View information on the Attack Analysis page - Anti-DDoS Pro & Premium User Guide| Alibaba Cloud Documentation Center

After you add your service to Anti-DDoS Pro or Anti-DDoS Premium, you can view the events and details of attacks on the Attack Analysis page. This way, you can view the protection status of your service. You can also provide feedback on the protection effect. This topic describes how to view information on the Attack Analysis page.

Prerequisites

An Anti-DDoS Pro or Anti-DDoS Premium instance is purchased.
For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.
Your service is added to Anti-DDoS Pro or Anti-DDoS Premium.
For more information about how to add website services, see Add a website.

For more information about how to add non-website services, such as client gaming, mobile gaming, and app services, see Create forwarding rules.

Background information

The Attack Analysis page displays DDoS attack events and the event details. On the Attack Analysis page, you can view the information about an attack event, such as the attack target, start time and end time of the attack, and peak attack traffic. You can also provide feedback on the protection effect.

DDoS attack events are classified into the following types:

Volumetric attack events: Attackers send a multitude of service requests from a large number of zombie servers to the IP address of an Anti-DDoS Pro or Anti-DDoS Premium instance at the same time. As a result, the network devices and servers are overloaded, and network congestion and service failures may occur.
If attackers send service requests to multiple IP addresses of your Anti-DDoS Pro instances or Anti-DDoS Premium instances at the same time, multiple volumetric attack events are recorded.
Events of web resource exhaustion attacks: Attackers simulate normal users to send service requests to a web service whose domain name is added to an Anti-DDoS Pro or Anti-DDoS Premium instance. The attackers frequently access pages that consume large amounts of resources in the web service. As a result, the resources of the servers are exhausted, and the web service cannot respond to normal service requests. For more information about how to add a domain name to an Anti-DDoS Pro or Anti-DDoS Premium instance, see Add a website.
If attackers send service requests to multiple domain names that are protected by an Anti-DDoS Pro or Anti-DDoS Premium instance at the same time, multiple events of web resource exhaustion attacks are recorded.
Events of connection flood attacks: Attackers establish TCP or UDP connections to a service port that is added to an Anti-DDoS Pro or Anti-DDoS Premium instance. As a result, the servers of the service are overloaded and cannot process new connection requests, and service failures may occur. For more information about how to add a service port to an Anti-DDoS Pro or Anti-DDoS Premium instance by using ports, see Create forwarding rules.
If attackers send connection requests to multiple service ports that are added to an Anti-DDoS Pro or Anti-DDoS Premium instance at the same time, multiple events of connection flood attacks are recorded.

You can also view the event details on the Attack Analysis page. The details include the source IP addresses, attack types, and source locations. This allows you to view the attack mitigation process in a visualized manner. This also improves user experience.

Query attack events

Log on to the Anti-DDoS Pro console.
In the top navigation bar, select the region where your instance resides.
- Mainland China: If you select this region, the Anti-DDoS Pro console appears.
- Outside Mainland China: If you select this region, the Anti-DDoS Premium console appears.
You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
In the left-side navigation pane, choose Investigation > Attack Analysis.
On the Attack Analysis page, select an attack type and a time range to query attack events.
The following attack types and time ranges are supported:
- Attack type: Web Resource Exhaustion Attack, Connection Flood Attack, Volumetric Attack, or All attack types.
- Time range: One Day, Seven Days, or One Month. You can also specify a custom time range. A custom time range must be within the last 180 days.
The Attack Analysis page displays the following information:
- In the upper part of the page, Peak of Volumetric Attack (bps), Peak of Connection Flood Attack (cps), and Peak of Web Resource Exhaustion Attack (qps) are displayed.
- In the lower part of the page, attack events are displayed. The information about each attack event includes Attack type, Attack target, Starting and ending time, and Peak of Attack.
If you have suggestions or questions about the protection effect on an attack event, click Feedback in the Actions column to submit your feedback. All your suggestions are appreciated.

You can view the details about an attack event. You can click View details in the Actions column of an attack event to view the event details. For more information, see View event details of volumetric attacks, View event details of web resource exhaustion attacks, and View event details of connection flood attacks.

