Anti-DDoS: Blocked records

Last Updated: May 28, 2026

After you configure protection policies, it can be difficult to verify whether they are in effect or whether legitimate traffic is being blocked by mistake. The Blocked Records page of Anti-DDoS Native displays details of intercepted attack packets so that you can quickly verify protection effectiveness and troubleshoot false positives. This topic describes how to query interception records on the Blocked Records page in the console and explains the meaning of each field and the available filter conditions.

Overview

The Blocked Records page displays detailed information about attack packets that your Anti-DDoS Native protection instance has identified and blocked during operation. On this page, you can view key fields for each interception record, including the timestamp, source and destination IP addresses, protocol type, and the protection module that triggered the action.

Use the Blocked Records page to:

  • Verify that your protection policies are working as expected by confirming that attack packets are correctly intercepted.

  • Identify false positives and investigate why legitimate traffic may be blocked.

  • Analyze attack sources and patterns to refine your protection policies.

Note

The Blocked Records page is designed for quick inspection of recent interception records. For large-scale log analysis, use the Log Service feature. The page is available only for Anti-DDoS Native instances and displays only instance-level interception records. If you are using Anti-DDoS Proxy, use Log Service to view more comprehensive access logs and attack logs.

Scope

  • An Anti-DDoS Native instance is created and Protected Objects are configured.

  • Only Anti-DDoS Native instances are supported. Anti-DDoS Proxy instances do not support this feature.

Query interception records

  1. Go to the Blocked Records page of the Traffic Security console.

  2. Set filter conditions: On the Blocked Records page, set the following filter conditions as needed:

    • Instance: Select an Anti-DDoS Native instance from the drop-down list.

    • Time Range: Select a query time range. Records from the past 7 days at most are available.

    • Protocol: Select a protocol type, such as All Protocols, TCP, or UDP.

    • Source IP Address, Destination IP, Source Port, Destination Port: Switch between these filter criteria based on your needs. Source IP Address is the default filter.

  3. After the query completes, the page displays a list of interception records. The list includes fields such as time window, source IP, destination IP, protocol, source port, destination port, match count, action, and action module. If no interception records exist within the selected time range, a "No Data" message appears in the list area.

    Note

    If the query returns no results, check the following:

    • Verify that the instance and time range filter conditions are correct.

    • Confirm whether the instance has any intercepted packets during the selected time range.

    | Column | Description |
    | --- | --- |
    | Source IP Address | The IP address from which the attack originated. |
    | Destination IP | The IP address that was targeted by the attack. |
    | Protocol | The transport layer protocol, such as TCP or UDP. |
    | Source Port | The source port number of the attack packet. |
    | Destination Port | The destination port number of the attack packet. |
    | Time Window | The time range during which the packet was intercepted, in the format YYYY-MM-DD HH:mm. |
    | Match Count | The cumulative number of times packets with the same characteristics were intercepted. |
    | Mitigate | The action taken on the packet, such as "Intercept". |
    | Mitigation Module | The protection module that triggered the interception (for example, Port Blocking or Byte-Match Filter). |
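The fields above are enough to triage a batch of records offline for the two uses named in the Overview: spotting false positives and ranking attack sources. The following Python example is added here and is not part of the product or its documentation; it assumes rows transcribed by hand from the console list into tuples, and the sample rows, the addresses, the `KNOWN_GOOD` ranges, and the `triage` function name are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (RFC 5737 documentation addresses, not real data).
# Field names mirror the console columns; the tuple layout is an assumption.
FIELDS = ("time_window", "src_ip", "dst_ip", "protocol", "src_port", "dst_port",
          "match_count", "module")
ROWS = [
    ("2026-05-27 10:01", "198.51.100.7", "203.0.113.10", "UDP", 53, 40001, 1200, "Port Blocking"),
    ("2026-05-27 10:02", "198.51.100.7", "203.0.113.10", "UDP", 53, 40002, 800, "Port Blocking"),
    ("2026-05-27 10:02", "192.0.2.25", "203.0.113.10", "TCP", 51514, 443, 3, "Byte-Match Filter"),
    ("2026-05-19 09:00", "198.51.100.9", "203.0.113.10", "TCP", 4444, 22, 50, "Port Blocking"),
]
# Hypothetical ranges you know to be legitimate (partners, monitoring, office egress).
KNOWN_GOOD = [ipaddress.ip_network("192.0.2.0/24")]


def triage(rows, known_good, now, retention_days=7):
    """Return (false_positive_candidates, ranked_sources, stale_row_count)."""
    cutoff = now - timedelta(days=retention_days)
    totals = defaultdict(lambda: {"matches": 0, "modules": set()})
    stale = 0
    for row in rows:
        rec = dict(zip(FIELDS, row))
        # Time Window uses the documented YYYY-MM-DD HH:mm format.
        if datetime.strptime(rec["time_window"], "%Y-%m-%d %H:%M") < cutoff:
            stale += 1  # past the 7-day limit, can no longer be re-queried
            continue
        entry = totals[rec["src_ip"]]
        # Assumption: Match Count is counted per row, so rows can be summed.
        entry["matches"] += rec["match_count"]
        entry["modules"].add(rec["module"])
    review, sources = [], []
    for ip, entry in totals.items():
        item = (ip, entry["matches"], sorted(entry["modules"]))
        addr = ipaddress.ip_address(ip)
        # Blocked traffic from a known-good range is a false-positive candidate.
        (review if any(addr in net for net in known_good) else sources).append(item)
    sources.sort(key=lambda i: i[1], reverse=True)
    return review, sources, stale


if __name__ == "__main__":
    review, sources, stale = triage(ROWS, KNOWN_GOOD, datetime(2026, 5, 28, 12, 0))
    print("Possible false positives:", review)
    print("Blocked sources by match count:", sources)
    print("Rows past retention:", stale)
```

The module names attached to each false-positive candidate indicate which protection policy setting to review before changing any list.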

Process interception records

The Blocked Records page provides the following two ways to handle intercepted source IP addresses:

  • Add to Blacklist: Add the source IP to the IP protection policy blocklist. All subsequent traffic from this IP is directly blocked.

  • Add to Whitelist: Add the source IP to the IP protection policy allowlist. All subsequent traffic from this IP is allowed through.

  1. In the Operation column of the target interception record, click Add to Blacklist or Add to Whitelist.

  2. Bind a protection policy (optional): If the current source IP is not bound to an IP-specific Mitigation Policy, bind one first, then return to the Blocked Records page and repeat step 1.

    Note

    Click Bind Policy to navigate to the Protected Objects page.

    On the Modify Mitigation Policy tab, select the target IP-specific Mitigation Policy and click OK. After the binding is complete, use the browser back button to return to the Blocked Records page.

  3. If a protection policy is already bound, in the Add to Blacklist or Add to Whitelist dialog box, confirm the Current Associated Policy and Timeout Configuration, then click Add.

    Note

    • The dialog box displays the timeout configuration information. Blocklisted IPs are automatically removed after the timeout period expires. To modify the timeout duration, go to the Blacklist and Whitelist page of the IP protection policy.

    • Changes to the allowlist and blacklist take effect immediately and apply to all other IPs bound to the same policy.

Verify processing results

  1. Go to the Protected Objects page of the Traffic Security console.

  2. In the Actions column for the processed target IP, click IP-specific Mitigation Policy.

  3. On the policy details page, in the Blacklist and Whitelist section, click View.

  4. On the View Blacklist or Whitelist tab, verify whether the target IP exists in the blacklist or whitelist.

Precautions

  • Interception records are retained for 7 days by default. Records that exceed the retention period cannot be queried.

  • There is a delay in interception data. Recently intercepted packets may not appear in query results immediately.