View annual reports for Anti-DDoS Origin - Anti-DDoS - Alibaba Cloud Documentation Center

This topic describes how to view attack protection reports for Anti-DDoS Origin from the previous year.

Report statistics

Timestamp range:
- Anti-DDoS Origin (Non-Global): You can query data from August 8, 2024, onward.
- Anti-DDoS Origin (Global): You can query data from September 17, 2025, onward.
Data precision: Attack analysis is based on data sampling, which may result in statistical errors.

View and download statistical reports

Go to the Statistical Reports page of the Traffic Security console.
Select Anti-DDoS Origin, set the instance, region, and timestamp range, and then click the icon.
Note
You can select one or more instances in a specific region. You cannot select all instances across all regions.
In the upper-right corner, click Export Report to export the report in an image or PDF format.

Metric descriptions

Overall operational metrics

Metric	Description
Data Metrics	Peak Traffic of Single Attack Event: The peak inbound traffic in bit/s for a single attack event within the selected timestamp range. This includes both attack traffic and service traffic. Peak pps of Single Attack Event: The peak inbound traffic in packets per second (pps) for a single attack event within the selected timestamp range. This includes both attack traffic and service traffic. Blackhole Filtering Events: The total number of blackhole filtering events for the selected instance within the selected timestamp range. Blackhole Filtering Duration: The total duration of all blackhole filtering events for the selected instance within the selected timestamp range. Anti-DDoS Origin Protection Duration: The uptime of the selected instance. If multiple instances are selected, the longest uptime is displayed.
Traffic Scrubbing Events	The total number and type distribution of scrubbing events for the selected instance within the selected timestamp range. This does not include blackhole filtering events.
Protected Assets	The number of protected assets (IP addresses). This data is independent of the selected time range and shows real-time data from the previous day (T-1).

Traffic metrics

Metric

Description

Traffic Trend in bit/s

Inbound Traffic (TOTAL): All inbound traffic in bit/s. This includes both normal service traffic and attack traffic.
Outbound Service Traffic: Normal outbound service traffic in bit/s.

Top 5 Source Regions of Network Layer Attacks

The top 5 source regions of attacks, ranked by the number of requests from source IP addresses.

China: Statistics are grouped by province.
Locations Outside China: Statistics are grouped by country.

Statistical logic:

For each attack event, the system calculates the percentage of requests from each source region (province or country).
The system ranks these percentages across all events to find the top 5.
- Only the largest value is retrieved for each province or country.
- The final list contains five unique regions.

Attack distribution

Metric	Description
Attack Type Distribution	The distribution of attacks, calculated based on the number of occurrences for each attack type. This does not include blackhole filtering events.
Top 10 Attack Source ISPs	The distribution percentage of global Internet Service Providers (ISPs) for attack sources, based on the number of origin requests in attack events. Attack events include both scrubbing and blackhole filtering events.
Volumetric Attacks by Peak Attack Throughput	The number of events corresponding to different peak attack throughput ranges. This does not include blackhole filtering events. The ranges are: 0 Gbit/s to 30 Gbit/s, 30 Gbit/s to 100 Gbit/s, 100 Gbit/s to 300 Gbit/s, 300 Gbit/s to 600 Gbit/s, and above 600 Gbit/s.
Attack Duration Distribution	The number of events corresponding to different attack duration ranges. This does not include blackhole filtering events. The ranges are: 0 to 30 minutes, 30 to 60 minutes, 1 to 3 hours, 3 to 12 hours, and above 12 hours.

Attack ranking metrics

Metric

Description

Top 20 Source IP Addresses by Peak Attack Throughput

This metric displays the top 20 source IP addresses that have the highest peak attack throughput. The ranking is determined by the following logic:

For a single attack event, the system uses sampled traffic to rank source IP addresses by the number of discarded requests.
The system then compares the number of discarded requests across multiple attack events to select the top 20 source IP addresses. For each IP address, only the highest count is used, and a maximum of 20 unique source IP addresses are retained.

Top 10 Destination IP Addresses by Peak Attack Throughput

This metric displays the top 10 destination IP addresses that have the highest peak attack throughput. The ranking is determined by the following logic:

For a single attack event, the system uses sampled traffic to rank destination IP addresses by their peak inbound traffic in bit/s.
The system then compares the peak traffic in bit/s across multiple attack events to select the top 10 destination IP addresses. For each IP address, only the highest peak traffic value is used, and a maximum of 10 unique destination IP addresses are retained.

Protection metrics

Top 10 Destination Ports by Attack

The Top 10 Destination Ports by Attack are ranked as follows:

For a single attack event, the system uses sampled traffic to rank destinations (IP address and port) by the number of discarded requests.
The system then compares the number of discarded requests across multiple attack events to select the top 10 destinations. For each destination, only the highest count is used, and a maximum of 10 unique destinations are retained.

Attack events

This section lists all attack events for the selected instance within the specified timestamp range. Click View Details in the Actions column of an event to go to the Attack Analysis page for more details.

References

For more information about the report metrics for Anti-DDoS Pro and Anti-DDoS Premium, see Statistical reports (Anti-DDoS Pro and Anti-DDoS Premium).