If volumetric DDoS attacks occur on an Alibaba Cloud asset and the volume of the DDoS attacks exceeds the mitigation capability provided for the asset, blackhole filtering is triggered to temporarily block all Internet traffic that is destined for the asset. This helps protect the asset against subsequent attacks and protect other assets from being adversely affected by the asset. This topic describes how to prevent and handle blackhole filtering.
Basic mitigation capability provided by Anti-DDoS Basic
Anti-DDoS Basic provides a basic mitigation capability from 500 Mbit/s to 5 Gbit/s against DDoS attacks for some Alibaba Cloud assets that are assigned public IP addresses. The capability is provided free of charge. In the following sections, Alibaba Cloud assets that are assigned public IP addresses are referred to as assets. The basic mitigation capability varies based on the region and specifications of an asset. For more information, see View the thresholds that trigger blackhole filtering in Anti-DDoS Basic and Configure traffic scrubbing thresholds.
If the service traffic of your asset exceeds the blackhole filtering threshold, we recommend that you upgrade your asset at the earliest opportunity. If you do not upgrade your asset at the earliest opportunity, the service traffic of your asset may be identified as unusual traffic and may trigger blackhole filtering.
A higher mitigation capability reduces the possibility of blackhole filtering. To prevent blackhole filtering from being triggered, you must increase the mitigation capability (blackhole filtering threshold) for your asset.
View the status and traffic of an asset
Log on to the Traffic Security console.
In the upper-left corner of the Assets page, select the region where your asset resides and click the corresponding tab.
In the asset list, check whether Under blackhole is displayed in the IP Status column for your asset.
On the Event Center page, view the blackhole filtering or traffic scrubbing event for your asset. You can also click View Details to view the inbound traffic in bit/s and packets per second (pps).
Estimate the time when blackhole filtering is automatically deactivated
By default, Alibaba Cloud automatically deactivates blackhole filtering 2.5 hours after the DDoS attacks stop. In actual scenarios, Alibaba Cloud automatically deactivates blackhole filtering 30 minutes to 24 hours after the DDoS attacks stop. The period of time varies based on the frequency at which your asset is attacked. In rare cases, the period of time exceeds 24 hours. The blackhole filtering duration changes based on the following factors:
The duration of attacks. If attacks continue for a long time, the duration of blackhole filtering is extended.
The frequency of attacks. If an asset experiences attacks for the first time, the duration of blackhole filtering automatically decreases. If an asset experiences frequent attacks, the asset is likely to encounter continuous attacks, and the duration of blackhole filtering is automatically extended.
If blackhole filtering is frequently triggered for an asset, Alibaba Cloud reserves the right to further extend the duration of blackhole filtering and lower the threshold to trigger blackhole filtering for the asset. You can view the actual duration and threshold of blackhole filtering in the console.
View the time when an asset was last attacked.
Log on to the Traffic Security console. On the Event Center page, find the asset that you want to manage and view the time when the asset was last attacked.
Note: If an asset receives multiple DDoS attacks, the duration of blackhole filtering is calculated after the last DDoS attack stops.
View the duration of blackhole filtering.
On the Assets page, view the duration of blackhole filtering for the asset.
Estimate the time when blackhole filtering is automatically deactivated.
For example, the asset was attacked at 12:30, and the duration of blackhole filtering is 150 minutes. In this case, blackhole filtering is expected to be deactivated at 15:00.
Note: The estimated time is provided for reference only. If your asset receives continuous DDoS attacks, the duration of blackhole filtering may be longer.
How to deactivate blackhole filtering
During blackhole filtering, Alibaba Cloud continuously monitors the status of DDoS attacks. After the DDoS attacks stop for a period of time, Alibaba Cloud automatically deactivates blackhole filtering for your asset. Then, your asset can be accessed over the Internet. If you want to restore your service during blackhole filtering, you can manually deactivate blackhole filtering for your asset that is protected by an Anti-DDoS instance of a paid edition.
Anti-DDoS instance of a paid edition not purchased
You cannot manually deactivate blackhole filtering for your asset. If you want to restore your service or log on to your server to obtain files during blackhole filtering, refer to the instructions provided in Restore workloads of an ECS instance on which blackhole filtering is triggered.
If you change the public IP address of your asset, such as your Elastic Compute Service (ECS) instance, Server Load Balancer (SLB) instance, simple application server, or elastic IP address (EIP), or release your asset frequently, cloud tenants as a whole may be affected, and restrictions may be triggered.
After you change the public IP address of your asset or change your server, attackers can still obtain the new IP address by pinging the domain name and launch attacks again. To resolve the preceding issue, we recommend that you purchase Anti-DDoS Origin or Anti-DDoS Proxy.
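The exposure described above can be checked from the defender's side: if any hostname in your DNS zone still resolves to the origin, a new IP address is found as easily as the old one. The following is an added example, not Alibaba Cloud code; the zone records, the origin IP address, and the proxy CNAME suffix `ddos-proxy.example.net` are constructed placeholders.

```python
import ipaddress

# Constructed zone export (hostname, type, value); documentation-range addresses.
SAMPLE_RECORDS = [
    ("www.example.com", "CNAME", "abc123.ddos-proxy.example.net"),
    ("example.com", "A", "203.0.113.10"),
    ("old.example.com", "CNAME", "example.com"),
    ("mail.example.com", "A", "203.0.113.10"),
    ("static.example.com", "A", "198.51.100.7"),
    ("shop.example.com", "CNAME", "www.example.com"),
]


def classify_records(records, origin_ips, proxy_suffix):
    """Map each hostname to 'exposed', 'proxied' or 'other'."""
    origins = {ipaddress.ip_address(ip) for ip in origin_ips}
    status, cnames = {}, {}
    for name, rtype, value in records:
        name, value = name.lower().rstrip("."), value.lower().rstrip(".")
        if rtype in ("A", "AAAA"):
            hit = ipaddress.ip_address(value) in origins
            # One address record pointing at the origin is enough to leak it.
            if hit or name not in status:
                status[name] = "exposed" if hit else "other"
        elif rtype == "CNAME":
            cnames[name] = value
    for name in cnames:
        target, seen = cnames[name], {name}
        # Follow in-zone CNAME chains; stop if a loop is detected.
        while target in cnames and target not in seen:
            seen.add(target)
            target = cnames[target]
        if target == proxy_suffix or target.endswith("." + proxy_suffix):
            status[name] = "proxied"
        else:
            # An alias inherits the status of the name it finally points to.
            status[name] = status.get(target, "other")
    return status


def exposed_hosts(records, origin_ips, proxy_suffix):
    """Return the sorted hostnames that resolve to an origin IP address."""
    result = classify_records(records, origin_ips, proxy_suffix)
    return sorted(host for host, state in result.items() if state == "exposed")


if __name__ == "__main__":
    print(exposed_hosts(SAMPLE_RECORDS, ["203.0.113.10"], "ddos-proxy.example.net"))
```

In the constructed zone, the apex record, the mail host, and an old alias still point at the origin even though `www` is behind the proxy.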
Anti-DDoS instance of a paid edition purchased
You can wait for Alibaba Cloud to automatically deactivate blackhole filtering after the duration of blackhole filtering expires or manually deactivate blackhole filtering. If you manually deactivate blackhole filtering, you can deploy a mitigation plan within a specific period of time. However, DDoS attacks cannot be mitigated. After you manually deactivate blackhole filtering, blackhole filtering may be triggered again if the DDoS attacks do not stop.
| Anti-DDoS instance of a paid edition | Method to manually deactivate blackhole filtering | Description |
| --- | --- | --- |
| Anti-DDoS Origin | | You can deactivate blackhole filtering for your asset that is protected by an Anti-DDoS Origin instance for a specific number of times per month. The number of times is greater than or equal to the number of the IP addresses that can be protected by the instance. |
| Anti-DDoS Proxy (Chinese Mainland) | | |
| Anti-DDoS Proxy (Outside Chinese Mainland) | You do not need to manually deactivate blackhole filtering. | Unlike an Anti-DDoS Proxy (Chinese Mainland) instance, which has a fixed protection bandwidth, an Anti-DDoS Proxy (Outside Chinese Mainland) instance mitigates DDoS attacks with all the capabilities that are available. You do not need to manually deactivate blackhole filtering for an Anti-DDoS Proxy (Outside Chinese Mainland) instance. |
How to select an Anti-DDoS service
Anti-DDoS Origin: Anti-DDoS Origin is a security service that enhances mitigation against DDoS attacks for resources of Alibaba Cloud services. Anti-DDoS Origin directly protects the resources. You do not need to change the IP addresses of the resources that you want to protect or consider the limits on the number of Layer 4 ports or Layer 7 domain names. You only need to add the IP address of an asset to an Anti-DDoS Origin instance for protection.
Anti-DDoS Proxy: Anti-DDoS Proxy is a proxy-based service that is provided by Alibaba Cloud to mitigate volumetric and resource exhaustion DDoS attacks. Anti-DDoS Proxy can protect servers that are deployed on Alibaba Cloud, on third-party clouds, and in data centers. If volumetric DDoS attacks are launched against your service that is added to Anti-DDoS Proxy, Anti-DDoS Proxy uses DNS resolution to redirect traffic to the anti-DDoS scrubbing centers for scrubbing and forwards only service traffic to the origin server.
For more information about selection instructions and billing, see Scenario-specific anti-DDoS solutions, Billing description of Anti-DDoS Origin, and Billing description of Anti-DDoS Proxy.