What do I do if my traffic is blackholed?

Remotely-triggered blackhole events occur when a DDoS attack’s traffic against a resource reaches a DigitalOcean-specified mitigation limit. At that point, DigitalOcean’s traffic scrubbers reach their limit and can no longer mitigate the attack. When this occurs, DigitalOcean temporarily reroutes your traffic (triggers a blackhole) to prevent it from reaching your resources and causing downtime.

While the vast majority of DDoS attacks never reach this threshold, here are some steps you can take if you experience a blackhole event:

  • Document as much about the attack as you can so that you can develop proactive strategies to keep your resources online in the future. This can include the geographic source of the attack traffic, the protocols used, and the packet sizes, which you can later use to build cloud firewall rules or to develop app architecture that auto-scales during attacks.
  • Contact DigitalOcean support to report the attack and get assistance troubleshooting. The support team may be able to provide more context on the attack and help you mitigate it in the future.
  • Wait for the attack to end. Most DDoS attacks last between 10 minutes and 2 hours. Wait for at least 1 hour before taking further action. In 2022, 89% of observed attacks lasted less than one hour.
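
One way to produce the notes the first step asks for, as an added example that is not DigitalOcean's own tooling: it tallies protocol, source prefix, source port and payload size from capture text in the shape `tcpdump -nn -q` prints. The sample lines, the function names and the /24 grouping (a stand-in for geographic source, which needs a separate GeoIP lookup) are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample in the shape of `tcpdump -nn -q` output
# (documentation address ranges only; not real attack data).
SAMPLE = """\
12:00:00.000001 IP 203.0.113.5.53 > 198.51.100.10.44321: UDP, length 1400
12:00:00.000002 IP 203.0.113.9.53 > 198.51.100.10.44321: UDP, length 1400
12:00:00.000003 IP 203.0.113.77.123 > 198.51.100.10.44321: UDP, length 468
12:00:00.000004 IP 192.0.2.14.51000 > 198.51.100.10.443: tcp 0
12:00:00.000005 IP 192.0.2.200 > 198.51.100.10: ICMP echo request, id 1, seq 1, length 64
12:00:00.000006 ARP, Request who-has 198.51.100.10 tell 198.51.100.1, length 28
"""

# IPv4 source, optional source port, protocol keyword, trailing length field.
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > \S+: "
    r"(?P<proto>UDP|tcp|ICMP)\b.*?(?:length )?(?P<size>\d+)$"
)

def bucket(size):
    """Coarse payload-size bands, enough to tell floods of tiny packets from amplification."""
    return "<=128" if size <= 128 else "129-512" if size <= 512 else ">512"

def summarize(text):
    protos, prefixes, sizes, sports = Counter(), Counter(), Counter(), Counter()
    skipped = 0
    for line in text.splitlines():
        m = LINE.search(line.strip())
        if not m:
            skipped += 1  # non-IPv4 or unrecognised line: counted, not hidden
            continue
        proto = m["proto"].upper()
        protos[proto] += 1
        # /24 grouping approximates "where from"; map prefixes to country/ASN separately.
        prefixes[str(ip_network(m["src"] + "/24", strict=False))] += 1
        sizes[bucket(int(m["size"]))] += 1
        if m["sport"]:
            # A fixed source port (53, 123, ...) points at reflection via that service.
            sports[(proto, int(m["sport"]))] += 1
    return {"protocols": protos, "source_prefixes": prefixes,
            "payload_sizes": sizes, "source_ports": sports, "skipped": skipped}

if __name__ == "__main__":
    for name, value in summarize(SAMPLE).items():
        print(name, dict(value) if isinstance(value, Counter) else value)
```

The top entries of each counter are the facts to hand to support and to carry into firewall rules, for example a dominant UDP source port paired with large payloads.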