
How to fix WAF black holes?

Last Updated: Jan 30, 2018

What is a black hole

When a Web Application Firewall (WAF) instance suffers a heavy-traffic DDoS attack that exceeds the free protection capability of Anti-DDoS Basic, the WAF IP address is thrown into a black hole.

After a WAF IP address is thrown into the black hole, all traffic that flows through WAF (normal access and attack traffic alike) is blocked. During the black hole period you therefore cannot access any of the domain names protected by that WAF instance.

Note: If a site is thrown into a black hole, it can only be recovered after the black hole period is over. The default black hole period lasts for 150 minutes. The WAF black hole threshold is the same as the default threshold of the region where the ECS is located.

For more information about black hole and black hole policies, see Alibaba Cloud black hole policies.

How to avoid a black hole

By default, each WAF instance allocates one exclusive IP address to you. Once this WAF IP address is thrown into the black hole, none of the domain names protected by this WAF instance can be accessed during the black hole period. To avoid this, you can purchase an additional Exclusive IP address for an important domain name; that domain name is then unaffected when other domain names on the instance come under DDoS attack.

Note: The best solution to heavy-traffic DDoS attacks is to use Anti-DDoS Pro to protect your domain names.

WAF black hole FAQ

My WAF is thrown into a black hole. Can you recover it immediately?

The black hole is a service that Alibaba Cloud purchases from the network operator, and the operator imposes strict restrictions on how often and for how long a black hole may be triggered. Therefore, the black hole state cannot be deactivated manually; you have to wait for the system to release the IP address automatically.

In fact, even if the black hole were lifted immediately, it would be triggered again if the WAF were still under a heavy-traffic DDoS attack.

How do I know the specific domain name that is under attack when the WAF is configured with multiple domain names?

Generally, the attacker resolves a WAF-protected domain name to obtain the WAF instance's IP address, and then starts the DDoS attack against that IP address. Heavy-traffic DDoS attacks target the WAF IP address itself, so the domain name under attack cannot be identified from the traffic.

However, you can use the domain name split method to find the domain name that is under attack. For example, you can resolve some of the domain names to WAF and the rest to other places (the ECS origin, CDN, or SLB). If the WAF is no longer in the black hole, the attacker's target lies among the domain names that were resolved elsewhere. Note that this operation is relatively complex and may expose the origin server and other assets, which can lead to a greater security issue. Unless necessary, do not use this method to find the domain name that is under attack.
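The split method above generalizes to a bisection over the set of protected domain names: each round keeps half of the still-suspect domains on WAF and observes whether the black hole persists. The helper below is an added example, not Alibaba Cloud's code; it assumes a single targeted domain, and the observe callback (here a simulation) stands in for the real check of whether the WAF IP is still black-holed after each DNS change. Every round moves domains off WAF, which is exactly the exposure the FAQ warns about, so the helper also returns the full list of rounds for review before anyone acts on it.

```python
"""Domain-split bisection helper (added example, not Alibaba Cloud's code).

Generalizes the FAQ's "domain name split" method: each round keeps half of the
still-suspect domains resolved to the WAF IP and moves the other half elsewhere
(ECS origin, CDN, SLB). If the WAF leaves the black hole, the target is in the
half that was moved off; otherwise it is in the half still on WAF.
Assumes exactly one domain is the attacker's target.
"""
from typing import Callable, Iterable, List, Set, Tuple

# One bisection round: (domains kept on WAF, domains moved off WAF, still black-holed?)
Round = Tuple[Tuple[str, ...], Tuple[str, ...], bool]


def split_plan(suspects: List[str]) -> Tuple[List[str], List[str]]:
    """Split the suspect list into the half kept on WAF and the half moved off WAF."""
    half = len(suspects) // 2
    return suspects[:half], suspects[half:]


def locate_targeted_domain(
    domains: Iterable[str], observe: Callable[[Set[str]], bool]
) -> Tuple[str, List[Round]]:
    """Bisect `domains` to find the one whose traffic keeps the WAF IP black-holed.

    `observe(on_waf)` must return True if the WAF is still black-holed while exactly
    the domains in `on_waf` resolve to the WAF IP (in practice this means waiting
    out the current black hole period before reading the state).
    Returns (targeted_domain, rounds) so the DNS changes made can be audited.
    """
    suspects = sorted(set(domains))
    rounds: List[Round] = []
    while len(suspects) > 1:
        keep, move = split_plan(suspects)
        still_black_holed = observe(set(keep))
        rounds.append((tuple(keep), tuple(move), still_black_holed))
        # Black hole persists -> target is still on WAF; otherwise it moved off.
        suspects = keep if still_black_holed else move
    return suspects[0], rounds


def simulated_observer(hidden_target: str) -> Callable[[Set[str]], bool]:
    """Constructed stand-in for the real observation: black-holed iff target is on WAF."""
    return lambda on_waf: hidden_target in on_waf


# Constructed sample inventory of domains protected by one WAF instance.
SAMPLE_DOMAINS = [
    "www.example.com", "api.example.com", "shop.example.com",
    "blog.example.com", "cdn.example.com", "mail.example.com",
]

if __name__ == "__main__":
    target, rounds = locate_targeted_domain(SAMPLE_DOMAINS, simulated_observer("shop.example.com"))
    for i, (keep, move, blackholed) in enumerate(rounds, 1):
        print(f"round {i}: on WAF={keep} moved off={move} still black-holed={blackholed}")
    print("targeted domain:", target)
```

With six domains the search needs at most three rounds, and each round costs at least one black hole period of waiting, which is one reason the FAQ recommends an Exclusive IP for important domain names instead.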

Can you help change the WAF IP address so that my WAF is not thrown into the black hole?

Changing the WAF IP address does not resolve the problem. An attacker can obtain your new IP address simply by resolving your domain name (for example, by pinging it) and can then start another DDoS attack, so changing your IP address is of little help.

Is there any difference between a DDoS attack and an HTTP flood attack? Why can't WAF defend against DDoS attacks?

Heavy-traffic DDoS attacks are layer 4 attacks against IP addresses, whereas HTTP flood attacks are layer 7 attacks (for example, HTTP GET/POST floods).

WAF can defend against HTTP flood attacks. Defending against heavy-traffic DDoS attacks, however, requires enough bandwidth to absorb all of the traffic and scrub it, so for those attacks you can only count on protection from Anti-DDoS Pro.
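The layer 4 versus layer 7 distinction is what makes HTTP floods detectable at the WAF: each request appears as a line in the access log, so a per-client rate can be computed and enforced, while volumetric layer 4 traffic never becomes an HTTP request at all. The detector below is an added example, not WAF's own logic; the log lines are constructed, and the 10-second window and 20-request threshold are assumptions chosen for illustration.

```python
"""Layer-7 HTTP flood detection over access-log lines (added example, not the
page's or Alibaba Cloud's code). Counts requests per client IP in a sliding
time window and reports sources that exceed a threshold. Log lines are
constructed; window size and threshold are assumed values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional

# Combined-log-format style line: ip - - [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_flooders(lines: Iterable[str], window_seconds: int = 10,
                  max_requests: int = 20) -> Dict[str, int]:
    """Return {ip: peak_requests_in_window} for clients exceeding max_requests.

    Lines must be in time order. For each client a deque holds the timestamps
    of requests inside the trailing window; older entries are evicted as time
    advances, so memory per client is bounded by the window, not the log size.
    """
    windows: Dict[str, deque] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the detector
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        cutoff = rec["ts"] - timedelta(seconds=window_seconds)
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) > max_requests:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def make_line(ip: str, ts: datetime, path: str) -> str:
    """Build a constructed access-log line for the sample data below."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


# Constructed sample log: one flooding client (30 requests in 6 seconds) and
# one normal client (5 requests spread over 40 seconds). Addresses are from
# documentation ranges.
_T0 = datetime(2018, 1, 30, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [make_line("198.51.100.7", _T0 + timedelta(milliseconds=200 * i), "/login")
              for i in range(30)]
SAMPLE_LOG += [make_line("203.0.113.5", _T0 + timedelta(seconds=8 * i), "/index.html")
               for i in range(5)]
SAMPLE_LOG.sort(key=lambda l: parse_line(l)["ts"])

if __name__ == "__main__":
    for ip, peak in find_flooders(SAMPLE_LOG).items():
        print(f"HTTP flood suspect {ip}: {peak} requests in a 10 s window")
```

The same loop cannot say anything about a layer 4 attack, because packets that saturate the link are dropped or never parsed as HTTP; that is the gap Anti-DDoS Pro covers upstream of the WAF.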
