How to view DDoS attack events, such as traffic scrubbing and blackhole filtering, and related statistics for Alibaba Cloud assets that are assigned public IP addresses. - Anti-DDoS

This topic describes how to view DDoS attack events, such as traffic scrubbing and blackhole filtering, and related statistics for Alibaba Cloud assets that are assigned public IP addresses.

Procedure

Log on to the Traffic Security console.
In the left-side navigation pane, click Event Center.

At the top of the page, you can set the time range for Attack Start Time. You can select a preset time range, such as Last 30 Days, or specify a custom start and end date. The page contains the following sections:

Ongoing: This section shows if there are any ongoing attack events and their protection status. When no events are in progress, this section displays the security status, the time of the last attack, and security recommendations.
Statistics: This section shows the total number of events, blackhole filtering events, and scrubbing events within the specified time range.

You can filter the event list using the following criteria.

Filter	Description
Event Type	Filter by event type. Options: Traffic Scrubbing or Blackhole. Traffic Scrubbing: Triggered when the traffic scrubbing threshold in bits per second (bps) or packets per second (pps) is reached. For more information, see Cancel traffic scrubbing. Blackhole: Triggered when traffic exceeds the maximum mitigation capability of the asset's public IP address. For more information, see Alibaba Cloud blackhole filtering policy.
Asset Type	Filter by asset type. Options: ECS, SLB, EIP, NAT, IPv6 gateway, simple application servers, WAF, GA, AnycastEIP.
Event Status	Filter by event status. Options: In Progress or Ended.
IP Address	Enter the public IP address of the asset to search.

The following table describes the columns in the event list.

Item	Description
Asset	Information about the asset under a DDoS attack, including its public IP address and instance ID.
Event	The attack type, such as volumetric, and the event type (traffic scrubbing or blackhole) of the attack event.
Time	The start time, end time, and duration of the attack event.
Attack Metrics	The trigger threshold and peak value (bps/pps) of the attack event.
DDoS Plan	Information about the Anti-DDoS package that the asset currently uses.

Optional: In the Actions column, click View Details to open the Event Details pane and view the following information:
- Basic Information: This section displays the attack target IP address, event type (traffic scrubbing or blackhole), status, attack type, protection package, mitigation capability assessment, trigger threshold (bps/pps), and start and end times. For scrubbing events, the peak attack throughput is also displayed.
- Traffic: This section displays a trend graph of traffic during the attack event.
  Note
  - If your asset has been released, the message You cannot view traffic details because the asset is removed from the current account. is displayed.
  - Trend graphs are not available for attack events that occurred more than 7 days ago (for IPv4 assets) or 3 hours ago (for IPv6 assets).
  - If the asset is an AnycastEIP, you cannot view its traffic trend in the event details.
- Mitigate: This section displays the result of the action taken in response to the attack event.
  - For blackhole filtering events, this section displays the blackhole duration and the thresholds that trigger blackhole filtering in Anti-DDoS Basic. You can click Upgrade Anti-DDoS Plan to enhance mitigation capabilities.
  - For scrubbing events, this section displays the attack duration, peak scrubbing bandwidth, and mitigation result.
- Attack Event Analysis: This section provides an AI-generated attack analysis (for reference only) that includes a summary of the attack type, an explanation of how the attack works, and mitigation suggestions. This helps you understand the attack features and develop targeted mitigation policies.