If DDoS attacks occur on an Alibaba Cloud service and the volume of the DDoS attack traffic exceeds the threshold to trigger blackhole filtering, blackhole filtering is triggered. In this case, all inbound traffic that is destined for the cloud service is dropped and the related business becomes inaccessible. This topic describes how to view information about blackhole filtering events.
Background information
The basic DDoS mitigation capability from 500 Mbit/s to 5 Gbit/s is provided for specific Alibaba Cloud services free of charge. If the peak attack bandwidth of DDoS attacks exceeds the mitigation capability provided for your cloud service, blackhole filtering is triggered. Blackhole filtering is used to block all inbound traffic that is destined for a cloud service. This helps protect the cloud service against subsequent attacks and protect other cloud services from being adversely affected by the cloud service. For more information, see Blackhole filtering policy of Alibaba Cloud
If only basic DDoS mitigation capability is provided for your cloud service, you cannot manually deactivate blackhole filtering that is triggered for the cloud service. You can only wait for the blackhole filtering to be automatically deactivated. For more information, see View the duration of a blackhole.
For more information about the blackhole triggering thresholds of cloud services, see View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic and Blackhole filtering thresholds and blackhole filtering duration in Cloud Web Hosting.
Usage notes
If your asset uses an IPv4 address, you can view information about blackhole filtering events of the asset only within seven days after the events are generated. If your asset uses an IPv6 address, you can view information about blackhole filtering events of the asset only within 3 hours after the events are generated. If the information that you want to view is not within the preceding time ranges, the View Details button is dimmed and you cannot view the information.
If your asset is an Anycast EIP, the View Details button is dimmed and you cannot view information about the blackhole filtering events.
If your asset is released, the message You cannot view traffic details because the asset is removed from the current account. appears and you cannot view the information about blackhole filtering events.
You can click Download in the upper-right corner of the Event Center page to download the evidence of DDoS attacks.
Procedure
Log on to the Traffic Security console.
In the left-side navigation pane, click Event Center.
Enter the IP address of the asset, set the event type to Blackhole Filtering, select a time range, and then click Search to view information about blackhole filtering events.
Optional. Click View Details in the Actions column to view the trend charts of Traffic and Inbound Traffic (pps).
References
Anti-DDoS Origin Basic provides limited mitigation capability against DDoS attacks free of charge. To prevent impacts on your business, we recommend that you use an Anti-DDoS paid edition. For more information, see Scenario-specific anti-DDoS solutions.
You can transfer files from an Elastic Compute Service (ECS) instance on which blackhole filtering is triggered to another normal ECS instance or modify configuration files on this ECS instance. For more information, see Connect to an ECS instance for which blackhole filtering is triggered.