If volumetric DDoS attacks occur on an Alibaba Cloud asset and the volume of the DDoS attacks exceeds the mitigation capability provided for the asset, blackhole filtering is triggered to temporarily block all Internet traffic that is destined for the asset. This helps protect the asset against subsequent attacks and protect other assets from being adversely affected by the asset. This topic describes how to prevent and handle blackhole filtering.
Basic mitigation capability provided by Anti-DDoS Basic
Anti-DDoS Basic provides a basic mitigation capability from 500 Mbit/s to 5 Gbit/s against DDoS attacks for some Alibaba Cloud assets that are assigned public IP addresses. The capability is provided free of charge. In the following sections, Alibaba Cloud assets that are assigned public IP addresses are referred to as assets. The basic mitigation capability varies based on the region and specifications of an asset. For more information, see View the thresholds that trigger blackhole filtering in Anti-DDoS Basic and Configure traffic scrubbing thresholds.
Important
If the service traffic of your asset exceeds the blackhole filtering threshold, we recommend that you upgrade your asset at the earliest opportunity. If you do not upgrade your asset at the earliest opportunity, the service traffic of your asset may be identified as unusual traffic and may trigger blackhole filtering.
A higher mitigation capability reduces the possibility of blackhole filtering. To prevent blackhole filtering from being triggered, you must increase the mitigation capability (blackhole filtering threshold) for your asset.
View asset status, traffic, and attack IPs
Log on to the Traffic Security console.
View asset status
In the upper-left corner of the Assets page, select the region where your asset resides and click the corresponding tab.
In the asset list, check whether Under blackhole is displayed in the IP Status column for your asset.
View asset traffic and attack IPs
On the Event Center page, view the blackhole filtering or traffic scrubbing event for your asset. You can also click View Details to view the inbound traffic in bit/s and packets per second (pps).
Click Download in the upper-right corner of the page, then use a tool such as Wireshark to open the downloaded packet capture and view the attack IPs.
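As an alternative to reading the capture by eye, the following added example (not part of the original Alibaba Cloud documentation) ranks the source IP addresses in a capture by packet count and bytes on the wire. It assumes the download is a classic pcap file with Ethernet framing, which this page does not confirm; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

def top_sources(pcap_bytes, n=10):
    """Return [(src_ip, packets, bytes)] for IPv4 frames, busiest source first."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    packets, volume = Counter(), Counter()
    offset = 24                                   # skip the global header
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, orig_len = struct.unpack(
            endian + "IIII", pcap_bytes[offset:offset + 16])
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                              # truncated or not IPv4
        src = ".".join(str(b) for b in frame[26:30])  # IPv4 source address
        packets[src] += 1
        volume[src] += orig_len                   # size on the wire
    return [(ip, c, volume[ip]) for ip, c in packets.most_common(n)]

def constructed_sample():
    """Build a small in-memory capture (constructed data, documentation IPs)."""
    def record(src, size=60):
        ip = (bytes([0x45, 0]) + struct.pack(">H", size - 14) + b"\x00" * 4
              + bytes([64, 17, 0, 0]) + bytes(map(int, src.split(".")))
              + bytes([198, 51, 100, 10]))
        frame = (b"\x00" * 12 + b"\x08\x00" + ip).ljust(size, b"\x00")
        return struct.pack("<IIII", 0, 0, size, size) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    sources = ["203.0.113.5"] * 3 + ["192.0.2.7"] * 2 + ["203.0.113.9"]
    return header + b"".join(record(s) for s in sources)

if __name__ == "__main__":
    for ip, count, size in top_sources(constructed_sample()):
        print(f"{ip:15} {count:5} packets {size:7} bytes")
```

To use it on a real download, pass the file contents, for example `top_sources(open(path, "rb").read())`. Source addresses in volumetric attacks are often spoofed or reflected, so treat the ranking as a description of the traffic rather than as attribution.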
Estimate the time when blackhole filtering is automatically deactivated
By default, Alibaba Cloud automatically deactivates blackhole filtering 2.5 hours after the DDoS attacks stop. In actual scenarios, Alibaba Cloud automatically deactivates blackhole filtering 30 minutes to 24 hours after the DDoS attacks stop. The period of time varies based on the frequency at which your asset is attacked. In rare cases, the period of time exceeds 24 hours. The blackhole filtering duration changes based on the following factors:
The duration of attacks. If attacks continue for a long time, the duration of blackhole filtering is extended.
The frequency of attacks. If an asset experiences attacks for the first time, the duration of blackhole filtering automatically decreases. If an asset experiences frequent attacks, the asset is highly likely to encounter continuous attacks, and the duration of blackhole filtering is automatically extended.
Note
If blackhole filtering is frequently triggered for an asset, Alibaba Cloud reserves the right to further extend the duration of blackhole filtering and lower the threshold to trigger blackhole filtering for the asset. You can view the actual duration and threshold of blackhole filtering in the console.
View the time when an asset was last attacked.
Log on to the Traffic Security console. On the Event Center page, find the asset that you want to manage and view the time when the asset was last attacked.
Note
If an asset receives multiple DDoS attacks, the duration of blackhole filtering is calculated after the last DDoS attack stops.
View the duration of blackhole filtering.
On the Assets page, view the duration of blackhole filtering for the asset. 
Estimate the time when blackhole filtering is automatically deactivated.
For example, the asset was attacked at 12:30, and the duration of blackhole filtering is 150 minutes. In this case, blackhole filtering is expected to be deactivated at 15:00.
Note
The estimated time is provided for reference only. If your asset receives continuous DDoS attacks, the duration of blackhole filtering may be longer.
How to deactivate blackhole filtering
During blackhole filtering, Alibaba Cloud continuously monitors the status of DDoS attacks. After the DDoS attacks stop for a period of time, Alibaba Cloud automatically deactivates blackhole filtering for your asset. Then, your asset can be accessed over the Internet. If you want to restore your service during blackhole filtering, you can manually deactivate blackhole filtering for your asset that is protected by an Anti-DDoS instance of a paid edition.
Anti-DDoS instance of a paid edition not purchased
You cannot manually deactivate blackhole filtering for your asset. If you want to restore your service or log on to your server to obtain files during blackhole filtering, refer to the instructions provided in Restore workloads of an ECS instance on which blackhole filtering is triggered.
Warning
If you change the public IP address of your asset, such as your Elastic Compute Service (ECS) instance, Server Load Balancer (SLB) instance, simple application server, or elastic IP address (EIP), or release your asset frequently, cloud tenants as a whole may be affected, and restrictions may be triggered.
After you change the public IP address of your asset or change your server, attackers can still obtain the new IP address by pinging the domain name and launch attacks again. To resolve the preceding issue, we recommend that you purchase Anti-DDoS Origin or Anti-DDoS Proxy.
Anti-DDoS instance of a paid edition purchased
You can wait for Alibaba Cloud to automatically deactivate blackhole filtering after the duration of blackhole filtering expires or manually deactivate blackhole filtering. If you manually deactivate blackhole filtering, you can deploy a mitigation plan within a specific period of time. However, DDoS attacks cannot be mitigated. After you manually deactivate blackhole filtering, blackhole filtering may be triggered again if the DDoS attacks do not stop.
Anti-DDoS instance of a paid edition | Method to manually deactivate blackhole filtering | Description |
Anti-DDoS Origin | | You can deactivate blackhole filtering for your asset that is protected by an Anti-DDoS Origin instance for a specific number of times per month. The number of times is greater than or equal to the number of the IP addresses that can be protected by the instance. |
Anti-DDoS Proxy (Chinese Mainland) | | After blackhole filtering is triggered, you must wait for at least 2 minutes before you can deactivate the blackhole filtering. You can deactivate blackhole filtering for your asset that is protected by an Anti-DDoS Proxy instance up to five times per day. |
Anti-DDoS Proxy (Outside Chinese Mainland) | You do not need to manually deactivate blackhole filtering. | Unlike an Anti-DDoS Proxy (Chinese Mainland) instance, which has a fixed protection bandwidth, an Anti-DDoS Proxy (Outside Chinese Mainland) instance mitigates DDoS attacks with all the capabilities that are available. You do not need to manually deactivate blackhole filtering for an Anti-DDoS Proxy (Outside Chinese Mainland) instance. |
How to select an Anti-DDoS service
Anti-DDoS Proxy: Anti-DDoS Proxy is a proxy-based service that is provided by Alibaba Cloud to mitigate volumetric and resource exhaustion DDoS attacks. Anti-DDoS Proxy can protect servers that are deployed on Alibaba Cloud, on third-party clouds, and in data centers. If volumetric DDoS attacks are launched against your service that is added to Anti-DDoS Proxy, Anti-DDoS Proxy uses DNS resolution to direct traffic to the anti-DDoS scrubbing centers for scrubbing and forwards only service traffic to the origin server.
For more information about selection instructions and billing, see Scenario-specific anti-DDoS solutions, Billing description of Anti-DDoS Origin, and Billing description of Anti-DDoS Proxy.