edit-icon download-icon

Risk warning

Last Updated: Jan 19, 2018

The Web application firewall provides security reports that contain risk warning and it displays the information about the common attacks on your service. You can log on to the Web application firewall console and access the Risk Warning page to view information such as risk request category, features, destination interface address, and source IP address. This document describes the supported warning types and corresponding protective measures.

Hacker attack

Risk warning provides the hacker profiling function based on Alibaba Cloud big data analytics and the attack source tracing capability. This function identifies and records the malicious behaviors and activities of recognized hackers on your website. These behaviors include footprints, scans, and attacks. A hacker can be an individual or it can be a group of hackers, with real identities. When you receive such alarms, it means your website is hacked by a “recorded hacker”.

hacker attack

Dots in the figure indicate the activity of hackers on the corresponding date. Click a specific dot to view the detailed attack record. Where:

  • Different lines stand for different hackers. Click hacker information to view the characteristics of the hacker.
  • The severity of the hazard is gauged by the color of the dot. Darker the color, more severe is the hazard.
  • The size of the dots indicates frequency of attacks during the day. Bigger dots indicate more attacks and smaller dots, lesser attacks.


The attack displayed in the report is intercepted by WAF. You do not need to worry about it. We recommend that you pay attention to non-web services security on the server because the hackers may try various options (for example, SSH and database port) to penetrate in to your website.

WordPress attack

Risk warning detects WordPress attacks according to attack features described in Prevent WordPress bounce attacks. If the number of such warnings keep increasing, chances are more that your server is attacked.


Configure HTTP flood protection according to the defense suggestions provided in the preceding document.

Suspected attack

Based on the exception detection algorithm of big data analytics, WAF screens suspicious access requests, which may include abnormal parameter names, types, sequences, special symbols, and statements, for you to perform further analysis and provide protection based on service features.

The risk warnings highlight the abnormal portion. For example, the request shown in the following figure includes two repeated parameters and is not connected with the conventional “&” symbol.

Suspected attack


The alarm here reports a suspicious request, which may be a normal request of a special service or a variant attack. Analyze the alarm based on features of your service.

Robots script

WAF supports detecting features of common machine script tools, such as Python2.2 and HttpClient. If you have not submit a large number of requests through the test tool recently, the alarm number indicates the number of malicious requests received or detected from some machine script tools. It may also include the tools used to test the traffic pressure or initiate HTTP flood attacks.


Check whether HTTP flood attacks exist by analyzing logs and intercept malicious attacks based on protection algorithms such as HTTP ACL Policy and HTTP flood protection emergency mode.

Bot attack

WAF supports detecting crawler requests (including valid crawlers such as Baidu spider). If the number of this alarms is high, the number of requests increases abnormally on the server, and the CPU usage increases, the website may encounter malicious crawler requests or HTTP flood attacks that are masqueraded as crawlers.


Based on logs and server performance analysis, check whether HTTP flood attacks or malicious crawler requests exist. For more information, see Intercept malicious crawlers. WAF does not incept valid crawler (for example, Baidu crawler) requests.

SMS abuse

WAF supports detecting requests on interfaces such as the short message registration interface and short message verification interface. If you receive more alarms, chances are higher that your short message interface is being abused (causing high short message overhead).


Click View Details to view specific requests. You can analyze whether the invocation is normal service invocation based on the source IP address and interface to which most requests are sent. If not, we recommend that you use Custom HTTP flood protection to protect the abused interfaces.

Thank you! We've received your feedback.