The Attack Analysis page lists every attack event detected on your Anti-DDoS Proxy instance, with details on source IP addresses, attack type distribution, and geographic distribution. For each event, you can drill into details and navigate directly to the relevant mitigation settings to adjust your protection configuration.
Attack events appear only when detection thresholds are met. For Volumetric events, inbound traffic must reach at least 1 Gbit/s and scrubbed traffic must exceed 100 Mbit/s. Traffic below these thresholds is not recorded as an event, even if scrubbed traffic is visible in the console. To lower the threshold, click Set Alert Threshold on the Security Overview page.
Attack event types
Anti-DDoS Proxy records three types of attack events:
| Attack type | Description |
|---|---|
| Web Resource Exhaustion | Attackers simulate legitimate users and repeatedly hit resource-intensive pages on a web service. This exhausts server resources and prevents the service from responding to normal requests. If multiple domain names on the same instance are targeted simultaneously, each domain generates a separate event. |
| Connection Type | Attackers flood a service port with TCP or UDP connections, overloading the server and causing it to reject new connection requests. If multiple ports are targeted simultaneously, each port generates a separate event. |
| Volumetric | Attackers send massive traffic from zombie servers to the IP address of an Anti-DDoS Proxy instance, causing network congestion and service failures. If multiple instance IPs are targeted simultaneously, each IP generates a separate event. |
Prerequisites
Before you begin, make sure you have:
An Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance. For more information, see Purchase an Anti-DDoS Proxy instance.
A website service or non-website service added to the instance. For more information, see Add websites or Manage forwarding rules.
Query attack events
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance:
Anti-DDoS Proxy (Chinese Mainland): Select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): Select Outside Chinese Mainland.
In the left-side navigation pane, choose Investigation > Attack Analysis.
On the Attack Analysis page, select an attack type and a time range.
You can query events from the previous 180 days only.
(Optional) Click View Details in the Actions column to open the event details page.
To export the event details, click Export Report in the upper-right corner, then select Export Image (PNG) or Export to PDF.
To submit feedback on the protection effect, click Effect Feedback in the Actions column.
Event details
Web Resource Exhaustion
The event details page lets you review attack metrics and configure protection for the affected domain name.
Basic information
| Field | Description |
|---|---|
| Attack Time | The time when the attack occurred. |
| Attack Target | The domain name that was attacked. Click Mitigation Settings next to this field to configure protection for the domain on the Protection for Website Services tab. See Protection for website services. |
| Maximum Requests | The peak request rate during the attack. |
| Total Received Requests | The total requests received in a window around the attack. The window is calculated as follows: the start time is the attack start time rounded down to the nearest half-hour, minus 30 minutes; the end time is the attack end time rounded up to the nearest half-hour, plus 30 minutes. For example, if the attack starts at 11:20, the start time is 10:30 (11:20 rounds down to 11:00, minus 30 minutes). If the attack ends at 12:20, the end time is 13:00 (12:20 rounds up to 12:30, plus 30 minutes). |
| Total Blocked Requests | The number of requests blocked by Anti-DDoS Proxy during the attack. |
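The Total Received Requests window, computed as an added example (this is not code from the Anti-DDoS Proxy documentation or product); it assumes that a time already on a half-hour boundary is left unchanged by the rounding, and the dates used are constructed:

```python
from datetime import datetime, timedelta

HALF_HOUR = timedelta(minutes=30)
FMT = "%Y-%m-%d %H:%M"


def floor_to_half_hour(t: datetime) -> datetime:
    """Round down to the nearest :00 or :30; a time already on a boundary is unchanged."""
    return t.replace(minute=(t.minute // 30) * 30, second=0, microsecond=0)


def ceil_to_half_hour(t: datetime) -> datetime:
    """Round up to the nearest :00 or :30; a boundary time is unchanged (assumption)."""
    floored = floor_to_half_hour(t)
    return floored if floored == t else floored + HALF_HOUR


def received_requests_window(attack_start: datetime, attack_end: datetime) -> tuple[datetime, datetime]:
    """Window for Total Received Requests: start = attack start rounded down minus 30 min,
    end = attack end rounded up plus 30 min. datetime arithmetic carries the date, so a
    window that crosses midnight lands on the next day."""
    if attack_end < attack_start:
        raise ValueError("attack_end must not precede attack_start")
    return floor_to_half_hour(attack_start) - HALF_HOUR, ceil_to_half_hour(attack_end) + HALF_HOUR


def window_for(start: str, end: str) -> tuple[str, str]:
    """String wrapper ('YYYY-MM-DD HH:MM' in, same format out) for quick checks."""
    w_start, w_end = received_requests_window(datetime.strptime(start, FMT), datetime.strptime(end, FMT))
    return w_start.strftime(FMT), w_end.strftime(FMT)


if __name__ == "__main__":
    # The documentation's own example: 11:20 -> 10:30 and 12:20 -> 13:00 (date is constructed).
    print(window_for("2024-05-01 11:20", "2024-05-01 12:20"))
    # Edge cases: boundary times stay put; an attack ending late rolls the window into the next day.
    print(window_for("2024-05-01 11:00", "2024-05-01 12:30"))
    print(window_for("2024-05-01 23:40", "2024-05-01 23:50"))
```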
Attack Mitigation Details
Shows the total inbound queries per second (QPS) and the QPS trends attributed to each mitigation module, along with Effective Time of Policy and Blocked Requests for triggered policies. Use the time range selector in the upper-right corner to zoom in on a specific period.
Mitigation modules include Blacklist, Location Blacklist, Frequency Control, Accurate Access Control, and Others. The Others module handles requests that fail CAPTCHA verification and similar checks. For configuration details, see Protection for website services.
Blocked Requests by Protection Module
Shows the distribution of blocked requests across mitigation modules. Click Mitigation Settings in the upper-right corner to configure protection modules. See Protection for website services.
Top 10 Hit Policies
Shows the 10 most frequently triggered mitigation policies and their hit counts. Click More to expand the view to the top 100 policies. Click Mitigation Settings in the upper-right corner to adjust policies. See Protection for website services.
Source Location
Shows the geographic distribution of attack requests. Switch between Global and Chinese Mainland to view by country or by administrative region. Click More to see the full breakdown by location. To block requests from a specific region, click Mitigation Settings and configure the Location Blacklist feature. See Configure the location blacklist (domain names) feature.
URL
Shows the top 5 URLs by request volume, in descending order. Click More to view all requested URLs and their request counts (the expanded view also shows the domain names that each URI belongs to). To configure rate limiting for specific URIs, click Mitigation Settings and configure the Frequency Control feature. See Configure frequency control.
URI Response Time
Shows the top 5 URIs with the longest response times. URI response time is the total time from when the client sends a request to when it receives a complete response. Use this data to tune your HTTP flood mitigation settings. See Configure the HTTP flood mitigation feature.
Attacker IP Address
Shows the top 10 source IP addresses by suspicious connection count, along with their geographic locations. Click More to expand the view to the top 100 source IPs.
Only the top 100 source IP addresses are available.
To block traffic from a specific IP address, click Mitigation Settings and configure the Blacklist and Whitelist feature. See Configure blacklists and whitelists for domain names.
Request characteristics
The following sections each show the top 5 values for a request attribute. Use these to identify attack patterns and tune your HTTP flood mitigation settings. See Configure the HTTP flood mitigation feature.
| Section | What it shows |
|---|---|
| User-Agent | The top 5 User-Agent strings in incoming requests. User-Agent identifies the browser, rendering engine, and version of the client. |
| Referer | The top 5 Referer header values. Referer identifies the source URL of each request. |
| HTTP-Method | The top 5 HTTP methods used in incoming requests. |
| Client Fingerprint | The top 5 client fingerprints. Fingerprints are derived from TLS fingerprints using Alibaba Cloud-developed algorithms, and are used to match requests for protection. |
| HTTP/2 Fingerprint | The top 5 HTTP/2 fingerprints used in incoming requests. |
| JA3 Fingerprint | The top 5 JA3 fingerprints. JA3 is a standard TLS fingerprinting method that identifies TLS clients such as browsers, mobile apps, and malware. |
| JA4 Fingerprint | The top 5 JA4 fingerprints. JA4 extends JA3 with additional context (browser version, operating system) to reduce false positives and more accurately distinguish real users from attackers. |
Connection Type
The event details page lets you review connection metrics and configure protection for the affected instance.
| Field or section | Description |
|---|---|
| Attack Time | The time when the attack occurred. |
| Attack Target | The IP address and port of the instance that was attacked. Click Mitigation Settings next to this field to configure protection on the Protection for Infrastructure tab. See Protection for infrastructure. |
| Attack Mitigation Details | Shows trends for New Connections and Concurrent Connections. The new connections trend breaks down suspicious blocked connections by mitigation setting: Blacklist, Location Blacklist, and Rate Limit for Source (which includes New Connections Limit for Source, Concurrent Connections Limit for Source, PPS Limit for Source, and Bandwidth Limit for Source). The concurrent connections trend shows Active and Inactive connections. Use the time range selector in the upper-right corner to focus on a specific period. For configuration details, see Configure blacklists and whitelists for IP addresses, Configure the location blacklist feature, and Configure the speed limit for source IP addresses. |
| Attack Source IP Addresses | Shows the top 5 source IP addresses by suspicious connection count, along with their geographic locations. Click More to expand to the top 100 source IPs. Note: Only the top 100 source IP addresses are available. To block a specific IP, configure the Blacklist and Whitelist (IP address-based) feature. See Configure blacklists and whitelists for IP addresses. |
| Attack Type | Shows the distribution of attack requests by protocol. Click More to see the full breakdown. |
| Attack Source Location | Shows the distribution of attack requests by source location. Click More to see the full breakdown. To block requests from a specific region, configure the Location Blacklist feature. See Configure the location blacklist feature. |
Volumetric
The event details page lets you review traffic metrics and configure protection for the affected instance.
Alerts are generated only when inbound traffic is at least 1 Gbit/s and scrubbed traffic exceeds 100 Mbit/s.
| Field or section | Description |
|---|---|
| Attack Time | The time when the attack occurred. |
| Attack Target | The IP address of the instance that was attacked. Click Mitigation Settings next to this field to configure protection on the Protection for Infrastructure tab. See Protection for infrastructure. |
| Attack Mitigation Details | The bps tab shows inbound bandwidth, outbound bandwidth, and traffic scrubbing bandwidth trends. The pps tab shows inbound packet, outbound packet, and traffic scrubbing packet trends. |
| Source IP Address | Shows the top 10 source IP addresses by request count, along with their geographic locations. Click More to expand to the top 100. Note: The top 100 list includes only attack source IPs. To block specific IPs, click Blacklist Settings in the lower-left corner and configure the Blacklist and Whitelist (IP address-based) feature. See Configure blacklists and whitelists for IP addresses. |
| Attack Source ISP | Shows the distribution of attack traffic by Internet service provider (ISP). Click More to see the full breakdown. Note: This section shows attack traffic only and is available only in the Anti-DDoS Proxy (Chinese Mainland) console. |
| Attack Source Location | Shows the distribution of attack requests by source location. Click More to see the full breakdown. Note: This section shows attack traffic only. To block traffic from specific locations, click Location Blacklist Settings in the lower-left corner and configure the Location Blacklist feature. See Configure the location blacklist feature. |
| Attack Type | Shows the distribution of inbound requests by protocol. Click More to see the full breakdown. Note: Inbound requests include both attack and normal traffic. |
| Destination Port | Shows the proportion of each destination port across all inbound requests. Click More to see the full breakdown. Note: Inbound requests include both attack and normal traffic. |