View event details of volumetric attacks

On the Attack Analysis page, find a Volumetric Attack event and click View details in the Actions column. The Details of the incident page appears. You can view the event details and configure protection settings.

Notice You can query the event details of volumetric attacks that occur after 00:00 on September 30, 2020.

Event details of volumetric attacks (Anti-DDoS Pro)

The Details of the incident page displays the following information:

In the upper part of the page, Attack Time, Attack Target, Peak of attack bandwidth (bps), and Peak of attack packet (pps) are displayed. The Attack Target parameter indicates the IP address of an Anti-DDoS Pro or Anti-DDoS Premium instance.
You can click Mitigation Settings next to Attack Target. On the Protection for Infrastructure tab of the page that appears, you can configure mitigation policies for the Anti-DDoS Pro or Anti-DDoS Premium instance that is attacked. For more information, see Configure the IP address blacklist and whitelist for an Anti-DDoS Pro or Anti-DDoS Premium instance.
Attack protection details: displays the trends of inbound and outbound traffic, the traffic scrubbing bandwidth, and the packets during the attack. The bps tab displays the trends of inbound and outbound traffic and the traffic scrubbing bandwidth. The pps tab displays the trends of packets.
Attack source IP: displays the top 10 IP addresses from which the most attacks are launched and the locations to which the IP addresses belong. You can click More to view information about the top 100 source IP addresses.

Note The top source 100 IP addresses include the source IP addresses of attacks and the source IP addresses of normal requests.

If you want to block traffic from specific IP addresses, click Blacklist Settings in the lower-left corner of the Attack source IP section. On the Protection for Infrastructure tab of the page that appears, configure Blacklist and Whitelist (Instance IP). For more information, see Configure the IP address blacklist and whitelist for an Anti-DDoS Pro or Anti-DDoS Premium instance.
Attack source ISP: displays the distribution of Internet service providers (ISPs) from which attack traffic originates. You can click More to view the distribution of requests by ISP.

Notice The Attack source ISP section is available only in the Anti-DDoS Pro console.
Attack source area: displays the distribution of locations from which attack traffic originates. You can click More to view the distribution of requests by location.
If you want to block traffic from specific locations, click Geo-blocking Settings in the lower-left corner of the Attack source area section. On the Protection for Infrastructure tab of the page that appears, configure Blocked Regions. For more information, see Configure blocked regions.
Attack type: displays the distribution of protocols that are used to launch attacks. You can click More to view the distribution of attack types by protocol.

In the upper-right corner of the Details of the incident page, you can click Export Report, and then click Export as PNG or Export as PDF to save the current event details page to your computer in the PNG or PDF format.

View event details of web resource exhaustion attacks

On the Attack Analysis page, find a Web Resource Exhaustion Attack event and click View details in the Actions column. The Details of the incident page appears.You can view the event details and configure protection settings.

Notice You can query the event details of web resource exhaustion attacks that occur after 00:00 on July 15, 2021.

The Details of the incident page displays the following information:

In the upper part of the page, Attack Time, Attack Target, Peak Requests (QPS), Total Received Requests, and Total Blocked Requests are displayed. The Attack Target parameter indicates the domain name that is added to an Anti-DDoS Pro or Anti-DDoS Premium instance.
You can click Mitigation Settings next to Attack Target. On the Protection for Website Services tab of the page that appears, you can configure mitigation policies for the attacked domain name. For more information, see Use the intelligent protection feature.
Attack protection details: displays the total inbound queries per second (QPS), the trends of the QPS that trigger the policies of different protection modules during the attack, and Effective Time of Policies and Blocked Requests of the triggered policies.
The protection modules include Blacklist, Blocked Regions, Frequency Control, Accurate Access Control, and Others. The Others protection module blocks requests such as the requests that fail CAPTCHA verification. For more information about how to configure different protection modules, see Use the intelligent protection feature.

