Anti-DDoS: Deactivate blackhole filtering

Last Updated: May 23, 2024

You can manually deactivate blackhole filtering for an asset that is protected by an Anti-DDoS Origin paid edition and assigned a public IP address. This topic describes how to manually deactivate blackhole filtering.

Background information

Important

If you use Anti-DDoS Origin Basic that is provided free of charge, the basic DDoS mitigation capability is used. After blackhole filtering is triggered, you cannot manually deactivate blackhole filtering. You can only wait for the blackhole filtering to be automatically deactivated.

Blackhole filtering can be automatically or manually deactivated.

  • Automatic deactivation: You can view the time period to wait before blackhole filtering is automatically deactivated on the Assets page of the Traffic Security console. If the time period is acceptable, we recommend that you wait until blackhole filtering is automatically deactivated. For more information, see View the duration of blackhole filtering.

  • Manual deactivation: If you want to deactivate blackhole filtering at the earliest opportunity, you can manually deactivate blackhole filtering.

The following table describes the deactivation methods that are supported by different editions.

| Edition | Deactivation method | Quota on manually deactivating blackhole filtering |
| --- | --- | --- |
| Anti-DDoS Origin Basic | Automatic deactivation | None. |
| Anti-DDoS Origin 1.0 Enterprise | Automatic deactivation, manual deactivation | The quota on deactivating blackhole filtering per month is the same as the value of the IP Addresses parameter that you specified when you purchase an instance. The quota on deactivating blackhole filtering is automatically reset to 0 at the beginning of each month. The remaining quota on deactivating blackhole filtering from the previous month is automatically cleared. For example, if you set the IP Addresses parameter to 50 when you purchase an instance, the quota on deactivating blackhole filtering is 50. Note: If you increase the value of the IP Addresses parameter when you upgrade an instance, the quota on deactivating blackhole filtering is also increased. |
| Anti-DDoS Origin 2.0 Enterprise | Automatic deactivation, manual deactivation | |
| Anti-DDoS Origin 2.0 instances of Inclusive Edition for Small and Medium Enterprises | Automatic deactivation, manual deactivation | Five times per month. |
| Anti-DDoS Origin 2.0 (Pay-as-you-go) | Automatic deactivation, manual deactivation | The quota on deactivating blackhole filtering of the month is the same as the number of IP addresses that you add to an instance for protection. For example, on May 3, your pay-as-you-go instance had 10 IP addresses under its protection, and blackhole filtering was triggered and then deactivated for one of the IP addresses. On May 10, the instance had eight IP addresses under its protection. At that point, the instance had a quota of eight for blackhole filtering deactivation. However, because deactivation was performed once on May 3, the instance had only seven deactivations left for the month. |

Usage notes

If you manually deactivate blackhole filtering for the same asset, the interval between two deactivation operations must be at least 30 minutes.

Note
  • If blackhole filtering is triggered again for an asset after you manually deactivate it, the asset is still receiving DDoS attacks. In this case, the interval between two deactivation operations must be at least 30 minutes.

  • If blackhole filtering is frequently triggered for your asset, the volume of the attacks exceeds the protection capability of your Anti-DDoS Origin instance. In this case, we recommend that you purchase an Anti-DDoS Pro or Anti-DDoS Premium instance, which provides up to Tbit/s-level protection.
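
The quota and interval rules above can be checked in a runbook before anyone spends a deactivation. The following Python is an added example, not Alibaba Cloud code or an API: the edition labels, the `can_deactivate` helper and the sample history (including the year) are assumptions, and only the editions whose quota this page states are modelled.

```python
from datetime import datetime, timedelta

MIN_INTERVAL = timedelta(minutes=30)        # same asset: at least 30 minutes apart
FIXED_QUOTA = {"2.0-sme-inclusive": 5}      # "Five times per month."
IP_BASED = {"1.0-enterprise", "2.0-payg"}   # quota follows the instance's IP count


def can_deactivate(edition, ip_count, history, ip, now):
    """Return (allowed, reason, remaining quota for the current month).

    edition  : hypothetical label for the instance's edition
    ip_count : IP Addresses parameter (1.0 Enterprise) or the number of IPs
               currently added for protection (pay-as-you-go)
    history  : list of (timestamp, ip) for earlier manual deactivations
    """
    if edition == "basic":
        return False, "Basic edition: wait for automatic deactivation", 0
    if edition in FIXED_QUOTA:
        quota = FIXED_QUOTA[edition]
    elif edition in IP_BASED:
        quota = ip_count
    else:
        raise ValueError(f"quota rule not modelled for {edition!r}")
    # Only deactivations in the current calendar month count against the quota.
    used = sum(1 for ts, _ in history if (ts.year, ts.month) == (now.year, now.month))
    remaining = max(quota - used, 0)
    # The 30-minute interval is per asset and ignores month boundaries.
    last = max((ts for ts, h_ip in history if h_ip == ip), default=None)
    if last is not None and now - last < MIN_INTERVAL:
        return False, f"retry {ip} after {last + MIN_INTERVAL:%H:%M}", remaining
    if remaining == 0:
        return False, "monthly quota used up", remaining
    return True, "ok", remaining


# Constructed sample mirroring the page's pay-as-you-go example; the
# addresses come from the documentation range 203.0.113.0/24.
HISTORY = [(datetime(2024, 5, 3, 9, 0), "203.0.113.10")]

if __name__ == "__main__":
    # May 10: eight protected IPs, one deactivation already used in May.
    print(can_deactivate("2.0-payg", 8, HISTORY, "203.0.113.11", datetime(2024, 5, 10, 12, 0)))
    # Same asset again 20 minutes after the first deactivation: refused.
    print(can_deactivate("2.0-payg", 10, HISTORY, "203.0.113.10", datetime(2024, 5, 3, 9, 20)))
```

A deactivation made late on the last day of a month no longer counts against the new month's quota, but the 30-minute interval for that asset still applies.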

Procedure

  1. Log on to the Traffic Security console.

  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.

  3. In the top navigation bar, select the resource group to which the instance belongs and the region in which the instance resides.

    • Anti-DDoS Origin 1.0 (Subscription) instance: Select the region in which the instance resides.

    • Anti-DDoS Origin 2.0 (Subscription) instance: Select All Regions.

    • Anti-DDoS Origin 2.0 (Pay-as-you-go) instance: If you want to add a regular Alibaba Cloud asset to the instance for protection, select All Regions. If you want to add an EIP with Anti-DDoS (Enhanced) enabled to the instance for protection, select the region in which the EIP resides.

  4. On the Protected Objects page, find the instance that is in the Under blackhole state and click Deactivate Blackhole Filtering in the Actions column.

  5. In the Deactivate Blackhole Filtering dialog box, check the remaining number of times that you can deactivate blackhole filtering, and then click Confirm.

    Note

    Blackhole filtering is a risk management policy used by the backend servers of Alibaba Cloud. If your request to deactivate blackhole filtering fails, the quota on deactivating blackhole filtering for the day is not deducted.

Result

If blackhole filtering is deactivated, the value in the Status column of the protected IP address is changed from Under blackhole to Normal. If you fail to deactivate blackhole filtering, an error message appears. We recommend that you wait one minute and try again.