If an asset that is assigned a public IP address comes under a volumetric DDoS attack after the asset is added to an Anti-DDoS Origin instance of a paid edition, blackhole filtering may still be triggered. To prevent extended service interruptions, you must deactivate blackhole filtering at the earliest opportunity. Anti-DDoS Origin paid editions provide a solution to configure alerts and automatically deactivate blackhole filtering.
Prerequisites
This solution requires you to call an API operation of Anti-DDoS Origin. Therefore, this solution is available only for Anti-DDoS Origin instances. Before you use this solution, make sure that your asset is added to an Anti-DDoS Origin instance. For more information, see Add an object for protection.
Background information
You can manually deactivate blackhole filtering for Anti-DDoS Origin instances in the Traffic Security console. For more information, see Deactivate blackhole filtering. However, manual deactivation may result in delays and unexpected errors. If your service requires a high level of stability and continuity, use the following method to configure alerts and automatically deactivate blackhole filtering:
Create an alert rule in the CloudMonitor console to monitor blackhole filtering that is triggered on an Anti-DDoS Origin instance of a paid edition.
Note: If blackhole filtering is triggered and detected on assets that are added to Anti-DDoS Origin paid editions, CloudMonitor sends messages about blackhole filtering. In other scenarios, no messages about blackhole filtering are sent.
Create a custom rule to automatically deactivate blackhole filtering on an Anti-DDoS Origin instance by calling the DeleteBlackhole operation. For more information, see DeleteBlackhole.
You can also create rules to automatically call an API operation of Alibaba Cloud DNS (DNS). The operation resolves your domain name to the IP address of an Anti-DDoS Pro or Anti-DDoS Premium instance during DDoS attacks.
Procedure
Log on to the CloudMonitor console.
In the left-side navigation pane, choose
On the Event Monitoring tab, click Save as Alert Rule. In the Create/Modify Event-triggered Alert Rule panel, create an alert rule for an Anti-DDoS Origin instance.
In the panel that appears, set Product Type to ddosbgp, Event Type to DDoS Attacks, Event Level to CRITICAL, and Event Name to ddosbgp_event_blackhole. Then, select a channel to which you want to push alert notifications based on your business requirements. For more information about other parameters, see Manage system event-triggered alert rules.
The event alert is created. When CloudMonitor detects that blackhole filtering is triggered on an asset that is added to the Anti-DDoS Origin instance, CloudMonitor generates an alert and pushes the following message by using the specified channels. Sample alert message:
{
    "action": "add", // The event status. The value add indicates that the event started, and the value del indicates that the event ended.
    "bps": 0, // The throughput when the event is triggered. Unit: Mbit/s.
    "pps": 0, // The packet rate when the event is triggered. Unit: packets per second (pps).
    "instanceId": "ddosbgp-cn-78v17******", // The ID of the Anti-DDoS Origin instance.
    "ip": "47.*.*.*", // The IP address of the asset on which the event is triggered.
    "regionId": "cn-hangzhou", // The ID of the region in which the Anti-DDoS Origin instance resides.
    "time": 1564104493000, // The time when the event begins. The value is a timestamp. Unit: milliseconds.
    "type": "blackhole" // The event type. The value defense indicates a traffic scrubbing event and the value blackhole indicates a blackhole filtering event.
}
Create a custom rule to automatically deactivate blackhole filtering by calling the DeleteBlackhole operation. For more information, see DeleteBlackhole.
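The following added example (not code from this documentation or from Alibaba Cloud) sketches the decision step of such a custom rule: it validates an alert message in the format shown above and returns the parameters to pass to DeleteBlackhole, or nothing if no call should be made. The function name, the instance allow-list, the sample values, and the request parameter names InstanceId, Ip, and RegionId are assumptions; confirm the parameter names in the DeleteBlackhole reference.

```python
import ipaddress
import json

# Constructed sample in the shape of the alert message above (comments removed,
# placeholder instance ID, documentation-range IP address).
SAMPLE_ALERT = json.dumps({
    "action": "add", "bps": 0, "pps": 0,
    "instanceId": "ddosbgp-cn-example0001", "ip": "203.0.113.10",
    "regionId": "cn-hangzhou", "time": 1564104493000, "type": "blackhole",
})

# Assumption: the instance IDs this automation is allowed to act on.
ALLOWED_INSTANCES = frozenset({"ddosbgp-cn-example0001"})


def plan_unblock(raw_message, allowed_instances=ALLOWED_INSTANCES, seen=None):
    """Return DeleteBlackhole request parameters for one alert, or None.

    `seen` is an optional set used to drop alerts that are delivered twice.
    """
    try:
        event = json.loads(raw_message)
    except (TypeError, ValueError):
        return None
    if not isinstance(event, dict):
        return None
    # Act only when blackhole filtering starts; ignore "del" and scrubbing events.
    if event.get("type") != "blackhole" or event.get("action") != "add":
        return None
    instance_id, ip, region = (event.get(k) for k in ("instanceId", "ip", "regionId"))
    started = event.get("time")
    if not all(isinstance(v, str) for v in (instance_id, ip, region)):
        return None
    if not isinstance(started, int):
        return None
    # Refuse alerts for instances outside the allow-list (forged or misrouted).
    if instance_id not in allowed_instances:
        return None
    try:
        ip = str(ipaddress.ip_address(ip))
    except ValueError:
        return None
    if seen is not None:
        if (instance_id, ip, started) in seen:
            return None
        seen.add((instance_id, ip, started))
    # Assumed DeleteBlackhole parameter names; check the API reference.
    return {"InstanceId": instance_id, "Ip": ip, "RegionId": region}
```

Pass the returned dictionary to whichever SDK or signed HTTP client you use to call DeleteBlackhole, and log every alert that is rejected so that unexpected senders are visible.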