Halaman ini belum tersedia dalam bahasa lokal Anda. Kami berusaha keras untuk menambahkan lebih banyak versi bahasa. Terima kasih atas dukungan Anda.
- What's New
- Function Overview
- Service Overview
-
Billing
- Billing Overview
- Billing Modes
- Billing Items
- Renewing Subscriptions
- Bills
- Arrears
- Stopping Billing
- Cost Management
-
Billing FAQs
- General FAQs
- Billing FAQs of CNAD Advanced
-
Billing FAQs of AAD
- How Is AAD Billed?
- Why Does My Payment Status Not Update After I Make a Payment?
- Will I Be Charged If I Buy an Elastic Protection Bandwidth and My Elastic IP Address Is Not Attacked for the Whole Month?
- What Happens If the Attack Traffic Exceeds the Elastic Protection Bandwidth?
- Can I Adjust My Elastic Protection Bandwidth From 100 Gbit/s to 200 Gbit/s When I Find 100 Gbit/s Is Insufficient?
- What Is the Charge If My IP Address Is Attacked Many Times a Day?
- How Do I Stop Elastic Protection to Avoid Being Charged for the Elastic Protection Bandwidth?
- How Can I Renew the AAD Service?
- How Can I Unsubscribe from the AAD Service?
- How Should I Automatically Renew AAD?
- Can the Original Configuration Data Be Saved After I Unsubscribe from an AAD Instance?
- How Is the Elastic Bandwidth Charged?
- Getting Started
-
User Guide
-
CNAD Basic (Anti-DDoS) User Guide
- Anti-DDoS Overview
- Using IAM to Grant Anti-DDoS Permissions
- Setting a Traffic Scrubbing Threshold to Intercept Attack Traffic
- Setting DDoS Alarm Notifications
- Enabling DDoS Alarm Notifications
- Enabling Logging
- Adding a Tag to an EIP
- Viewing an EIP Monitoring Report
- Viewing an Interception Report
- Querying Audit Logs
-
CNAD Advanced (CNAD) Operation Guide
- CNAD Overview
- Using IAM to Grant CNAD Permissions
- Purchasing a CNAD Instance
-
Adding a Protection Policy
- Protection Policy Overview
- Configuring a Basic Protection Policy to Intercept Attack Traffic
- Using Watermarks to Defend Against CC Attacks
- Blocking or Permitting Traffic From Specified IP Addresses Using a Blacklist and Whitelist
- Blocking Traffic to a Specified Port
- Blocking Traffic of a Specified Protocol
- Setting a Traffic Handling Policy Based on Fingerprint Features
- Using Advanced Protection Policies to Restrict Abnormal Connections
- Blocking Traffic From Specified Locations
- Adding a Protected Object
- Enabling Alarm Notifications for DDoS Attacks
- Enabling Logging
- Viewing Statistics Reports
- Managing Instances
- Managing Protected Objects
- Viewing Monitoring Metrics
- Querying Audit Logs
-
Advanced Anti-DDoS User Guide
- AAD Overview
- Using IAM to Grant AAD Permissions
- Purchasing an AAD Instance
- Connecting Services to AAD
-
Configuring a Protection Policy
- Protection Policy Overview
- Enabling Basic Web Protection
- Blocking Traffic From Specified Locations
- Blocking Traffic of a Specified Protocol
- Blocking or Allowing Traffic From Specified IP Addresses Using a Blacklist and Whitelist
- Mitigating CC Attacks Using Frequency Control Policies
- Using Intelligent CC Policies to Defend Against CC Attacks
- Enabling Alarm Notifications for DDoS Attacks
- Enabling Logging
- Viewing Statistics
- Managing Instances
- Managing Domain Names
- Certificate Management
- Managing Forwarding Rules
- Viewing Monitoring Metrics
- Querying Audit Logs
- Scheduling Center Quotas
-
CNAD Basic (Anti-DDoS) User Guide
- Best Practices
-
API Reference
- Before You Start
- API Overview
- API Calling
-
API
-
Anti-DDoS Management
- Querying the List of Defense Statuses of EIPs
- Querying Optional Anti-DDoS Defense Policies
- Querying Weekly Defense Statistics
- Querying Configured Anti-DDoS Defense Policies
- Updating Anti-DDoS Defense Policies
- Querying the Traffic of a Specified EIP
- Querying Events of a Specified EIP
- Querying Configured Anti-DDoS Defense Policies
- Anti-DDoS Task Management
- Alarm configuration management
- Default Protection Policy Management
-
Anti-DDoS Management
- Examples
- Appendix
- Out-of-Date APIs
- SDK Reference
-
FAQs
-
General FAQs
- What Are Regions and AZs?
