After you add your service to your Anti-DDoS Pro or Anti-DDoS Premium instance, you can view the events and details of attacks that are detected on the instance. This way, you can view the protection status of your service and customize the configuration based on your business requirements. This topic describes how to query attack events on the Attack Analysis page.

Background information

On the Attack Analysis page, you can view the target, start time, end time, peak traffic, and event details of an attack. This helps you understand information such as the source IP addresses of attacks, the distribution of attack types, and the distribution of source locations. This makes the protection process transparent and improves the experience of analyzing protection results.

DDoS attack events are classified into the following types:
Events of web resource exhaustion attacks: Attackers simulate normal users to send service requests to a web service whose domain name is added to an Anti-DDoS Pro or Anti-DDoS Premium instance. The attackers frequently access pages that consume a large number of resources in the web service. As a result, the resources of the servers are exhausted, and the web service cannot respond to normal service requests.

  If attackers send service requests to multiple domain names that are added to an Anti-DDoS Pro or Anti-DDoS Premium instance at the same time, multiple events of web resource exhaustion attacks are recorded.

Events of connection flood attacks: Attackers establish TCP or UDP connections to a service port that is added to an Anti-DDoS Pro or Anti-DDoS Premium instance. As a result, the servers of the service are overloaded and cannot process new connection requests, and service failures may occur.

  If attackers send connection requests to multiple service ports that are added to an Anti-DDoS Pro or Anti-DDoS Premium instance at the same time, multiple events of connection flood attacks are recorded.

Volumetric attack events: Attackers send a multitude of service requests from a large number of zombie servers to the IP address of an Anti-DDoS Pro or Anti-DDoS Premium instance at the same time. As a result, the network devices and servers are overloaded, and network congestion and service failures may occur.

  If attackers send service requests to the IP addresses of multiple Anti-DDoS Pro or Anti-DDoS Premium instances at the same time, multiple volumetric attack events are recorded.

Prerequisites

Query attack events

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region where your instance resides.
    • Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
    • Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.
    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
  3. In the left-side navigation pane, choose Investigation > Attack Analysis.
  4. On the Attack Analysis page, select an attack type and a time range to query attack events.
    • Attack type: You can select Web Resource Exhaustion Attack, Connection Flood Attack, Volumetric Attack, or All attack types.
    • Time range: You can select One Day, Seven Days, or One Month. You can also specify a custom time range. A custom time range must be within the last 180 days.
    The Attack Analysis page displays the following information:
    • In the upper part of the page, Peak of Volumetric Attack (bps), Peak of Connection Flood Attack (cps), and Peak of Web Resource Exhaustion Attack (qps) are displayed.
    • In the lower part of the page, attack events are displayed. The information about each attack event includes Attack type, Attack target, Starting and ending time, and Peak of Attack.

    You can view the details of an attack event. You can click View details in the Actions column of an attack event to view the event details. For more information, see View the event details of web resource exhaustion attacks, View the event details of connection flood attacks, and View the event details of volumetric attacks.

    If you have any suggestions or questions about the protection effect of an attack event, you can click Feedback in the Actions column of the attack event. We will continue to optimize and improve the protection effect based on your suggestions.
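The filters and headline figures described in step 4 can be reproduced offline, which is useful when you triage exported event lists in a script instead of in the console. The following is an added example and is not code from the Anti-DDoS console or any Alibaba Cloud SDK: it models an attack event with the fields the page lists, applies the attack-type and time-range filters (enforcing the 180-day limit on custom ranges), and derives the three peak values in the units the page shows (bps, cps, qps). The AttackEvent record, the sample events and the assumption that One Month means 30 days are mine.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Peak units shown on the Attack Analysis page for each attack type.
PEAK_UNIT = {"Volumetric Attack": "bps", "Connection Flood Attack": "cps",
             "Web Resource Exhaustion Attack": "qps"}
# Preset ranges; "One Month" taken as 30 days (an assumption, not stated on the page).
PRESET_DAYS = {"One Day": 1, "Seven Days": 7, "One Month": 30}
MAX_CUSTOM_DAYS = 180  # a custom range must fall within the last 180 days

@dataclass
class AttackEvent:
    attack_type: str
    target: str
    start: datetime
    end: datetime
    peak: int  # measured in PEAK_UNIT[attack_type]

def resolve_range(now, preset=None, custom=None):
    """Return (start, end); a custom range must lie within the last 180 days."""
    if preset is not None:
        return now - timedelta(days=PRESET_DAYS[preset]), now
    start, end = custom
    if start > end or end > now or start < now - timedelta(days=MAX_CUSTOM_DAYS):
        raise ValueError("custom time range must be within the last 180 days")
    return start, end

def query_events(events, now, attack_type="All", preset=None, custom=None):
    """Apply the page's two filters: attack type, and a time range the event overlaps."""
    start, end = resolve_range(now, preset, custom)
    return [e for e in events
            if (attack_type == "All" or e.attack_type == attack_type)
            and e.end >= start and e.start <= end]

def peaks_by_type(events):
    """Headline peaks (bps / cps / qps), each the maximum over events of its own type."""
    peaks = {t: 0 for t in PEAK_UNIT}
    for e in events:
        peaks[e.attack_type] = max(peaks[e.attack_type], e.peak)
    return {t: (v, PEAK_UNIT[t]) for t, v in peaks.items()}

# Constructed sample events (not real attack data); "now" is fixed so results are deterministic.
NOW = datetime(2021, 10, 1, 12, 0)
SAMPLE_EVENTS = [
    AttackEvent("Volumetric Attack", "203.0.113.10", NOW - timedelta(hours=5), NOW - timedelta(hours=4), 12_000_000_000),
    AttackEvent("Connection Flood Attack", "203.0.113.10:443", NOW - timedelta(days=3), NOW - timedelta(days=2, hours=23), 150_000),
    AttackEvent("Web Resource Exhaustion Attack", "www.example.com", NOW - timedelta(days=20), NOW - timedelta(days=19), 80_000),
    AttackEvent("Volumetric Attack", "203.0.113.11", NOW - timedelta(days=200), NOW - timedelta(days=199), 50_000_000_000),
]
```

Note that the 200-day-old volumetric event is never reachable through a custom range, which is exactly the 180-day limit the page states; its 50 Gbps peak therefore only appears if you aggregate over the unfiltered list.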

View the event details of web resource exhaustion attacks

On the Attack Analysis page, find an event of the Web Resource Exhaustion Attack type and click View details in the Actions column of the event. On the Details of the incident page, view the event details and perform required operations.
Note You can query the event details of web resource exhaustion attacks that occur after 00:00 on July 15, 2021.
The following describes the information that is displayed on the Details of the incident page.

Attack Time: The point in time when the attack occurs.

Attack Target: The domain name that is attacked.

  You can click Mitigation Settings to the right of Attack Target. On the Protection for Website Services tab of the page that appears, you can configure mitigation policies for the attacked domain name. For more information, see Protection for website services.

Attack protection details: This section displays the total inbound queries per second (QPS), the trends of the QPS that trigger the policies of different protection modules during the attack, and the Effective Time of Policy and Blocked Requests of the triggered policies. In the upper-right corner of the Attack protection details section, you can specify a time range to query.

  The protection modules include Blacklist, Location Blacklist, Frequency control, Fine-grained Access Control, and Others. The Others protection module blocks requests such as requests that fail CAPTCHA verification. For more information about how to configure different protection modules, see Protection for website services.

Source Locations: This section displays the distribution of locations from which attack requests originate. You can switch between Global and Mainland China to view locations by country or by administrative region in China. You can click More to view the distribution of requests by location.

  If you want to block requests from specific locations, click Mitigation Settings in the lower-left corner of the Source Locations section. On the Protection for Website Services tab of the page that appears, configure Location Blacklist (Domain Names). For more information, see Configure a location blacklist for a domain name.

URL: This section displays the top five URLs that receive the most requests. The URLs are displayed in descending order of the number of received requests. You can click More to view all requested URLs and the distribution of the URLs. After you click More, the requested URIs and the domain names to which the URIs belong are displayed.

  If you want to configure throttling policies for specific URIs, click Mitigation Settings in the lower-left corner of the URL section. On the Protection for Website Services tab of the page that appears, configure Frequency Control. For more information, see Configure frequency control.

Blocked Requests by Protection Module: This section displays the distribution of attack requests that are blocked by different protection modules.

  You can click Mitigation Settings in the lower-left corner of the Blocked Requests by Protection Module section. On the Protection for Website Services tab of the page that appears, configure policies for different protection modules. For more information, see Protection for website services.

Top 10 Hit Policies: This section displays the distribution of the top 10 protection policies that are most frequently triggered. You can click More to view the distribution of the top 100 protection policies that are most frequently triggered.

  You can click Mitigation Settings in the lower-left corner of the Top 10 Hit Policies section. On the Protection for Website Services tab of the page that appears, configure policies for different protection modules. For more information, see Protection for website services.

In the upper-right corner of the Details of the incident page, you can click Export Report, and then click Export Image or Export to PDF to save the current event details page to your computer in the PNG or PDF format.

View the event details of connection flood attacks

On the Attack Analysis page, find an event of the Connection Flood Attack type and click View details in the Actions column. On the Details of the incident page that appears, view the event details and perform required operations.
Note You can query the event details of connection flood attacks that occur after 00:00 on September 20, 2021.
The following describes the information that is displayed on the Details of the incident page.

Attack Time: The point in time when the attack occurs.

Attack Target: The IP address and port of the instance that is attacked.

  You can click Mitigation Settings to the right of Attack Target. On the Protection for Infrastructure tab of the page that appears, you can configure mitigation policies for the instance that is attacked. For more information, see Protection for infrastructure.

Attack protection details: This section displays the trends of new connections and concurrent connections. In the upper-right corner of the Attack protection details section, you can specify a time range to query.

  The trend of new connections displays suspicious connections that are blocked by different mitigation policies. The mitigation policies include Blacklist, Location Blacklist, and Speed Limit for Source. The Speed Limit for Source policy includes Source New Connection Rate Limit, Source Concurrent Connection Rate Limit, PPS Limit for Source, and Bandwidth Limit for Source. For more information about how to configure the mitigation policies, see Configure the IP address blacklist and whitelist for an Anti-DDoS Pro or Anti-DDoS Premium instance, Configure blocked regions, and Configure the speed limit for source IP addresses.

  The trend of concurrent connections displays active and inactive connections.

Attack Source IP Addresses: This section displays the top five IP addresses from which the most suspicious connections are established and the locations to which the IP addresses belong. You can click More to view information about the top 100 source IP addresses of attacks.
  Note You can view only the top 100 source IP addresses of attacks.

  If you want to block traffic from an IP address, you can configure the Blacklist and Whitelist (Instance IP) policy for the instance that is attacked. For more information, see Configure the IP address blacklist and whitelist for an Anti-DDoS Pro or Anti-DDoS Premium instance.

Attack type: This section displays the distribution of protocols over which attack traffic originates. You can click More to view the distribution of attack types by protocol.

Attack source area: This section displays the distribution of locations from which attack requests are initiated. You can click More to view the distribution of requests by location.

  If you want to block requests from a location, you can configure the Location Blacklist policy for the instance that is attacked. For more information, see Configure blocked regions.

In the upper-right corner of the Details of the incident page, you can click Export Report, and then click Export Image or Export to PDF to save the current event details page to your computer in the PNG or PDF format.

View the event details of volumetric attacks

On the Attack Analysis page, find an event of the Volumetric Attack type and click View details in the Actions column. On the Details of the incident page, view the event details and perform required operations.
Note You can query the event details of volumetric attacks that occur after 00:00 on September 30, 2020.
The following describes the information that is displayed on the Details of the incident page.

Attack Time: The point in time when the attack occurs.

Attack Target: The IP address of the instance that is attacked.

  You can click Mitigation Settings to the right of Attack Target. On the Protection for Infrastructure tab of the page that appears, you can configure mitigation policies for the instance that is attacked. For more information, see Protection for infrastructure.

bps and pps: These tabs display the trends of inbound and outbound traffic, the traffic scrubbing bandwidth, and the packets during the attack. The bps tab displays the trends of inbound and outbound traffic and the traffic scrubbing bandwidth. The pps tab displays the trends of packets.

Source IP (Top 10): This section displays the top 10 IP addresses from which the most requests are initiated and the locations to which the IP addresses belong. You can click More to view information about the top 100 source IP addresses.
  Note The top 100 source IP addresses include the source IP addresses of attacks and the source IP addresses of normal requests.

  If you want to block traffic from specific IP addresses, click Blacklist Settings in the lower-left corner of the Source IP (Top 10) section. On the Protection for Infrastructure tab of the page that appears, configure the Blacklist and Whitelist (Instance IP) policy. For more information, see Configure the IP address blacklist and whitelist for an Anti-DDoS Pro or Anti-DDoS Premium instance.

Attack source ISP: This section displays the distribution of Internet service providers (ISPs) from which attack traffic originates. You can click More to view the distribution of requests by ISP.
  Note The Attack source ISP section is available only in the Anti-DDoS Pro console.

Attack source area: This section displays the distribution of locations from which attack traffic originates. You can click More to view the distribution of requests by location.

  If you want to block traffic from specific locations, click Geo-blocking Settings in the lower-left corner of the Attack source area section. On the Protection for Infrastructure tab of the page that appears, configure the Location Blacklist policy. For more information, see Configure blocked regions.

Attack type: This section displays the distribution of protocols over which attack traffic originates. You can click More to view the distribution of attack types by protocol.

In the upper-right corner of the Details of the incident page, you can click Export Report, and then click Export Image or Export to PDF to save the current event details page to your computer in the PNG or PDF format.