This topic describes how to view the service data and DDoS attack details of an instance and a domain name in the Anti-DDoS Pro or Anti-DDoS Premium console after you add the domain name to Anti-DDoS Pro or Anti-DDoS Premium. This helps you learn protection information about your assets and adjust your DDoS mitigation policies in a timely manner.
Overview
Anti-DDoS Pro and Anti-DDoS Premium allow you to view data within the last 30 days. You can click Traffic Flow Diagram in the upper-right corner of the Security Overview page to learn traffic-related concepts of Anti-DDoS Pro and Anti-DDoS Premium.
Prerequisites
An Anti-DDoS Pro or Anti-DDoS Premium instance is purchased, and your service is added to the Anti-DDoS Pro or Anti-DDoS Premium instance. For more information, see Add a website and Manage forwarding rules.
Instance
Anti-DDoS Pro and Anti-DDoS Premium support the display of service data and DDoS attack details by instance.
- Log on to the Anti-DDoS Pro console.
- In the top navigation bar, select the region where your instance resides.
- Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
- Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.
You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium. In the left-side navigation pane, click Security Overview. On the Security Overview page, you can view the following information on the Instance tab.
Section
Description
Bandwidth (marked 1 in the preceding figure)
Anti-DDoS Pro provides the Bandwidth trend chart to show traffic information by bps or pps. You can view the trends of inbound, outbound, and attack traffic of an instance within a specific time range.
Anti-DDoS Premium provides the Overview tab to show bandwidth trends, the Inbound Distribution tab to show the distribution of inbound traffic, and the Outbound Distribution tab to show the distribution of outbound traffic.
Connections (marked 2 in the preceding figure)
Concurrent Connections: the total number of concurrent TCP connections that are established between clients and the instance.
Active: the number of TCP connections in the Established state.
Inactive: the number of TCP connections in all states except the Established state.
New Connections: the number of new TCP connections that are established between clients and the instance per second.
Attack Events, Alert on Exceeded Upper Limits, and Destination Rate Limit Events (marked 3 in the preceding figure)
Attack Events
You can move the pointer over an IP address or a port to view the details of an attack, such as Attack Target, Attack Type, Peak Attack Traffic, and Protection Effect.
Alerts on Exceeded Upper Limits
The following event types of alerts are supported: clean bandwidth, new connections, and concurrent connections. If the purchased specification that corresponds to an event type is exceeded, an alert of this event type is generated. In this case, your business is not affected, and a specification upgrade is recommended. For more information, see Upgrade an instance.
You can click Details in the Status column of an alert to go to the System Logs page to view the details of the alert.
NoteThe alerts on exceeded upper limits are updated at 10:00 (UTC+8) every Monday. After the update, the alerts that were generated on the previous day are displayed. If you configure a notification method, such as internal messages, text messages, or emails, you receive a notification at 10:00 (UTC+8) every Monday. The notification includes the alerts that were generated on the previous day.
Destination Rate Limit Events
If the number of new connections, the number of concurrent connections, or the service bandwidth exceeds the specifications of your instance, rate limiting is triggered, and a destination rate limit event is generated. In this case, your business is affected.
If rate limiting is triggered by service traffic, we recommend that you upgrade the specifications of your instance at the earliest opportunity. For more information, see Upgrade an instance.
If rate limiting is triggered by DDoS attacks, we recommend that you adjust your mitigation policies at the earliest opportunity. For more information, see Configure the IP address blacklist and whitelist for an Anti-DDoS Pro or Anti-DDoS Premium instance.
You can click Details in the Status column of an event to go to the System Logs page to view the details of the event.
Source Locations and Source Service Providers (marked 4 in the preceding figure)
Source Locations: the distribution of source locations from which service traffic is sent.
Source Service Providers: the distribution of Internet service providers (ISPs) from which service traffic is sent.
Domain name
Anti-DDoS Pro and Anti-DDoS Premium support the display of service data and DDoS attack details by domain name.
- Log on to the Anti-DDoS Pro console.
- In the top navigation bar, select the region where your instance resides.
- Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
- Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.
You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium. In the left-side navigation pane, click Security Overview. On the Security Overview page, you can view the following information on the Websites tab:
Total QPS by Instance
In the All Domains drop-down list, click the Total QPS by Instance tab, select the required exclusive IP addresses, and then click Confirm.
Section
Description
Requests (marked 1 in the preceding figure)
The trend of queries per second (QPS) is displayed for different instances. The displayed time granularity varies based on the specified time range.
Response Codes (marked 2 in the preceding figure)
The status codes are displayed for different instances. The number of status codes is accumulated within the displayed time granularity. The following list describes status codes:
2XX: The request is successfully received, understood, and accepted by the server.
NoteStatistics on 2XX status codes include the statistics on the 200 status code.
3XX: The client must perform further operations to complete the request. In most cases, a 3XX status code indicates redirection.
4XX: The client may be faulty, which interrupts server processing.
5XX: An error or an exception occurred when the server processes the request.
QPS by Domain
In the All Domains drop-down list, click the QPS by Domain tab, select the required domain names, and then click Confirm.
Section
Description
Requests (marked 1 in the preceding figure)
The QPS trend is displayed for different domain names. The displayed time granularity varies based on the specified time range.
Response Codes (marked 2 in the preceding figure)
The status codes are classified into Anti-DDoS Pro and Anti-DDoS Premium status codes and status codes of origin servers. The number of status codes is accumulated within the displayed time granularity. The following list describes status codes:
2XX: The request is successfully received, understood, and accepted by the server.
NoteStatistics on 2XX status codes include the statistics on the 200 status code.
200: The request succeeded.
3XX: The client must perform further operations to complete the request. In most cases, a 3XX status code indicates redirection.
4XX: The client may be faulty, which interrupts server processing.
404: The server cannot be accessed.
5XX: An error or an exception occurred when the server processes the request.
502: Anti-DDoS Pro or Anti-DDoS Premium attempts to process the request as a proxy server, but receives invalid responses from the upstream server.
503: The server may be overloaded or in temporary maintenance and cannot process the request.
504: Anti-DDoS Pro or Anti-DDoS Premium attempts to process the request as a proxy server, but does not receive responses from the upstream server in a timely manner.
Most Requested URIs and Slow Loading URIs (marked 3 in the preceding figure)
Most Requested URIs: the top 5 URIs that are most frequently requested. The URIs are displayed in descending order. You can click More to view the total number of requests for each URI.
Slow Loading URIs: the top 5 URIs based on the response time, in milliseconds. The URIs are displayed in descending order. You can click More to view the total response time for each URI.
Mitigation Events (marked 4 in the preceding figure)
This section displays the scrubbing events that occur at the application layer. You can move the pointer over a domain name to view the attack details, such as Domains, Peak Attack Traffic, and Attack Type.
Source Locations (marked 5 in the preceding figure)
This section displays the distribution of source locations from which requests are sent.
Cache Hit Rate (marked 6 in the preceding figure)
You can view the trend chart of cache hit rates only after you enable the static page caching feature. For more information, see Anti-DDoS Lab.