What are the Elastic IP Blocking Rules
Background Information
To ensure stable service for all customers, Zenlayer must prevent any single IP address from disrupting the experience of others through abnormal traffic or potential attacks. To this end, an automated anti-abuse protection system has been implemented. It continuously monitors network traffic in real time and applies restrictions when necessary to prevent malicious activity from overloading system resources or degrading overall performance.
IP Blocking is a method used to restrict access to a system or service from a specific IP address. When an IP is blocked, users from that IP cannot access certain websites or services.
IP Blocking Types
Zenlayer currently has the following 3 types of IP blocking:
N Device
The N Device enhances the detection of abnormal communications, attacks, and resource abuse by analyzing network traffic in real time. It can typically block malicious activity within one minute, effectively safeguarding platform security and service stability. This capability is powered by flow sampling technologies (such as sFlow and NetFlow) on core routers. When the bandwidth of a target IP exceeds the defined threshold, the system remotely triggers a blackhole route (RTBH) to drop all traffic to that IP, rapidly mitigating DDoS attacks and maintaining overall network stability.
Trigger Conditions
Excessive Bandwidth Usage
When an elastic IP exceeds a defined bandwidth threshold within a short period of time, Zenlayer may trigger an alert. Whether caused by a sudden business surge or abnormal attack traffic, the platform will assess the situation and intervene if necessary to ensure network stability and security.
Blocking Measures
Temporary Blocking
Upon detecting abnormal traffic, Zenlayer may temporarily block the affected elastic IP. During the block period, some or all network services associated with the IP may be restricted. If the block is triggered by the automated traffic analysis system (via blackhole routing), it will be lifted automatically after two hours. However, if the blackhole route is manually applied by a network engineer, manual removal is required. For services with exceptionally high bandwidth requirements on a single IP, a customized blackhole threshold may be necessary, which must be configured manually by a network engineer.
Concept Explanation
Remote Triggered Black Hole (RTBH) Routing
Remote Triggered Black Hole (RTBH) routing, also known as blackhole routing, is a network security technique designed to defend against Distributed Denial of Service (DDoS) attacks. It works by using the BGP protocol to redirect malicious or unwanted traffic to a "black hole" — a null interface (e.g., null0) — where the traffic is silently discarded. This approach helps prevent the unwanted traffic from reaching its target, effectively mitigating the impact of the attack.
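The N Device behaviour described above, as an added Python example (not Zenlayer's code): sampled flow records are scaled up to a bandwidth estimate per destination IP, an IP over its threshold is blackholed for two hours, manual blackholes persist until removed, and an engineer can set a custom per-IP threshold. The class and method names, the 1 Gbit/s default threshold, the sampling rate, the window length and the sample records are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

AUTO_BLOCK_SECONDS = 2 * 60 * 60       # automated blackholes lift after two hours
DEFAULT_THRESHOLD_BPS = 1_000_000_000  # assumed; the page does not publish the threshold

@dataclass
class Blackhole:
    manual: bool
    expires_at: Optional[float]        # None: manually applied, needs manual removal

class RtbhController:
    def __init__(self, sampling_rate, window_s, custom_thresholds=None):
        self.sampling_rate = sampling_rate      # 1-in-N packet sampling (sFlow/NetFlow)
        self.window_s = window_s
        self.custom = custom_thresholds or {}   # per-IP thresholds set by an engineer
        self.active = {}                        # ip -> Blackhole

    def estimate_bps(self, samples):
        """samples: (dst_ip, sampled_bytes) records seen during one window."""
        totals = defaultdict(int)
        for dst, nbytes in samples:
            totals[dst] += nbytes
        scale = self.sampling_rate * 8 / self.window_s  # sampled bytes -> estimated bits/s
        return {ip: total * scale for ip, total in totals.items()}

    def evaluate(self, samples, now):
        """Blackhole every destination whose estimated rate exceeds its threshold."""
        triggered = []
        for ip, bps in self.estimate_bps(samples).items():
            if bps > self.custom.get(ip, DEFAULT_THRESHOLD_BPS) and ip not in self.active:
                self.active[ip] = Blackhole(False, now + AUTO_BLOCK_SECONDS)
                triggered.append(ip)
        return triggered

    def block_manually(self, ip):
        self.active[ip] = Blackhole(True, None)

    def expire(self, now):
        """Lift automated blocks whose two hours have passed; manual ones stay."""
        lifted = [ip for ip, b in self.active.items()
                  if b.expires_at is not None and now >= b.expires_at]
        for ip in lifted:
            del self.active[ip]
        return lifted

# Constructed sample: 10 s window, 1-in-1000 sampling, documentation-range addresses.
SAMPLES = [("203.0.113.10", 1_200_000), ("203.0.113.10", 800_000),
           ("203.0.113.20", 500_000), ("203.0.113.30", 2_000_000)]
```

With these records, 203.0.113.10 and 203.0.113.30 both estimate to 1.6 Gbit/s, but only the first is blackholed when the second carries a custom 5 Gbit/s threshold.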
Z Device
The Z Device is a more advanced traffic blocking mechanism compared to the N Device. It uses rate-limiting strategies to control abnormal packet rates, suppressing sudden bursts of high-frequency traffic at the source. This helps ensure the stability of both network infrastructure and platform operations. The Z Device offers faster response times, typically completing blocking actions within 10 seconds, providing stronger real-time protection capabilities.
Trigger Conditions
Excessive Bandwidth Usage: If an elastic IP consumes unusually high bandwidth in a short period, it may trigger an alert. This typically indicates abnormal traffic and requires intervention, whether due to a legitimate traffic surge or a malicious attack.
High PPS (Packets Per Second): When a single elastic IP sends packets exceeding a predefined threshold within a given time frame, it may be identified as exhibiting attack-like behavior. High PPS often signals irregular traffic, such as a DDoS attack.
Blocking Measures
Temporary Blocking
Once abnormal traffic is detected, Zenlayer will temporarily block the affected elastic IP. During the block period, some or all services associated with the IP may be restricted. In most cases, the IP will be unblocked automatically within 2 hours.
Abuse
Abuse refers to any behavior that violates the rules, terms of service, or ethical guidelines of a platform or service. It can include attacks, fraudulent websites, infringement, malware, or spamming.
Trigger Conditions
Zenlayer currently handles the following types of abuse:
Attack
Fraudulent Website
Infringement
Malware
Spam
Others
Zenlayer has implemented the following process to prevent abuse.
Concept Explanation
DMCA: Digital Millennium Copyright Act, a U.S. copyright law that aims to protect copyrighted content in the digital age. It includes provisions for handling online copyright infringement, such as the process of issuing takedown notices to remove infringing content and counter-notices to challenge such claims.
GCSC: Global Customer Support Center, which typically refers to a centralized support unit that provides assistance to customers worldwide. It handles inquiries, resolves issues, and ensures smooth customer service across different regions and time zones.