edit-icon download-icon

ECS cleaning, black hole, and threshold value

Last Updated: Feb 11, 2018

By default, Anti-DDoS Basic is activated, once the ECS instance is created. This service includes flow cleaning and black hole triggering.

Flow cleaning

The flow cleaning service consists of three units: detecting center, cleaning center, and centralized management center.

The detecting center monitors data traffic flowing into the ECS instance, and identifies abnormal traffic in a timely manner, such as DDoS attack. When an abnormity is detected, the management center guides the cleaning center to clean suspicious traffic based on the traffic diversion policy. Malicious traffic is removed, while legitimate traffic is returned to the original instance. This guarantees that only the legitimate traffic is forwarded to the target system.

Black hole triggering

When the attack traffic exceeds the default traffic threshold, the black hole triggering service automatically triggers a black hole. The threshold varies from regions and CPU configurations. For more information about default settings of different regions, see Anti-DDoS Basic black hole threshold.

The black hole causes traffic to be restricted for a period of time (2.5 hours by default), depending on attack status. Meanwhile, the flow cleaning service comes into effect.

The black hole duration keeps extending, if the attack continues. In addition, the black hole state cannot be manually deactivated. You must patiently wait for the system to auto unban the server.

To meet your urgent requirements for service recovery, you can use Alibaba Cloud Anti-DDoS Pro. Anti-DDoS Pro is a value-added, paid service, applicable when services are unavailable after a heavy DDoS attack. You can redirect attack traffic to the Anti-DDoS Pro IP address to guarantee stability and reliability of the source instance.

Thank you! We've received your feedback.