All Products
Search
Document Center

Anti-DDoS:Restore workloads of an ECS instance on which blackhole filtering is triggered

更新時間:May 07, 2024

After blackhole filtering is triggered on an Elastic Compute Service (ECS) instance, Alibaba Cloud discards all packets that are destined for the public IP address of the instance. You cannot access the public IP address of the instance over the Internet. You can estimate the time when blackhole filtering is automatically deactivated and wait for blackhole filtering to be automatically deactivated. In urgent scenarios, you can change the public IP address of the ECS instance or migrate your workloads to another ECS instance to quickly restore the workloads. This topic describes how to quickly restore the workloads of an ECS instance on which blackhole filtering is triggered.

Important

After you change the public IP address of the ECS instance or migrate your workloads to another ECS instance, attackers can still obtain the new public IP address by pinging the domain name and re-launch attacks. To resolve the issue, we recommend that you purchase an Anti-DDoS Origin or Anti-DDoS Proxy instance.

Estimate the time when blackhole filtering is automatically deactivated

If you do not purchase an Anti-DDoS Origin or Anti-DDoS Proxy instance, you must wait for the blackhole filtering to be automatically deactivated. If you purchase an Anti-DDoS Origin or Anti-DDoS Proxy instance, you can manually deactivate blackhole filtering for the ECS instance after you add your workloads to the instance for protection. For more information, see Deactivate blackhole filtering (Anti-DDoS Origin) and Deactivate blackhole filtering (Anti-DDoS Proxy).

  1. View the most recent time when the ECS instance was attacked.

    Log on to the Traffic Security console. On the Event Center page, find the public IP address of the ECS instance and click View Details to view the most recent time when the ECS instance was attacked.

    Note

    If an asset receives multiple DDoS attacks, the duration of blackhole filtering is calculated after the last DDoS attack stops.

  2. View the duration of blackhole filtering.

    On the Assets page, view the duration of blackhole filtering. The duration indicates the total duration of blackhole filtering. The default duration of blackhole filtering is 2.5 hours. The actual duration ranges from 30 minutes to 24 hours based on the frequency of attacks on your asset. In rare cases, the duration may be longer. 黑洞时长

  3. Estimate the time when blackhole filtering is automatically deactivated.

    For example, the ECS instance was attacked at 12:30 and the duration of blackhole filtering is 150 minutes. In this case, blackhole filtering is expected to be deactivated at 15:00.

    Note

    The estimated time is provided for reference only. If the ECS instance receives continuous DDoS attacks, the duration of blackhole filtering may be longer.

You can wait for blackhole filtering to be automatically deactivated. In urgent scenarios, you can use one of the following solutions to quickly restore your workloads.

Important

After you change the public IP address of the ECS instance or migrate your workloads to another ECS instance, you must modify settings such as the DNS record and database connection.

Solution 1: Change the public IP address of the ECS instance

Important

If you frequently change the public IP address of the ECS instance on which blackhole filtering is triggered, continuous attack traffic may cause risks to the cloud platform. In this case, your Alibaba Cloud account becomes restricted and you cannot perform operations such as purchasing new instances.

Change the elastic IP address (EIP) of the ECS instance

  1. (Optional) Apply for a new EIP.

    For more information, see Apply for an EIP.

  2. Disassociate the current EIP from the ECS instance.

    For more information, see Disassociate an EIP from a cloud resource.

    Important
    • After you disassociate a pay-as-you-go EIP from a cloud resource, you are still charged an EIP configuration fee. To avoid unnecessary charges, release the EIP.

    • If you no longer need a pay-as-you-go EIP after you disassociate the EIP from a cloud resource, you can unsubscribe from the EIP. For more information, see Rules for unsubscribing from resources.

  3. Associate the new EIP with the ECS instance.

    For more information, see Associate an EIP with an ECS instance.

Change the system-assigned public IP address of the ECS instance

Solution 2: Create an ECS instance that has the same configurations based on the image of the ECS instance on which blackhole filtering is triggered and migrate your workloads to the new ECS instance

  1. Create a custom image for the ECS instance on which blackhole filtering is triggered. For more information, see Create a custom image.

    Note

    We recommend that you regularly create snapshots for your ECS instance during O&M. If you want to quickly restore your workloads, you can use a snapshot to create a custom image to restore your workloads. For more information, see Create an automatic snapshot policy and Create a custom image from a snapshot.

  2. Use the custom image to create an ECS instance that has the same configurations. For more information, see Create an ECS instance by using a custom image.

Solution 3: Use SMC to create another ECS instance for your workloads

Server Migration Center (SMC) is a server migration platform provided by Alibaba Cloud. We recommend that you use SMC to migrate the ECS instance on which blackhole filtering is triggered. Then, SMC generates a custom image for the ECS instance. You can use the custom image to create another ECS instance.

  1. Import the ECS instance on which blackhole filtering is triggered to SMC as a migration source. For more information, see Step 1: Import the information about a migration source.

  2. Create a migration task to migrate system configurations and business data to a custom image. For more information, see the topics in Step 2: Create and start a migration task.

  3. Use the custom image to create an ECS instance that has the same configurations. For more information, see Create an ECS instance by using a custom image.

Solution 4: Log on to the ECS instance on which blackhole filtering is triggered and migrate business data

You cannot connect to an ECS instance on which blackhole filtering is triggered over the Internet. You can connect to the ECS instance by using Workbench, Session Manager, Virtual Network Computing (VNC), or another ECS instance that resides in the same virtual private cloud (VPC) as the ECS instance.

For more information about how to connect to an ECS instance by using Workbench, Session Manager, or VNC, see Connect to an instance. In this example, an ECS instance on which blackhole filtering is triggered is connected by using another ECS instance that resides in the same VPC as the ECS instance.

Usage notes

The two ECS instances must reside in the same region, same VPC, and belong to the same security group. The two ECS instances must be connected. For more information about security groups, see Overview.

Procedure

  1. Log on to the ECS instance on which blackhole filtering is not triggered by using its private or public IP address.

  2. Run a command or use a tool to connect to the ECS instance on which blackhole filtering is triggered by using its private IP address or public IP address.

    The following table describes the common connection methods.

    Operating system of the ECS instance on which blackhole filtering is triggered

    Operating system of the ECS instance on which blackhole filtering is not triggered

    Connection method

    References

    Windows

    Windows

    Use Microsoft Terminal Services Client (MSTSC).

    Connect to a Windows instance by using a username and password

    Linux

    Use rdesktop.

    Linux

    Windows

    Use PuTTY.

    Linux

    Run an SSH command.

    ssh root@<System-assigned public IP address or EIP of the instance>
  3. Migrate business data to the ECS instance on which blackhole filtering is not triggered.

References