My traffic has been blackholed, what do I do?

Remotely-triggered blackhole events occur when a DDoS attack’s traffic against a resource reaches a DigitalOcean specified mitigation limit. At that point, DigitalOcean’s traffic scrubbers reach their limit and can no longer mitigate the attack. When this occurs, DigitalOcean temporarily reroutes your traffic (triggers a blackhole) to prevent it from reaching your resources and causing downtime.

While the vast majority of DDoS attacks never reach this threshold, here are some steps you can take if you experience a blackhole event:

  • Document as much about the attack as you can, in order to develop proactive strategies to keep your resources online in the future. This can include documenting things like the geographic source of the attack traffic, protocols used, and packet sizes, which you can later use to build cloud firewall rules or develop app architecture that auto-scales during attacks.
  • Contact DigitalOcean support to report the attack and get assistance troubleshooting. The support team may be able to provide more context on the attack and help you mitigate it in the future.
  • Wait for the attack to end. Most DDoS attacks last between 10 minutes and 2 hours. Wait for at least 1 hour before taking further action. In 2022, 89% of observed attacks lasted less than one hour.
You can disable the address on your Droplet from the command line or through updating your Droplet’s eth1 interface configuration.
Ensure your Droplet’s public and private network interfaces are correctly named eth0 and eth1.
Reserved IPs do not support SMTP traffic.