In the upper-right corner of the Attack protection details section, you can specify a time range to query.
Source Areas of Attacks: displays the distribution of locations from which attack requests originate. You can switch between Global and Mainland China to view locations by country or by administrative region in China. You can click More to view the distribution of requests by location.
If you want to block requests from specific locations, click Mitigation Settings in the lower-left corner of the Source Areas of Attacks section. On the Protection for Website Services tab of the page that appears, configure Blocked Regions (Domain Names). For more information, see Configure blocked regions for domain names.
URL: displays the top five URLs that receive the most requests. The URLs are displayed in descending order of the number of received requests. You can click More to view all requested URLs and the distribution of the URLs. After you click More, the requested URIs and the domain names to which the URIs belong are displayed.
If you want to configure throttling policies for specific URIs, click Mitigation Settings in the lower-left corner of the URL section. On the Protection for Website Services tab of the page that appears, configure Frequency Control. For more information, see Configure frequency control.
Requests Blocked by Protection Modules: displays the distribution of requests that are blocked by different protection modules.
You can click Mitigation Settings in the lower-left corner of the Requests Blocked by Protection Modules section. On the Protection for Website Services tab of the page that appears, configure policies for different protection modules. For more information, see Use the intelligent protection feature.
Top 10 Policies: displays the distribution of the top 10 policies that are most frequently triggered. You can click More to view the distribution of the top 100 protection policies that are most frequently triggered.
You can click Mitigation Settings in the lower-left corner of the Top 10 Policies section. On the Protection for Website Services tab of the page that appears, configure policies for different protection modules. For more information, see Use the intelligent protection feature.

View event details of connection flood attacks

On the Attack Analysis page, find a Connect Flood Attack event and click View details in the Actions column. The Details of the incident page appears.You can view the event details and configure protection settings.

Notice You can query the event details of connection flood attacks that occur after 00:00 on September 20, 2021.

The Details of the incident page displays the following information:

In the upper part of the page, Attack Time, Attack Target, Maximum Concurrent Connections, and Maximum New Connections are displayed. The Attack Target parameter indicates the IP address and port number of an Anti-DDoS Pro or Anti-DDoS Premium instance. The value of the Maximum Concurrent Connections parameter indicates the maximum number of concurrent connections. The value of the Maximum New Connections parameter indicates the maximum number of new connections per second.
You can click Mitigation Settings next to Attack Target. On the Protection for Infrastructure tab of the page that appears, you can configure mitigation policies for the Anti-DDoS Pro or Anti-DDoS Premium instance that is attacked. For more information, see Configure the IP address blacklist and whitelist for an Anti-DDoS Pro or Anti-DDoS Premium instance.
Attack protection details: displays the trends of new connections and concurrent connections.
The trend of new connections displays suspicious connections that are blocked by different mitigation policies. The mitigation policies include Blacklist, Blocked Regions, and Speed Limit for Source. The Speed Limit for Source policy includes Source Concurrent Connection Rate Limit, PPS Limit for Source, and Bandwidth Limit for Source. For more information about how to configure the mitigation policies, see Configure the IP address blacklist and whitelist for an Anti-DDoS Pro or Anti-DDoS Premium instance, Configure blocked regions, and Configure the speed limit for source IP addresses.

The trend of concurrent connections displays active and inactive connections.

In the upper-right corner of the Attack protection details section, you can specify a time range to query.
Attack source IP: displays the top five IP addresses from which the most suspicious connections are established and the locations to which the IP addresses belong. You can click More to view information about the top 100 source IP addresses of attacks.

Note You can view only the top 100 source IP addresses of attacks.

If you want to block traffic from an IP address, you can configure the Blacklist and Whitelist (Instance IP) policy for the instance that is attacked. For more information, see Configure the IP address blacklist and whitelist for an Anti-DDoS Pro or Anti-DDoS Premium instance.
Attack type: displays the distribution of protocols that are used to initiate attacks. You can click More to view the distribution of attack types by protocol.
Attack source area: displays the distribution of locations from which attack requests originate. You can click More to view the distribution of requests by location.
If you want to block requests from a location, you can configure the Blocked Regions policy for the instance that is attacked. For more information, see Configure blocked regions.