This topic describes the attack source tracing feature of Security Center. The attack source tracing feature automatically traces the sources of attack events and provides original data previews.

Background information

The attack source tracing feature is integrated with logs of multiple Alibaba Cloud services and uses the big data analysis engine to process, aggregate, and visualize data. This generates a link diagram of intrusions and helps you find the causes of intrusions and make urgent decisions at the earliest opportunity. Attack source tracing applies to urgent responses and source tracing in scenarios such as web intrusions, worm events, ransomware, and active connections to malicious download sources in the cloud.

Currently, attack source tracing can trace the sources of all types of alert events. For more information, see Alert types.

Note Three months after a security alert is triggered, the attack source tracing information about the event that triggers the alert is automatically deleted. View the attack source tracing information about alert events in a timely manner.

Limits

  • Attack source tracing is based on the big data analysis engine. The attack source tracing information about some attacks may not be displayed because the attacks do not form an attack chain. In this case, you can directly view the alert details.
  • Security Center automatically handles alerts such as malicious processes and the alert status is automatically set to Blocked. By default, the attack source tracing information about malicious processes is not provided.Security Center cannot trace malicious processes.

Procedure

  1. Log on to the Security center console.
  2. In the left-side navigation pane, click Detection > Alerts.
  3. On the Alerts page, find the target alert event and click The Attack Source Tracing icon.
    Diagnosis

    Click the Diagnosis tab to view the attack name, attack type, affected resources, source IP address of the attack, HTTP request details, and attack request details.

    The Diagnosis tab

    On the Diagnosis tab, you can view the information about each node in the link diagram of the attack source tracing event. Click a node and the Node Attributes page appears. On this page, you can view relevant information about the node.

    Node information

Attack source tracing examples

  • Worm propagation events
    The following figure shows the source IP address of a worm propagation event: 185.234. *. *. The attacker uses SSH brute-force attacks to log on to the target server and runs the curl command through bash to download and run mining programs on the server.Worm propagation
  • Web intrusion events
    The following figure shows the source IP address of a web intrusion event: 202.144. *. *. The attacker exploits web vulnerabilities to insert webshells and mining programs to the target Linux server. Meanwhile, the attacker writes code to the crond command to make the attack persistent. The node information on the Diagnosis tab helps you understand this process more clearly. In addition, you can view multiple IP addresses of the attacker and the URL information of malicious download sources on the Diagnosis tab.Web intrusion
    Click an HTTP attack node to view the details. Traffic data indicates that the attacker exploits unauthorized Apache Solr access vulnerabilities to call API operations and run system commands. To block the attack, you can fix the Apache Solr access vulnerabilities.View nodes