When a DDoS attack targets your Alibaba Cloud assets, the Event Center gives you a single place to check whether scrubbing or blackhole filtering is active, review attack metrics, and understand how protection responded — without switching between products or dashboards.
Prerequisites
Before you begin, ensure that you have:
An Alibaba Cloud account with one or more assets assigned a public IP address (ECS, SLB, EIP, NAT, IPv6 gateway, simple application servers, WAF, GA, or AnycastEIP)
Access to the Traffic Security console
View attack events
Log on to the Traffic Security console.
In the left-side navigation pane, click Event Center.
At the top of the page, set the time range for Attack Start Time. Select a preset range such as Last 30 Days, or specify a custom start and end date.
The page displays two summary sections:
Ongoing: Shows any currently active attack events and their protection status. When no attack is in progress, this section displays your security status, the time of the last attack, and security recommendations.
Statistics: Shows the total number of events, blackhole filtering events, and scrubbing events within the selected time range.
(Optional) Filter the event list using any combination of the following criteria.
Filter Description Event type Traffic Scrubbing or Blackhole. Traffic scrubbing is triggered when the traffic scrubbing threshold in bits per second (bps) or packets per second (pps) is reached. For details, see Cancel traffic scrubbing. Blackhole filtering is triggered when traffic exceeds the maximum mitigation capability of the asset's public IP address. For details, see Alibaba Cloud blackhole filtering policy. Asset type ECS, SLB, EIP, NAT, IPv6 gateway, simple application servers, WAF, GA, or AnycastEIP Event status In Progress or Ended IP address Enter the public IP address of the asset The event list includes the following columns.
Column Description Asset The public IP address and instance ID of the affected asset Event The attack type (such as volumetric) and event type (traffic scrubbing or blackhole) Time The start time, end time, and duration of the event Attack metrics The trigger threshold and peak value in bps/pps DDoS plan The Anti-DDoS package associated with the asset (Optional) In the Actions column, click View Details to open the Event Details pane.
The pane contains the following sections.
Basic information
Displays the attack target IP address, event type, status, attack type, protection package, mitigation capability assessment, trigger threshold (bps/pps), and start and end times. For scrubbing events, the peak attack throughput is also shown.
Traffic
Displays a trend graph of traffic during the attack event.
NoteIf the asset has been released, the message You cannot view traffic details because the asset is removed from the current account. appears instead of the graph.
Trend graphs are not available for events that occurred more than 7 days ago (IPv4 assets) or more than 3 hours ago (IPv6 assets).
AnycastEIP assets do not support traffic trend graphs in the event details.
Mitigate
Displays the result of the action taken in response to the attack.
For blackhole filtering events: shows the blackhole duration and the thresholds that trigger blackhole filtering in Anti-DDoS Basic. Click Upgrade Anti-DDoS Plan to increase your mitigation capacity.
For scrubbing events: shows the attack duration, peak scrubbing bandwidth, and mitigation result.
Attack event analysis
Provides an AI-generated analysis (for reference only) that includes a summary of the attack type, an explanation of how the attack works, and mitigation suggestions. Use this to understand attack features and inform your mitigation strategy.