How to view the service data and DDoS attack details of an instance and a domain name in the Anti-DDoS Proxy console - Anti-DDoS

This topic describes how to view the service data and DDoS attack details of an instance and a domain name in the Anti-DDoS Proxy console after you add the domain name to Anti-DDoS Proxy. This helps you learn protection information about your assets and adjust your DDoS mitigation policies in a timely manner.

Overview

Anti-DDoS Proxy allows you to view data within the last 30 days. You can click Traffic Relationships and Description in the upper-right corner of the Security Overview page to learn traffic-related concepts of Anti-DDoS Proxy.

Prerequisites

An Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance is purchased. For more information, see Purchase an Anti-DDoS Proxy instance.
A website service or non-website service is added to Anti-DDoS Proxy. For more information, see Add websites or Manage forwarding rules.

Instance

Anti-DDoS Proxy displays information about services and DDoS attack details by instance.

Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
- Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.
- Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland), select Outside Chinese Mainland.

In the left-side navigation pane, click Security Overview. On the Instance tab of the Security Overview page, view the following information.

安全总览-实例-cn

Section	Description
Bandwidth (marked 1 in the preceding figure)	Anti-DDoS Proxy (Chinese Mainland) provides the Bandwidth trend chart to show traffic information by bps or pps. You can view the trends of inbound, outbound, attack, and rate limit traffic of an instance within a specific time range. Anti-DDoS Proxy (Outside Chinese Mainland) provides the Overview tab to show bandwidth trends, the Inbound Traffic Distribution tab to show the distribution of inbound traffic, and the Outbound Traffic Distribution tab to show the distribution of outbound traffic.
Connections (marked 2 in the preceding figure)	Concurrent Connections: the total number of concurrent TCP connections that are established between clients and the instance. Active: the number of TCP connections in the Established state Inactive: the number of TCP connections in all states except for the Established state. New Connections: the number of new TCP connections that are established between clients and the instance per second.
Network Layer Attack Events, Alert on Exceeded Upper Limits, and Destination Rate Limit Events (marked 3 in the preceding figure)	Network Layer Attack Events You can move the pointer over an IP address or a port to view the details of an attack, such as Attack Target, Attack Type, Peak Attack Traffic, and Protection Effect. Alerts on Exceeded Upper Limits The following event types of alerts are supported: clean bandwidth, new connections, and concurrent connections. If the purchased specification that corresponds to an event type is exceeded, an alert of this event type is generated. In this case, your business is not affected, and a specification upgrade is recommended. For more information, see Upgrade an instance. You can click Details in the Status column of an alert to go to the System Logs page to view the details of the alert. Note The alerts on exceeded upper limits are updated at 10:00 (UTC+8) every Monday. After the update, the alerts that were generated on the previous day are displayed. If you configure a notification method, such as internal messages, text messages, or emails, you receive a notification at 10:00 (UTC+8) every Monday. The notification includes the alerts that were generated on the previous day. Destination Rate Limit Events If the number of new connections, the number of concurrent connections, or the service bandwidth exceeds the specifications of your instance, rate limiting is triggered, and a destination rate limit event is generated. In this case, your business is affected. If rate limiting is triggered by service traffic, we recommend that you upgrade the specifications of your instance at the earliest opportunity. For more information, see Upgrade an instance. If rate limiting is triggered by DDoS attacks, we recommend that you adjust your mitigation policies at the earliest opportunity. For more information, see Configure the IP address blacklist and whitelist for an Anti-DDoS Proxy instance. You can click Details in the Status column of an alert to go to the System Logs page to view the details of the alert.
Service Distribution by Location and Service Distribution by ISP (marked 4 in the preceding figure)	Service Distribution by Location: the distribution of source locations from which service traffic is sent. Service Distribution by ISP: the distribution of Internet service providers (ISPs) from which service traffic is sent.

Domain name

Anti-DDoS Proxy displays information about services and details of DDoS attack events by domain name.

Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
- Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.
- Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland), select Outside Chinese Mainland.

In the left-side navigation pane, click Security Overview. On the Websites tab of the Security Overview page, view the following information.

Total QPS by Instance

In the All Domain Names drop-down list, click the Total QPS by Instance tab, select the required exclusive IP addresses, and then click OK. 安全总览-全部实例QPS

Section

Description

Request Rate (QPS) (marked 1 in the preceding figure)

The trend of queries per second (QPS) is displayed for different instances. The displayed time granularity varies based on the specified time range.

Status Codes and Requests (marked 2 in the preceding figure)

The status codes are displayed for different instances. The number of status codes is accumulated within the displayed time granularity. The following list describes status codes:

2XX: The request is successfully received, understood, and accepted by the server.
Note
Statistics on 2XX status codes include the statistics on the 200 status code.
3XX: The client must perform further operations to complete the request. In most cases, a 3XX status code indicates redirection.
4XX: The client may be faulty, which interrupts server processing.
5XX: An error or an exception occurred when the server processes the request.

QPS by Domain

In the All Domain Names drop-down list, click the QPS by Domain tab, select the required domain names, and then click OK.

安全总览-域名-cn

Section	Description
Request Rate (QPS) (marked 1 in the preceding figure)	The QPS trend is displayed for different domain names. The displayed time granularity varies based on the specified time range.
Bandwidth (marked 2 in the preceding figure)	This section displays the trend charts of the outbound and inbound peak bandwidth of the domain name.
Status Codes and Requests (marked 3 in the preceding figure)	The status codes are classified into Anti-DDoS Proxy status codes and status codes of origin servers. The trend chart of the accumulated numbers of requests with specific status codes within a specific time range. The following list describes status codes: 2XX: The request is successfully received, understood, and accepted by the server. Note Statistics on 2XX status codes include the statistics on status code 200. 200: The request succeeded. 3XX: The client must perform further operations to complete the request. In most cases, a 3XX status code indicates redirection. 4XX: The client may be faulty, which interrupts server processing. 404: The server cannot be accessed. 5XX: An error or an exception occurred when the server processes the request. 502: Anti-DDoS Proxy attempts to process the request as a proxy server, but receives invalid responses from the upstream server. 503: The server may be overloaded or in temporary maintenance and cannot process the request. 504: Anti-DDoS Proxy attempts to process the request as a proxy server, but does not receive responses from the upstream server in a timely manner.
URI Requests and URI Response Time (marked 4 in the preceding figure)	The top 5 URIs that are most frequently requested and the top 5 URIs based on the response time. You can click More to view more data.
Application Layer Scrubbing Events (marked 5 in the preceding figure)	This section displays the scrubbing events that occur at the application layer. You can move the pointer over a domain name to view the attack details, such as the information about the domain name, peak attack traffic, and attack type.
Source Location (marked 6 in the preceding figure)	This section displays the distribution of source locations from which requests are sent.
Cache Hit Ratio (marked 7 in the preceding figure)	You can view the trend chart of cache hit rates only after you enable the static page caching feature. For more information, see Anti-DDoS Lab.