The Adv. Mitigation Logs page shows how your advanced mitigation sessions have been consumed. Each row represents a DDoS attack event and shows whether it used a session, the attack's peak bandwidth, and the events that occurred during the attack window. Use this page to audit session usage and review historical attack activity.
Prerequisites
Before you begin, make sure that:
Advanced mitigation sessions are included free of charge with your instance, or you have purchased global advanced mitigation sessions
Your instance is one of the supported types:
Product Supported plans Anti-DDoS Pro (the Chinese mainland) Pro Anti-DDoS Premium (outside the Chinese mainland) Insurance mitigation plan, Unlimited mitigation plan, Sec-CMA (including Sec-CMA 1.0, Sec-CMA (Basic), Sec-CMA 2.0 (Insurance), and Sec-CMA 2.0 (Unlimited))
Query limits
| Limit | Details |
|---|---|
| Query time range | Last 90 days |
| View event details | Available only for attacks within the last 30 days. For older events, the View Events button is dimmed and event details cannot be accessed. |
View advanced mitigation logs
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): Select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): Select Outside Chinese Mainland.
In the left-side navigation pane, choose Investigation > Adv. Mitigation Logs.
On the Adv. Mitigation Logs page, select the target instance and the time range for your query.
The log table displays the following fields:
Field Description Protection Time The time range during which the DDoS attack event occurred. Instance The ID of the instance to which the attacked asset's public IP address is added. Peak Volume The peak bandwidth of the DDoS attack. Included Events The number of blackhole filtering events or scrubbing events that occurred during the attack window. Status Whether the attack event consumed an advanced mitigation session. Used means the attack has ended and a session was consumed. In Use means the attack is ongoing and a session is currently being consumed. Actions For attacks within the last 30 days, click View Events to open the Attack Analysis page and review event details. For more information, see View information on the Attack Analysis page.