If a Web Application Firewall (WAF) instance is under a DDoS attack, blackhole filtering may be triggered for the instance. This topic describes the impact of blackhole filtering and how to respond.

Impact

If a WAF instance is under a DDoS attack and the peak attack traffic exceeds the free DDoS mitigation capability provided with the instance, blackhole filtering is triggered for the instance. All traffic destined for the default exclusive IP address of the WAF instance is then routed to a null destination (an IP address that does not exist). When this happens, a notification is displayed on the Overview page of the WAF console.

While blackhole filtering is in effect, all traffic sent to the WAF instance is discarded, legitimate traffic and attack traffic alike. As a result, every domain name added to the WAF instance is inaccessible for the duration of blackhole filtering.

Methods to deactivate blackhole filtering and mitigate DDoS attacks

Blackhole filtering is automatically deactivated after a set period. By default, it is deactivated 150 minutes after it is triggered. The traffic threshold that triggers blackhole filtering for the WAF instance is the same as the default threshold at which Alibaba Cloud triggers blackhole filtering for Elastic Compute Service (ECS) instances in the same region. For more information about blackhole filtering policies, see Blackhole filtering policy of Alibaba Cloud.
Note By default, each WAF instance has one exclusive IP address, which all of its domain names share. If blackhole filtering is triggered for this default exclusive IP address, all the domain names added to the WAF instance become inaccessible, including those that are not under attack. To prevent an important domain name from being affected by DDoS attacks on other domain names that are protected by the same WAF instance, we recommend that you purchase a separate exclusive IP address for the important domain name so that it is served from an IP address of its own. For more information, see Exclusive IP addresses.

To mitigate DDoS attacks, we recommend that you use Anti-DDoS Pro or Anti-DDoS Premium to protect your domain name. If you have deployed WAF together with Anti-DDoS Pro or Anti-DDoS Premium and blackhole filtering is still triggered for WAF, submit a ticket to contact the after-sales team.

FAQ about WAF for which blackhole filtering is triggered

  • Blackhole filtering is triggered for my WAF instance. Can it be immediately deactivated?
    No. Blackhole filtering cannot be deactivated immediately after it is triggered. Blackhole filtering is a service that Alibaba Cloud purchases from Internet service providers (ISPs), and the ISPs impose strict limits on how soon and how often it can be deactivated. Therefore, you cannot deactivate blackhole filtering manually. You must wait until it is deactivated automatically.
    Note Even if blackhole filtering could be deactivated immediately, it would be triggered again as long as the WAF instance is still under DDoS attack.
  • Multiple domain names are added to my WAF instance. How do I check which domain name is under attack?

    Attackers resolve a domain name that is added to WAF to obtain the IP address of the WAF instance and then launch DDoS attacks against that IP address. Because the attack targets the default exclusive IP address of the WAF instance, and Layer 4 attack traffic carries no domain name, you cannot determine which domain name is under attack from the attack traffic itself.

    You can, in principle, identify the attacked domain name by changing DNS records: resolve some of the domain names to WAF and the rest to other services, such as ECS, Alibaba Cloud CDN, or Server Load Balancer (SLB), and wait for the current blackhole period to end. If blackhole filtering is not triggered again, the attacked domain name is among those that you moved to the other services; if it is triggered again, the attacked domain name is among those still resolving to WAF. Repeating this narrows the set down to a single domain name. However, the method is slow and complicated, and every domain name that you move off WAF exposes assets such as the IP address of its origin server on the Internet, which can lead to more serious security issues. We therefore recommend that you do not use this method to determine the attacked domain name.

  • Blackhole filtering is triggered for my WAF instance. Can I prevent this issue by changing the IP address of my WAF instance?

    No. Changing the IP address does not prevent blackhole filtering. Attackers who target your domain name simply resolve it again (for example, by pinging it or running a DNS lookup) to obtain the new IP address of your WAF instance.

  • What is the difference between DDoS attacks and HTTP flood attacks? Why is WAF unable to defend against DDoS attacks?

    The DDoS attacks discussed here are volumetric attacks at Layer 4 (the transport layer). HTTP flood attacks are Layer 7 (application layer) attacks that send large numbers of HTTP GET or POST requests. WAF inspects individual HTTP requests and can therefore defend against HTTP flood attacks. To defend against a volumetric DDoS attack, WAF would first have to receive the entire attack volume before it could scrub the traffic, and a WAF instance does not have the bandwidth to do so. For this reason, we recommend that you use Anti-DDoS Pro or Anti-DDoS Premium to defend against DDoS attacks.
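The DNS bisection described in the question above about locating the attacked domain name, as an added Python simulation (not Alibaba Cloud code and not a console feature): it assumes a single attacked domain name whose attack persists across rounds, models the observation "is blackhole filtering triggered again after the current period ends?" as a constructed oracle function, and records every domain name that has to be resolved away from WAF (and whose origin is therefore exposed) along the way. It makes the page's caveat concrete: the search needs about log2(N) rounds, each of which can only be read after one blackhole period (150 minutes by default) has elapsed, and in the worst case every domain name but one ends up exposed.

```python
"""Simulation of the DNS bisection method for locating the attacked domain.

Added illustration only; not Alibaba Cloud code. The oracle below stands in
for the real-world observation "is blackhole filtering triggered again after
the current period ends?", which costs at least one blackhole period
(150 minutes by default) plus DNS TTL expiry per round.
"""

BLACKHOLE_MINUTES = 150  # default deactivation period stated on the page


def locate_attacked_domain(domains, blackhole_triggered):
    """Binary search for the single attacked domain name.

    domains: domain names currently resolving to the WAF instance.
    blackhole_triggered(on_waf): oracle returning True if blackhole filtering
        is (re)triggered while exactly the names in `on_waf` resolve to WAF
        and all other names resolve to some other service (ECS, CDN, SLB).

    Returns (attacked_domain, rounds, exposed), where `exposed` is the set of
    domain names that had to be pointed away from WAF during the search,
    i.e. whose origin addresses were reachable from the Internet.
    Assumes exactly one attacked domain whose attack persists across rounds.
    """
    candidates = list(domains)
    exposed = set()
    rounds = 0
    while len(candidates) > 1:
        half = len(candidates) // 2
        keep_on_waf, move_away = candidates[:half], candidates[half:]
        exposed.update(move_away)  # these origins are now exposed
        rounds += 1                # one blackhole period to observe
        if blackhole_triggered(keep_on_waf):
            # Still blackholed with only keep_on_waf behind WAF: target is there.
            candidates = keep_on_waf
        else:
            # Blackhole cleared: the target is among the names moved away.
            candidates = move_away
    return candidates[0], rounds, exposed


def minimum_wall_clock_minutes(rounds):
    """Lower bound on elapsed time: one full blackhole period per round."""
    return rounds * BLACKHOLE_MINUTES


def make_oracle(attacked_domain):
    """Constructed oracle: blackhole filtering is triggered exactly when the
    attacked domain is still among the names resolving to WAF."""
    def blackhole_triggered(on_waf):
        return attacked_domain in on_waf
    return blackhole_triggered


if __name__ == "__main__":
    # Constructed sample data, not real domain names or attack records.
    domains = [f"site{i}.example.com" for i in range(8)]
    target, rounds, exposed = locate_attacked_domain(
        domains, make_oracle("site5.example.com"))
    print(f"attacked: {target}, rounds: {rounds} "
          f"(>= {minimum_wall_clock_minutes(rounds)} min), "
          f"exposed: {sorted(exposed)}")
```

With eight domain names the search takes three rounds, so at least 450 minutes with the default blackhole period, and four of the eight origins are exposed in the sample run; if the attacked name happens to stay in the half kept on WAF every round, the other seven are all exposed. In production, the oracle cannot be called at will: each round is a real DNS change and a real outage window, which is why the page advises against the method and points to a separate exclusive IP address or Anti-DDoS instead.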