- What Is the Black Hole Policy of HUAWEI CLOUD?
- What are the Relationships Between ADS and Anti-DDoS Traffic Cleaning, CNAD Pro, and AAD?
- What Are the Differences Between Anti-DDoS and Advanced Anti-DDoS?
- What Are a SYN Flood Attack and an ACK Flood Attack?
- What Is a CC Attack?
- What Is a Slow HTTP Attack?
- What Are a UDP Attack and a TCP Attack?
- What Are the Differences Between DDoS Attacks and Challenge Collapsar Attacks?
- What Is the Maximum Protection Capacity Provided by Huawei Cloud Anti-DDoS for Free?
- What Can I Do If an IP Address Is Blocked?
- Does Anti-DDoS Support the Transparent Access Mode?
- Does Anti-DDoS Service Provide SDKs?
- How Do I Migrate Instance Resources in an Enterprise Project?
-
CNAD Basic (Anti-DDoS) FAQs
-
About Anti-DDoS
- How Will Anti-DDoS Be Triggered to Scrub Traffic?
- Does Anti-DDoS Traffic Scrubbing Affect Normal Services?
- What Are the Restrictions of Using Anti-DDoS?
- What Is the Protection Capacity of Anti-DDoS?
- What Data Can Be Provided by Anti-DDoS?
- Which Regions Does Anti-DDoS Support?
- What Can Be Protected by Anti-DDoS?
- Can Anti-DDoS Be Used Across Clouds or By Multiple Accounts?
- How to Determine Whether an Attack Occurs?
-
About Basic Functions
- What Would Happen When I Am Under a DDoS Attack Exceeding 500 Mbit/s?
- Which Types of Attacks Does Anti-DDoS Mitigate?
- What Should I Do If My Service Is Frequently Attacked?
- What Is the Difference Between ELB Protection and ECS Protection?
- Why Is the Number of Times of Cleaning Different from the Number of Attacks for the Same Public IP Address?
- Is Anti-DDoS Enabled by Default?
- Does Anti-DDoS Protect a Region or a Single IP Address?
- Do I Need to Release Anti-DDoS Resources When I Delete an Account?
- How Do I View the Traffic Scrubbing Frequency?
- How Can I View Anti-DDoS Protection Statistics?
- How Can I View the Monitoring Data of a Public IP Address in Anti-DDoS?
- How Can I View an Interception Report?
- Can I Disable Anti-DDoS Completely?
- How Do I Check Whether the Inbound Traffics Are Routed Through Anti-DDoS Devices?
- About Threshold and Black Hole
- About Alarm Notification
- About Service Faults
-
About Anti-DDoS
-
CNAD Advanced FAQs
-
Function Consulting
- What Is Unlimited Protection?
- Can CNAD Advanced Protect Non-Huawei Cloud and On-Premises IP Addresses?
- Does CNAD Advanced Protect IPv6 Addresses?
- What Do I Do If an IP Address Protected by CNAD Advanced Is Blocked?
- What Are the Protection Objects of CNAD Advanced?
- How Many Layers of Attacks Can CNAD Advanced Defend Against?
- How Long Does It Take to Switch Traffic from CNAD Advanced Back to AAD?
- Can CNAD Advanced Be Used Across Regions?
- What Is A Dedicated EIP?
- Billing
-
Function Consulting
-
AAD FAQs
-
Function Specifications
- What Service Ports Does AAD Support?
- What Forwarding Protocols Does AAD Support?
- Can I Change My Protection Bandwidths?
- Can an AAD Origin Server Use a CDN CNAME?
- What Is the Maximum Protection Capability When I Purchase 10 Gbit/s as the Basic Protection Bandwidth and 20 Gbit/s as the Elastic Protection Bandwidth?
- Does AAD Use a Public IP Address to Switch Traffic Back to Origin Servers?
- What Is the Maximum Number of Domain Names AAD Can Protect?
- How Much Additional Latency Will Be Incurred When AAD Is Deployed?
- Is There a Limit to the Number of Concurrent Requests?
- How Do I Disable Advanced Anti-DDoS?
-
Access Configuration
- Can I Connect My Service System to AAD If It Is Not Running on HUAWEI CLOUD?
- How Do I Check Whether a Protected Domain Name Is Correctly Configured After I Connect It to AAD?
- What Can I Do When Message "Invalid request" Is Displayed When I Upload an HTTPS/WebSockets Certificate?
- How Do I Convert a Non-PEM Certificate into a PEM One?
- How Do I Enable Both AAD and WAF?
- How Do I Connect My Service System to AAD?
- How Is CNAME-based Access Implemented?
