Updated on 2023-06-27 GMT+08:00

What Is the Black Hole Policy of HUAWEI CLOUD?

To protect the usability of Huawei Cloud services in general, if a cloud server is subject to a large enough attack, a black hole will be triggered to block all access from the Internet for a certain period of time.

Huawei Cloud CNAD Basic (Anti-DDoS) provides 2 Gbit/s of defense against DDoS attacks for common users for free. Anti-DDoS can provide up to 5 Gbit/s of defense capability (depending on the available bandwidth of Huawei Cloud).

What Is a Black Hole?

A black hole refers to a situation where access to a cloud server is blocked by Huawei Cloud because attack traffic targeting a cloud server exceeds a certain threshold.

Why Is the Black Hole Policy Required?

DDoS attacks will interrupt user services and cause adverse impacts on the AAD data center. Defending against DDoS attacks is also costly in terms of bandwidth.

Bandwidth is purchased by Huawei Cloud from carriers, and those carriers bill for bandwidth even if it was part of a DDoS attack. Huawei Cloud provides Cloud Native Anti-DDoS Basic (Anti-DDoS) for free to protect your resources against DDoS attacks below a certain threshold, but if an attack exceeds a certain size, we will route the traffic to a black hole.

How Do I Deactivate a Black Hole?

When access to a cloud server is blocked by Huawei Cloud because attack traffic targeting it exceeds a certain threshold, use the deactivation method for your edition in Table 1.

Table 1 Black hole deactivation methods

Edition

Deactivation Policy

Deactivation Method

CNAD Basic (Anti-DDoS)

NOTE:

Cloud Native Anti-DDoS Basic (CNAD Basic) is enabled by default.

  • The system automatically deactivates the black hole 24 hours after the access to a cloud server is blocked.
  • If the system detects that the attack has not stopped, and attack traffic is still exceeding the configured threshold, the access will be blocked again.
  • You need to wait until the system deactivates it automatically.

CNAD Advanced

The system automatically deactivates the black hole 24 hours after the access to a cloud server is blocked.

AAD

Contact Huawei Cloud technical support to deactivate the blackhole quickly.

You are advised to increase the elastic bandwidth to avoid being black-holed again.

You can upgrade the elastic protection bandwidth to deactivate the blackhole.

Self-Service Unblocking Rules

If you have purchased Anti-DDoS (Native Advanced Anti-DDoS Protection or Advanced Anti-DDoS), you receive three free self-service black hole deactivation quotas every month. Quotas that are not used in the current month are cleared at the end of the month.

Currently, you can unblock only public IP addresses in North China, East China, and South China.

  • There is a minimum block duration after which you can unblock a blocked IP address. The minimum block duration for the first time you unblock an IP address in a day is 30 minutes. Minimum block duration = 2^(n-1) x 30 minutes (n indicates the number of times you want to unblock the same IP address).

    For example, a 30-minute block duration is required for the first time you unblock an IP address, a 60-minute block duration for the second time, and a 120-minute block duration for the third time.

  • For the same protected IP address, if it is blocked again less than 30 minutes after it is unblocked, you can unblock it 2^n x 30 minutes later (n indicates the number of times you are unblocking it).

    For example, if the IP address has been unblocked once at 10:20, and is blocked again at 10:40, the interval between the two time points is less than 30 minutes. This is the second time you unblock the IP address on the day. The IP address cannot be unblocked until the 120-minute block duration expires at 12:40 (2 x 2 x 30 minutes after 10:40).

    If you have unblocked any other IP address within 30 minutes, you cannot unblock the IP address even if the preceding conditions are met.

  • ADS automatically adjusts the allowed IP unblocking attempts and the interval based on the risk control.
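The rules above can be turned into a small planning helper for incident runbooks. This is an added example, not Huawei Cloud code: the function and parameter names are hypothetical, the cross-IP rule is read as "wait 30 minutes after unblocking any other IP address" (an assumption), and because ADS adjusts limits based on risk control the result is only the earliest time the stated rules allow.

```python
from datetime import datetime, timedelta

BASE = timedelta(minutes=30)  # base interval stated in the rules
MONTHLY_QUOTA = 3             # free self-service unblocks per month


def earliest_unblock(blocked_at, n, prev_unblock_same_ip=None,
                     last_unblock_other_ip=None, quota_used=0):
    """Earliest time the n-th unblock of the day is allowed for one IP.

    Returns None when the monthly quota is already used up.
    """
    if n < 1:
        raise ValueError("n counts unblock attempts and starts at 1")
    if quota_used >= MONTHLY_QUOTA:
        return None

    # Re-block rule: blocked again less than 30 minutes after the previous
    # unblock of the same IP, so the wait is 2^n x 30 minutes instead of
    # 2^(n-1) x 30 minutes.
    quick_reblock = (
        prev_unblock_same_ip is not None
        and timedelta(0) <= blocked_at - prev_unblock_same_ip < BASE
    )
    exponent = n if quick_reblock else n - 1
    earliest = blocked_at + (2 ** exponent) * BASE

    # Assumed reading of the cross-IP rule: wait until 30 minutes have
    # passed since any other IP address was unblocked.
    if last_unblock_other_ip is not None:
        earliest = max(earliest, last_unblock_other_ip + BASE)
    return earliest


def day(hhmm):
    """Constructed sample timestamp on one arbitrary day."""
    return datetime.strptime("2023-06-27 " + hhmm, "%Y-%m-%d %H:%M")


if __name__ == "__main__":
    # The page's example: unblocked at 10:20, blocked again at 10:40, n = 2.
    print(earliest_unblock(day("10:40"), 2, prev_unblock_same_ip=day("10:20")))
```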

How Can I Increase the Black Hole Threshold?

You can increase the black hole threshold using the following methods:

  • Enable Cloud Native Anti-DDoS Pro (CNAD Pro) to obtain unlimited protection capability without changing the service IP address.
  • Connect your services to AAD to obtain Tbit/s-level protection capability. Malicious attacks targeting the origin servers can be diverted to the high-defense IP address for scrubbing to ensure the stable running of mission-critical workloads.
