Homepage
DevelopersGlossarySign Up

What are the Elastic IP Blocking Rules

Background Information

To ensure stable service for all customers, Zenlayer must prevent any single IP address from disrupting the experience of others through abnormal traffic or potential attacks. To this end, an automated anti-abuse protection system has been implemented. It continuously monitors network traffic in real time and applies restrictions when necessary to prevent malicious activity from overloading system resources or degrading overall performance.

IP Blocking is a method used to restrict access to a system or service from a specific IP address. When an IP is blocked, users from that IP cannot access certain websites or services.

IP Blocking Types

Zenlayer currently has the following 3 types of IP blocking:

N Device

The N Device enhances the detection of abnormal communications, attacks, and resource abuse by analyzing network traffic in real time. It can typically block malicious activity within one minute, effectively safeguarding platform security and service stability. This capability is powered by flow sampling technologies (such as sFlow and NetFlow) on core routers. When the bandwidth of a target IP exceeds the defined threshold, the system remotely triggers a blackhole route (RTBH) to drop all traffic to that IP, rapidly mitigating DDoS attacks and maintaining overall network stability.

Trigger Conditions

Excessive Bandwidth Usage

When an elastic IP exceeds a defined bandwidth threshold within a short period of time, Zenlayer may trigger an alert. Whether caused by a sudden business surge or abnormal attack traffic, the platform will assess the situation and intervene if necessary to ensure network stability and security.

Blocking Measures

Temporary Blocking

Upon detecting abnormal traffic, Zenlayer may temporarily block the affected elastic IP. During the block period, some or all network services associated with the IP may be restricted. If the block is triggered by the automated traffic analysis system (via blackhole routing), it will be lifted automatically after two hours. However, if the blackhole route is manually applied by a network engineer, manual removal is required. For services with exceptionally high bandwidth requirements on a single IP, a customized blackhole threshold may be necessary, which must be configured manually by a network engineer.

Concept Explanation

Remote Triggered Black Hole (RTBH) Routing

Remote Triggered Black Hole (RTBH) routing, also known as blackhole routing, is a network security technique designed to defend against Distributed Denial of Service (DDoS) attacks. It works by using the BGP protocol to redirect malicious or unwanted traffic to a "black hole" — a null interface (e.g., null0) — where the traffic is silently discarded. This approach helps prevent the unwanted traffic from reaching its target, effectively mitigating the impact of the attack.

Z Device

The Z Device is a more advanced traffic blocking mechanism compared to the N Device. It uses rate-limiting strategies to control abnormal packet rates, suppressing sudden bursts of high-frequency traffic at the source. This helps ensure the stability of both network infrastructure and platform operations. The Z Device offers faster response times, typically completing blocking actions within 10 seconds, providing stronger real-time protection capabilities.

Trigger Conditions

  • Excessive Bandwidth Usage If an elastic IP consumes unusually high bandwidth in a short period, it may trigger an alert. This typically indicates abnormal traffic and requires intervention, whether due to a legitimate traffic surge or a malicious attack.

  • High PPS (Packets Per Second) When a single elastic IP sends packets exceeding a predefined threshold within a given time frame, it may be identified as exhibiting attack-like behavior. High PPS often signals irregular traffic, such as a DDoS attack.

Blocking Measures

Temporary Blocking

Once abnormal traffic is detected, Zenlayer will temporarily block the affected elastic IP. During the block period, some or all services associated with the IP may be restricted. In most cases, the IP will be unblocked automatically within 2 hours.

Abuse

The Abuse refers to any behavior that violates the rules, terms of service, or ethical guidelines of a platform or service. It can include things like attacking, fraudulent website, infringement, malware, or spamming.

Trigger Conditions

Zenlayer currently handle the following types of Abuse:

  • Attack

  • Fraudulent Website

  • Infringement

  • Malware

  • Spam

  • Others

Zenlayer has implemented the following process to prevent abuse.

Drawing

Concept Explanation

  • DMCA Digital Millennium Copyright Act, a U.S. copyright law that aims to protect copyrighted content in the digital age. It includes provisions for handling online copyright infringement, such as the process of issuing takedown notices to remove infringing content and counter-notices to challenge such claims.

  • GCSC Global Customer Support Center, which typically refers to a centralized support unit that provides assistance to customers worldwide. It handles inquiries, resolves issues, and ensures smooth customer service across different regions and time zones.

Note

If you disputes the removal of infringing content, you may send a DMCA counter-notice to Zenlayer.

PreviousAccess an Elastic Compute InstanceNextElastic Compute Release Notes

Last updated