- How Does AAD Distribute Traffic When There Are Multiple Origin Servers?
- How Do I Check Whether a Back-to-Origin IP Address Has Been Whitelisted on My Origin Server?
- How Do I Change the Exposed IP Address of an Origin Server?
- How Do I Query the Back-to-Origin IP Address Range?
- Can I Migrate Enterprise Project Resources After Adding the Protected Domain Name?
- Can I Build My Own Anti-DDoS System Using HUAWEI CLOUD ECSs?
- How Do the AAD Blacklist and Whitelist Protect Customer's Servers?
- Do I Still Need to Configure the Blacklist and Whitelist in WAF Protection Policies After Configuring Them in DDoS Protection Policies?
- How Do I Use a Domain Name to Access Both IPv4 and IPv6 Services?
- What Should I Do If I Receive a Message Stating That the Domain Name Already Exists When Trying to Connect?
-
Faults
- What Should I Do When Encountering an Access Freezing, Delay, or Failure?
- Why Is Error 504 Displayed When I Access a Website After AAD Is Configured?
- How Do I Identify the Type of Attacks?
- What Should I Do If Error 500, 502, or 504 Is Reported When I Access My Website After I Enable Basic Web Protection for My Domain Name?
- What Can I Do If I Failed to Configure a Forwarding Rule?
- What Can I Do If My UDP Traffic Is Blocked?
- How Do I Unblock the Access That Has Been Automatically Blocked Due to the Threshold-Overtopped Attack Traffic?
- Why Can't I Specify Certain Ports When Configuring the Forwarding Rule?
- Error Message "Received fatal alert" Is Displayed After a Domain Name Is Bound to AAD
-
Product
- What Is a Protected IP Address?
- Does AAD Support Weighted Back-to-Origin?
- Can AAD Be Used Across Regions?
- What Is a CNAME Record?
- What is BGP?
- What Is the Origin Server Port of AAD?
- What Is the Origin Server IP Address?
- What Website IP Addresses Is Protected by AAD?
- What Is Service Bandwidth?
- What Is a Forwarding Protocol?
- Are Services Interrupted When They Are Being Connected to AAD?
- Can a Domain Name Be Bound to Multiple AAD Instances?
- Why Does the High-Defense IP Address Actually Receive Access Requests from a Client After AAD Is Deployed?
- Why Does the Attack Traffic Volume Increase After AAD Is Deployed?
- Will the Origin Server Be Exposed When the Attack Traffic Volume Increases After AAD Is Deployed?
- How Does AAD Protect Origin Server IP Addresses?
- Does AAD Support Two-Way SSL Authentication?
- Can I Modify or Delete the Certificates Uploaded to AAD?
- What Will Happen If My Service Traffic Exceeds the Configured Service Bandwidth?
- Is Advanced Anti-DDoS Software or Hardware?
- Does AAD Support IPv6 Protection?
- Why Is the Traffic of AAD Inconsistent with That of ELB?
-
Fees
- How Is AAD Billed?
- Why Does My Payment Status Not Update After I Make a Payment?
- Will I Be Charged If I Buy an Elastic Protection Bandwidth and My Elastic IP Address Is Not Attacked for the Whole Month?
- What Happens If the Attack Traffic Exceeds the Elastic Protection Bandwidth?
- Can I Adjust My Elastic Protection Bandwidth From 100 Gbit/s to 200 Gbit/s When I Find 100 Gbit/s Is Insufficient?
- What Is the Charge If My IP Address Is Attacked Many Times a Day?
- How Do I Stop Elastic Protection to Avoid Being Charged for the Elastic Protection Bandwidth?
- How Can I Renew the AAD Service?
- How Can I Unsubscribe from the AAD Service?
- How Should I Automatically Renew AAD?
- Can the Original Configuration Data Be Saved After I Unsubscribe from an AAD Instance?
- How Is the Elastic Bandwidth Charged?
-
Function Specifications
-
General FAQs
- Videos
-
More Documents
-
User Guide (Ankara Region)
- Service Overview
- Enabling Anti-DDoS
- Viewing a Public IP Address
- Enabling Alarm Notification
- Configuring an Anti-DDoS Protection Policy
- Viewing a Monitoring Report
- Viewing an Interception Report
-
FAQs
-
About Anti-DDoS
- What Is Anti-DDoS?
- What Are a SYN Flood Attack and an ACK Flood Attack?
- What Is a CC Attack?
- What Is a Slow HTTP Attack?
- What Are a UDP Attack and a TCP Attack?
- What Is the Million-level IP Address Blacklist Database?
- How Will Anti-DDoS Be Triggered to Scrub Traffic?
- Does Anti-DDoS Traffic Cleaning Affect Normal Services?
