Updated on 2024-10-29 GMT+08:00

Black Hole Policy

To protect the overall availability of Huawei Cloud services, if the attack traffic targeting a cloud server exceeds the threshold, a black hole is triggered that blocks all access to that server from the Internet for a certain period of time.

What Is a Black Hole?

A black hole refers to a situation where access to a cloud server is blocked by Huawei Cloud because attack traffic targeting a cloud server exceeds a certain threshold.

Why Is the Black Hole Policy Required?

DDoS attacks interrupt user services and adversely affect the AAD data center. Defending against DDoS attacks consumes large amounts of bandwidth.

Huawei Cloud purchases bandwidth from carriers, and those carriers bill for the bandwidth even when the traffic is part of a DDoS attack. Huawei Cloud provides Cloud Native Anti-DDoS Basic (Anti-DDoS) for free to protect your resources against DDoS attacks below a certain threshold, but if an attack exceeds a certain size, the traffic is routed to a black hole.

How Do I Deactivate a Black Hole?

When a server (ECS) is put in the black hole, handle it as described in Table 1.

Table 1 Black hole deactivation methods

Anti-DDoS Edition: Cloud Native Anti-DDoS Basic (Anti-DDoS)

    NOTE: Anti-DDoS is enabled by default.

Deactivation Policy:

  • The system automatically deactivates the black hole 24 hours after access to the cloud server is blocked.
  • If the system detects that the attack has not stopped and attack traffic still exceeds the configured threshold, access is blocked again.

Deactivation Method: You need to wait until the system deactivates the black hole automatically.

Black Hole Threshold

The black hole threshold is the basic attack mitigation capability provided by Huawei Cloud. When the scale of an attack exceeds the threshold, Huawei Cloud executes the black hole policy to block the attacked IP address.

Scrubbing Principles

The system detects attack traffic in real time. Once it detects an attack on a cloud host, the system diverts the service traffic from its original network path to the Huawei Cloud DDoS scrubbing system. The scrubbing system identifies the traffic from the attacking IP addresses, discards the attack traffic, and forwards normal traffic to the target IP address, mitigating the damage to the server.

Self-Service Unblocking Rules

  • There is a minimum block duration after which you can unblock a blocked IP address. The minimum block duration for the first time you unblock an IP address in a day is 30 minutes. Minimum block duration = 2^(n-1) x 30 minutes, where n is the number of times you have unblocked the same IP address that day (including the current attempt).

    For example, a 30-minute block duration is required for the first time you unblock an IP address, a 60-minute block duration for the second time, and a 120-minute block duration for the third time.

  • For the same protected IP address, if it is blocked again less than 30 minutes after it is unblocked, you can unblock it only 2^n x 30 minutes later (n is the number of times you are unblocking it that day).

    For example, if the IP address was unblocked once at 10:20 and is blocked again at 10:40, the interval between the two time points is less than 30 minutes. This is the second time you unblock the IP address on that day, so the IP address cannot be unblocked until the 120-minute block duration expires at 12:40 (2 x 2 x 30 minutes after 10:40).

    If you have unblocked any other IP address within 30 minutes, you cannot unblock the IP address even if the preceding conditions are met.

  • The Anti-DDoS service automatically adjusts the number of allowed IP unblocking attempts and the interval between them based on risk control.
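As an added example (not part of the Huawei Cloud documentation), the following Python code encodes the three self-service unblocking rules above and computes the earliest time an IP address can be unblocked from a day's block/unblock history. The function names, the `at()` helper and the sample history are constructed for illustration; the rules are read from the text as stated, and the last bullet (risk-control adjustment) is not modelled.

```python
from datetime import datetime, timedelta

BASE = timedelta(minutes=30)    # minimum block duration for the first unblock of the day
WINDOW = timedelta(minutes=30)  # "blocked again within 30 min" / "other IP unblocked within 30 min"
DAY = datetime(2024, 10, 29)    # constructed date used by the samples below


def at(hour, minute):
    """Clock time on the constructed sample day."""
    return DAY.replace(hour=hour, minute=minute)


def min_block_duration(n, blocked_at, last_unblocked_at):
    """Minimum block duration before the n-th self-service unblock of one IP today.
    Rule 1: 2^(n-1) x 30 min.  Rule 2: if the IP was blocked again less than
    30 min after its previous unblock, 2^n x 30 min instead."""
    if last_unblocked_at is not None and blocked_at - last_unblocked_at < WINDOW:
        return BASE * (2 ** n)
    return BASE * (2 ** (n - 1))


def earliest_unblock(ip, blocked_at, history):
    """Earliest time `ip` (blocked at `blocked_at`) can be self-unblocked.
    `history` is today's list of (ip, unblocked_at) events so far (constructed)."""
    same_ip = sorted(t for i, t in history if i == ip)
    n = len(same_ip) + 1                      # this would be the n-th unblock today
    last = same_ip[-1] if same_ip else None
    earliest = blocked_at + min_block_duration(n, blocked_at, last)
    # Rule 3: no unblock while any other IP was unblocked in the previous 30 minutes,
    # even if rules 1 and 2 are already satisfied.
    for i, t in sorted(history, key=lambda e: e[1]):
        if i != ip and t <= earliest < t + WINDOW:
            earliest = t + WINDOW
    return earliest


if __name__ == "__main__":
    # The page's own scenario: unblocked at 10:20, blocked again at 10:40 -> 12:40.
    print(earliest_unblock("192.0.2.10", at(10, 40), [("192.0.2.10", at(10, 20))]))
```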