
Anti-DDoS:View information on the Attack Analysis page

Last Updated:Jul 25, 2024

After you add your service to your Anti-DDoS Proxy instance, you can view the attack events detected on the instance and their details, such as the source IP addresses of attacks, the distribution of attack types, and the distribution of attacks by source location. This makes the protection process transparent and makes protection analysis easier. You can also specify custom configurations. This topic describes how to query attack events on the Attack Analysis page.

Attack event types

Attack event type

Description

Web Resource Exhaustion

Attackers simulate regular users to send service requests to a web service whose domain name is added to an Anti-DDoS Proxy instance. The attackers frequently access pages that consume a large number of resources in the web service. As a result, the resources of the servers are exhausted, and the web service cannot respond to normal service requests.

If attackers send service requests to multiple domain names that are added to an Anti-DDoS Proxy instance at the same time, multiple attack events of the Web Resource Exhaustion type are recorded.

Connection Type

Attackers establish TCP or UDP connections to a service port that is added to an Anti-DDoS Proxy instance. As a result, the servers of the service are overloaded and cannot process new connection requests, and service failures may occur.

If attackers send connection requests to multiple service ports that are added to an Anti-DDoS Proxy instance at the same time, multiple events of connection flood attacks are recorded.

Volumetric

Attackers send a multitude of service requests from a large number of zombie servers to the IP address of an Anti-DDoS Proxy instance at the same time. As a result, the network devices and servers are overloaded, and network congestion and service failures may occur.

If attackers send service requests to the IP addresses of multiple Anti-DDoS Proxy instances at the same time, multiple volumetric attack events are recorded.

Note

By default, Anti-DDoS Proxy generates attack events only when the inbound traffic exceeds 1 Gbit/s and the scrubbed traffic reaches 100 Mbit/s. This way, fewer attack events are generated. If the actual inbound traffic is less than the preceding threshold, no attack events are generated. You can configure a custom alert threshold based on your business requirements. To configure a custom alert threshold, click Set Alert Threshold on the Security Overview page. A custom alert threshold solves the issue that scrubbed traffic is displayed in the console but no attack events are generated.

Prerequisites

Query attack events

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.

  3. In the left-side navigation pane, choose Investigation > Attack Analysis.

  4. On the Attack Analysis page, select an attack type and a time range to query attack events.

    Note

    You can query only the attack events of the previous 180 days.

  5. Optional. Click View Details in the Actions column to view the details of an attack event.

    In the upper-right corner of the Event Details page, you can click Export Report, and then click Export Image or Export to PDF to save the current event details page to your computer in the PNG or PDF format.

If you have any suggestions or questions about the protection effect of an attack event, you can click Effect Feedback in the Actions column of the attack event. We will continue to optimize and improve the protection effect based on your suggestions.

Details of an attack event

Web Resource Exhaustion

You can view event details and configure specific protection items for the domain name of a service.

Information

Description

Basic information about an attack event

  • Attack Time: the point in time when the attack occurs.

  • Attack Target: the domain name that is attacked.

    You can click Mitigation Settings to the right of Attack Target. On the Protection for Website Services tab of the page that appears, you can configure mitigation settings for the domain name that is attacked. For more information, see Protection for website services.

  • Maximum Requests: the peak number of requests during the attack.

  • Total Received Requests: the total number of requests received within a period of time before and after the attack. The following list describes the time range for the statistics:

    • Start time: half an hour earlier than the attack start time, after that time is truncated to the previous half-hour boundary.

      For example, if the attack occurs at 11:20, the occurrence time is truncated to 11:00. Thus, the start time is 10:30. If the attack occurs at 11:40, the occurrence time is truncated to 11:30. Thus, the start time is 11:00.

    • End time: half an hour later than the attack end time, after that time is rounded up to the next half-hour boundary.

      For example, if the attack ends at 12:20, the attack end time is truncated to 12:30. Thus, the end time is 13:00. If the attack ends at 12:40, the attack end time is truncated to 13:00. Thus, the end time is 13:30.

  • Total Blocked Requests: the number of requests blocked by the Anti-DDoS Proxy instance during the attack.
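The half-hour rule for the Total Received Requests window, carried through in code. This is an added example, not code from the Anti-DDoS Proxy console or product; it assumes that an attack end time already on a half-hour boundary is kept as is (the page does not state this case) and adds a midnight-crossing case beyond the two examples above.

```python
from __future__ import annotations
from datetime import datetime, timedelta

HALF_HOUR = timedelta(minutes=30)


def floor_to_half_hour(t: datetime) -> datetime:
    """Truncate t to the previous :00 or :30 boundary (11:20 -> 11:00, 11:40 -> 11:30)."""
    return t.replace(minute=(t.minute // 30) * 30, second=0, microsecond=0)


def ceil_to_half_hour(t: datetime) -> datetime:
    """Round t up to the next :00 or :30 boundary (12:20 -> 12:30, 12:40 -> 13:00).

    Assumption (not stated on the page): a time already on a boundary is kept.
    """
    floored = floor_to_half_hour(t)
    return floored if floored == t else floored + HALF_HOUR


def statistics_window(attack_start: datetime, attack_end: datetime) -> tuple[datetime, datetime]:
    """Compute the range over which Total Received Requests is counted.

    Start: half an hour before the attack start, truncated to the previous half-hour.
    End:   half an hour after the attack end, rounded up to the next half-hour.
    """
    if attack_end < attack_start:
        raise ValueError("attack_end precedes attack_start")
    start = floor_to_half_hour(attack_start) - HALF_HOUR
    end = ceil_to_half_hour(attack_end) + HALF_HOUR
    return start, end


def statistics_window_iso(attack_start: str, attack_end: str) -> tuple[str, str]:
    """Same computation on ISO 8601 strings such as '2024-07-25 11:20'."""
    start, end = statistics_window(datetime.fromisoformat(attack_start),
                                   datetime.fromisoformat(attack_end))
    return start.strftime("%Y-%m-%d %H:%M"), end.strftime("%Y-%m-%d %H:%M")


if __name__ == "__main__":
    # The two cases from the page, plus a constructed attack that ends just before midnight.
    for s, e in [("2024-07-25 11:20", "2024-07-25 12:20"),
                 ("2024-07-25 11:40", "2024-07-25 12:40"),
                 ("2024-07-25 23:50", "2024-07-25 23:55")]:
        print(s, "->", e, "counted over", statistics_window_iso(s, e))
```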

Attack Mitigation Details

This section displays the total inbound queries per second (QPS), the trends of the QPS that triggered the policies of the different mitigation modules during the attack, and the Effective Time of Policy and Blocked Requests of each triggered policy. In the upper-right corner of the Attack Mitigation Details section, you can specify a time range to query.

The mitigation modules include Blacklist, Location Blacklist, Frequency Control, Accurate Access Control, and Others. The Others mitigation module blocks requests such as the requests that fail CAPTCHA verification. For more information about how to configure different protection modules, see Protection for website services.

Blocked Requests by Protection Module

This section displays the distribution of attack requests that are blocked by different protection modules.

You can click Mitigation Settings in the upper-right corner of the Blocked Requests by Protection Module section and configure settings for different protection modules. For more information about how to configure different protection modules, see Protection for website services.

Top 10 Hit Policies

This section displays the top 10 mitigation policies that are most frequently hit and the numbers of hits. You can click More to view the hits of the top 100 mitigation policies that are most frequently hit.

You can click Mitigation Settings in the upper-right corner of the Top 10 Hit Policies section and configure policies for different protection modules. For more information about how to configure different protection modules, see Protection for website services.

Source Location

This section displays the distribution of attack requests by source location. You can switch between Global and Chinese Mainland to view locations by country or by administrative region in China. You can click More to view the attack request proportions of different source locations.

If you want to block requests from a location, click Mitigation Settings in the upper-right corner of the Source Location section. Then, configure the Location Blacklist (Domain Names) feature. For more information, see Configure the location blacklist (domain names) feature.

URL

This section displays the top five URLs that receive the most requests, in descending order of the number of requests received. You can click More to view all requested URLs and the number of requests for each URL. After you click More, the requested URIs and the domain names to which the URIs belong are displayed.

If you want to configure rate limiting settings for specific URIs, click Mitigation Settings in the upper-right corner of the URL section. Then, configure the Frequency Control feature. For more information, see Configure frequency control.

URI Response Time

This section displays the top five URIs with the maximum response times. URI response time is the total time from when the client sends a request to obtain the resource of a specific URI to when the client receives a response from the server and the request is complete.

You can configure the HTTP flood mitigation feature based on this section. For more information, see Configure the HTTP flood mitigation feature.

Attacker IP Address

This section displays the top 10 IP addresses from which the most suspicious connections are established and the locations to which the IP addresses belong. You can click More to view information about the top 100 source IP addresses.

Note

You can view only the top 100 source IP addresses of attacks.

If you want to block traffic from an IP address, click Mitigation Settings in the upper-right corner of the Attacker IP Address section. Then, configure the Blacklist/Whitelist (Domain Names) feature. For more information, see Configure the blacklist/whitelist (domain names) feature.

User-Agent

This section displays the top five User-Agent entries that are most frequently contained in requests. The User-Agent header carries browser-related information, such as the browser identifier, rendering engine identifier, and version, of the client that initiates the access requests.

You can configure the HTTP flood mitigation feature based on this section. For more information, see Configure the HTTP flood mitigation feature.

Referer

This section displays the top five Referer entries that are most frequently contained in access requests. Referer indicates the source URLs of access requests.

You can configure the HTTP flood mitigation feature based on this section. For more information, see Configure the HTTP flood mitigation feature.

HTTP-Method

This section displays the top five request methods that are most frequently used in access requests.

You can configure the HTTP flood mitigation feature based on this section. For more information, see Configure the HTTP flood mitigation feature.

Client Fingerprint

This section displays the top five client fingerprints that are most frequently used for access requests. Client fingerprints are calculated by using Alibaba Cloud-developed algorithms based on the TLS fingerprints of the client that initiates requests. Client fingerprints are used to match access requests for protection.

You can configure the HTTP flood mitigation feature based on this section. For more information, see Configure the HTTP flood mitigation feature.

Connection Type

You can view event details and configure specific protection items for an Anti-DDoS Proxy instance.

Information

Description

Attack Time

The point in time when the attack occurs.

Attack Target

The IP address and port of the instance that is attacked.

You can click Mitigation Settings to the right of Attack Target. On the Protection for Infrastructure tab of the page that appears, you can configure mitigation settings for the instance that is attacked. For more information, see Protection for infrastructure.

Attack Mitigation Details

This section displays the trends of New Connections and Concurrent Connections. In the upper-right corner of the Attack Mitigation Details section, you can specify a time range to query.

The trend of new connections displays suspicious connections that are blocked by different mitigation settings. The mitigation settings include Blacklist, Location Blacklist, and Rate Limit for Source. The Rate Limit for Source setting includes New Connections Limit for Source, Concurrent Connections Limit for Source, PPS Limit for Source, and Bandwidth Limit for Source. For more information about how to configure the mitigation settings, see Configure the blacklist and whitelist (IP address-based) feature, Configure the location blacklist feature, and Configure the speed limit for source IP addresses.

The trend of concurrent connections displays Active and Inactive connections.

Attack Source IP Addresses

This section displays the top five IP addresses from which the most suspicious connections are established and the locations to which the IP addresses belong. You can click More to view information about the top 100 source IP addresses of attacks.

Note

You can view only the top 100 source IP addresses of attacks.

If you want to block traffic from an IP address, you can configure the Blacklist and Whitelist (IP address-based) feature for the instance that is attacked. For more information, see Configure the blacklist and whitelist (IP address-based) feature.

Attack Type

This section displays the distribution of attack requests by protocol. You can click More to view the attack request proportions of different protocols.

Attack Source Location

This section displays the distribution of attack requests by source location. You can click More to view the attack request proportions of different source locations.

If you want to block requests from a location, you can configure the Location Blacklist feature for the instance that is attacked. For more information, see Configure the location blacklist feature.

Volumetric

You can view event details and configure specific protection items for an Anti-DDoS Proxy instance.

Information

Description

Attack Time

The point in time when the attack occurs.

Attack Target

The IP address of the instance that is attacked.

You can click Mitigation Settings to the right of Attack Target. On the Protection for Infrastructure tab of the page that appears, you can configure mitigation settings for the instance that is attacked. For more information, see Protection for infrastructure.

Attack Mitigation Details

The bps tab displays the trends of inbound and outbound bandwidth and the traffic scrubbing bandwidth.

The pps tab displays the trends of inbound and outbound packets and the traffic scrubbing packets.

Note

Alerts are generated only when the inbound traffic is no less than 1 Gbit/s and the scrubbed traffic exceeds 100 Mbit/s.

Source IP Address

This section displays the top 10 IP addresses from which the most requests are initiated and the locations to which the IP addresses belong. You can click More to view information about the top 100 source IP addresses.

Note

The top 100 source IP addresses include the source IP addresses of attacks and the source IP addresses of normal requests.

If you want to block traffic from specific IP addresses, click Blacklist Settings in the lower-left corner of the Source IP Address section. Then, configure the Blacklist and Whitelist (IP address-based) feature. For more information, see Configure the blacklist and whitelist (IP address-based) feature.

Attack Source ISP

This section displays the distribution of attack requests by Internet service providers (ISPs) from which attack traffic originates. You can click More to view the attack request proportions of different ISPs.

Note

The Attack Source ISP section is available only in the Anti-DDoS Proxy (Chinese Mainland) console.

Attack Source Location

This section displays the distribution of attack requests by source location. You can click More to view the attack request proportions of different source locations.

If you want to block traffic from specific locations, click Location Blacklist Settings in the lower-left corner of the Attack Source Location section. Then, configure the Location Blacklist feature. For more information, see Configure the location blacklist feature.

Attack Type

This section displays the distribution of attack requests by protocol. You can click More to view the attack request proportions of different protocols.

Destination Port

This section displays the proportions of the attacked ports. You can click More to view the proportion of each attacked port.