- How Does Anti-DDoS Scrub Traffic?
- What Are the Restrictions of Anti-DDoS?
- About Basic Functions
- About Alarm notification
-
About Anti-DDoS
-
API Reference (Ankara Region)
- Before You Start
- API Overview
- API Calling
-
API
-
Anti-DDoS APIs
- Querying Optional Anti-DDoS Defense Policies
- Enabling Anti-DDoS
- Querying Configured Anti-DDoS Defense Policies
- Updating Anti-DDoS Defense Policies
- Querying Anti-DDoS Tasks
- Querying the List of Defense Statuses of EIPs
- Querying the Defense Status of a Specified EIP
- Querying the Traffic of a Specified EIP
- Querying Events of a Specified EIP
- Querying Weekly Defense Statistics
- Alarm Reminding APIs
-
Anti-DDoS APIs
- Appendix
- Change History
-
User Guide (Ankara Region)
- General Reference
Copied.
Black Hole Policy
To protect the usability of Huawei Cloud services in general, if the attack traffic on the cloud server exceeds the threshold, a black hole will be triggered to block all accesses from the Internet for a certain period of time.
What Is a Black Hole?
A black hole refers to a situation where access to a cloud server is blocked by Huawei Cloud because attack traffic targeting a cloud server exceeds a certain threshold.
Why Is the Blackhole Policy Required?
DDoS attacks will interrupt user services and cause adverse impacts on the AAD data center. Defense against DDoS attacks is costly on bandwidth consumption.
Bandwidth is purchased by HUAWEI CLOUD from carriers, and those carriers bill for bandwidth even if it was part of DDoS attack. Huawei Cloud provides Cloud Native Anti-DDoS Basic (Anti-DDoS) for free to protect your resources against DDoS attacks below a certain threshold, but if an attack exceeds a certain size, we will route the traffic to a black hole.
How Do I Deactivate a Black Hole?
When a server (ECS) enters is put in the black hole, you handle it by referring to Table 1.
|
Anti-DDoS Edition |
Deactivation Policy |
Deactivation Method |
|---|---|---|
|
Cloud Native Anti-DDoS Basic (Anti-DDoS)  NOTE:
Anti-DDoS is enabled by default. |
|
You need to wait until the system deactivates it automatically. |
|
Cloud Native Anti-DDoS Pro |
The system automatically deactivates the black hole 24 hours after the access to a cloud server is blocked. |
You need to wait until the system deactivates it automatically. |
|
Advanced Anti-DDoS |
Contact Huawei Cloud technical support to unblock in advance. You are advised to increase the elastic bandwidth to avoid being black-holed again. |
You can upgrade the elastic protection bandwidth to deactivate the blackhole. |
Black Hole Threshold
The black hole threshold refers to the basic attack mitigation capability provided by Huawei Cloud. When the scale of attack exceeds the threshold, Huawei Cloud executes a black hole policy to block the attacked IP address.
Scrubbing Principles
The system detects attack traffic in real time. Once detecting an attack on a cloud host, the system diverts the service traffic from the original network path to the Huawei Cloud DDoS scrubbing system. The Huawei Cloud DDoS scrubbing system identifies the traffic of the attacking IP address, discards attack traffic, and forwards normal traffic to the target IP address to mitigate the damage to the server.
Self-Service Unblocking Rules
NOTE:
If you have purchased Anti-DDoS Service (CNAD Advanced), you will be rewarded with three self-service blackhole-deactivation quotas for free every month. If the quotas are not used up in the current month, they will be cleared at the end of the month.
- There is a minimum block duration after which you can unblock a blocked IP address. The minimum block duration for the first time you unblock an IP address in a day is 30 minutes. Minimum block duration = 2 (n-1) x 30 minutes (n indicates the number of times you want to unblock the same IP address)
For example, a 30-minute block duration is required for the first time you unblock an IP address, a 60-minute block duration for the second time, and a 120-minute block duration for the third time.
- For the same protected IP address, if it is blocked again less than 30 minutes after it is unblocked, you can unblock it 2n x 30 minutes later (n indicates the number of times you are unblocking it).
For example, if the IP address has been unblocked once at 10:20, and is blocked again at 10:40, the interval between the two time points is less than 30 minutes. This is the second time you unblock the IP address on the day. The IP address cannot be unblocked until the 120-minute block duration expires at 12: 40 (2x2x30 minutes after 10:40).
NOTICE:
If you have unblocked any other IP address within 30 minutes, you cannot unblock the IP address even if the preceding conditions are met.
- Anti-DDoS Service automatically adjusts the allowed IP unblocking attempts and the interval based on the risk control.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
