alibaba Cloud asset and the volume of the DDoS attacks exceeds the mitigation capability provided for the asset, blackhole filtering is triggered to temporarily block all Internet traffic that is destined for the asset. This helps protect the asset against subsequent attacks and protect other assets from being adversely affected by the asset. This topic describes how to prevent and handle blackhole filtering.

How do I prevent blackhole filtering from being triggered?

A higher mitigation capability reduces the possibility of blackhole filtering. To prevent blackhole filtering from being triggered, you must increase the mitigation capability (blackhole filtering threshold) for your asset.

You can use one of the following methods to increase the mitigation capability for your asset.

Solution: Anti-DDoS Basic

Description: Anti-DDoS Basic provides a basic mitigation capability from 500 Mbit/s to 5 Gbit/s against DDoS attacks for some Alibaba Cloud assets free of charge. The basic mitigation capability for assets varies based on the specifications of the assets and the regions to which the assets belong. For more information, see View the thresholds that trigger blackhole filtering in Anti-DDoS Basic.

Important: If the service traffic of your asset exceeds the blackhole filtering threshold, we recommend that you upgrade your asset at the earliest opportunity. If you do not upgrade your asset at the earliest opportunity, the service traffic of your asset may be identified as unusual traffic and may trigger blackhole filtering.

Alibaba Cloud provides burstable mitigation capabilities for your asset. This is an improvement over the basic protection capability that is provided free of charge. The amount of the provided burstable mitigation capabilities varies based on several factors. The factors include the network capacity of Alibaba Cloud, available resources, attacks that your asset experienced, and security credit score.

Solution: Deploy an Anti-DDoS Origin instance

Description:

  • Purchase an Anti-DDoS Origin instance to enable best-effort protection without the need to change your service IP address.

  • Purchase an Anti-DDoS Proxy instance and switch your service traffic to the IP address of the instance. This way, you can obtain up to Tbit/s of mitigation capabilities. Anti-DDoS Proxy provides a committed mitigation capability and defense effect.

For more information, see Scenario-specific anti-DDoS solutions.

How do I deactivate blackhole filtering?

During blackhole filtering, Alibaba Cloud continuously monitors the status of DDoS attacks. After the DDoS attacks stop for a period of time, Alibaba Cloud automatically deactivates blackhole filtering for the asset. Then, the asset can be accessed over the Internet. If you want to recover your service during blackhole filtering, you can manually deactivate blackhole filtering for your asset that is protected by an Anti-DDoS Origin instance.

Wait for Alibaba Cloud to automatically deactivate blackhole filtering

Alibaba Cloud monitors the status of DDoS attacks on your asset and automatically deactivates blackhole filtering for your asset after the DDoS attacks stop for a period of time. Then, the asset can be accessed over the Internet.

To view the time when blackhole filtering is automatically deactivated for your asset, log on to the Traffic Security console and go to the Assets page.

By default, Alibaba Cloud automatically deactivates blackhole filtering 2.5 hours after the DDoS attacks stop. In actual scenarios, Alibaba Cloud automatically deactivates blackhole filtering 30 minutes to 24 hours after the DDoS attacks stop. The period of time varies based on the frequency at which your asset is attacked. In rare cases, the period of time exceeds 24 hours. The blackhole filtering duration changes based on the following factors:

  • The duration of attacks. If attacks continue for a long time, the duration of blackhole filtering is extended.

  • The frequency of attacks. If an asset experiences attacks for the first time, the duration of blackhole filtering automatically decreases. If an asset experiences frequent attacks, the asset is likely to encounter continuous attacks, and the duration of blackhole filtering is automatically extended.

Note

If blackhole filtering is frequently triggered for an asset, Alibaba Cloud reserves the right to further extend the duration of blackhole filtering and lower the threshold to trigger blackhole filtering for the asset. You can view the actual duration and threshold of blackhole filtering in the console.

Manually deactivate blackhole filtering

Manually deactivating blackhole filtering gives you a specific period of time in which to deploy a mitigation plan. However, manual deactivation does not mitigate DDoS attacks. After you manually deactivate blackhole filtering, blackhole filtering may be triggered again if the DDoS attacks do not stop.

The following table describes the methods to deactivate blackhole filtering in different Anti-DDoS services.

Anti-DDoS

Method to deactivate blackhole filtering

Description

Anti-DDoS Basic

You cannot manually deactivate blackhole filtering for your asset that is protected by an Anti-DDoS Basic instance.

Warning

If you change the public IP address of your asset, such as your Elastic Compute Service (ECS) instance, Server Load Balancer (SLB) instance, simple application server, or elastic IP address (EIP), or release your asset frequently, cloud tenants as a whole may be affected and restrictions may be triggered.

None.

Anti-DDoS Origin

You can deactivate blackhole filtering for your asset that is protected by an Anti-DDoS Origin instance for a specific number of times per month. The number of times is greater than or equal to the number of the IP addresses that can be protected by the instance.

Anti-DDoS Proxy (Chinese Mainland)

  • After blackhole filtering is triggered, you must wait for at least 2 minutes before you can deactivate the blackhole filtering.

  • You can deactivate blackhole filtering for your asset that is protected by an Anti-DDoS Proxy (Chinese Mainland) instance up to five times per day.

Anti-DDoS Proxy (Outside Chinese Mainland)

You cannot manually deactivate blackhole filtering for your asset that is protected by an Anti-DDoS Proxy (Outside Chinese Mainland) instance.

None.
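The per-service limits in the table above, expressed as a pre-check that an on-call runbook could run before attempting a manual deactivation. This is an added example, not Alibaba Cloud code; the service keys, the BlackholeEvent type, and the calendar-day and calendar-month reading of the limits are assumptions, and the Anti-DDoS Origin quota is supplied by the operator because the page gives only a lower bound.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Rules transcribed from the table above; service keys are names chosen for this example.
MANUAL_UNBLOCK_UNSUPPORTED = {"basic", "proxy_outside_chinese_mainland"}
PROXY_CM_MIN_WAIT = timedelta(minutes=2)   # wait after blackhole filtering is triggered
PROXY_CM_DAILY_LIMIT = 5                   # manual deactivations per day


@dataclass
class BlackholeEvent:
    service: str                  # "basic", "origin", "proxy_chinese_mainland", ...
    triggered_at: datetime
    past_unblocks: list = field(default_factory=list)  # datetimes of earlier manual deactivations
    origin_monthly_quota: int = 0  # operator-supplied; the page only states a lower bound


def can_unblock(ev, now):
    """Return (allowed, reason, earliest_time_or_None) for a manual deactivation at `now`."""
    if ev.service in MANUAL_UNBLOCK_UNSUPPORTED:
        return False, "manual deactivation not available; wait for automatic release", None
    if ev.service == "proxy_chinese_mainland":
        # Assumption: "per day" means the calendar day of `now`.
        used = sum(1 for t in ev.past_unblocks if t.date() == now.date())
        if used >= PROXY_CM_DAILY_LIMIT:
            return False, "daily limit of 5 reached", None
        earliest = ev.triggered_at + PROXY_CM_MIN_WAIT
        if now < earliest:
            return False, "2-minute wait not elapsed", earliest
        return True, f"{PROXY_CM_DAILY_LIMIT - used} left today", now
    if ev.service == "origin":
        # Assumption: "per month" means the calendar month of `now`.
        used = sum(1 for t in ev.past_unblocks
                   if (t.year, t.month) == (now.year, now.month))
        if used >= ev.origin_monthly_quota:
            return False, "monthly quota exhausted", None
        return True, f"{ev.origin_monthly_quota - used} left this month", now
    raise ValueError(f"unknown service: {ev.service}")
```

A positive result only means the documented limits allow the request; blackhole filtering may be triggered again if the attack has not stopped.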
