Anti-DDoS: View information on the Attack Analysis page

Last Updated: Mar 28, 2024

After you add your service to your Anti-DDoS Proxy instance, you can view the events and details of attacks that are detected on the instance, including the source IP addresses of attacks, the distribution of attack types, and the distribution of source locations. This makes the protection process transparent and easier to analyze. You can also customize the configurations based on your business requirements. This topic describes how to query attack events on the Attack Analysis page.

Attack event types

Attack event type

Description

Web Resource Exhaustion

Attackers simulate regular users to send service requests to a web service whose domain name is added to an Anti-DDoS Proxy instance. The attackers frequently access pages that consume a large number of resources in the web service. As a result, the resources of the servers are exhausted, and the web service cannot respond to normal service requests.

If attackers send service requests to multiple domain names that are added to an Anti-DDoS Proxy instance at the same time, multiple events of web resource exhaustion attacks are recorded.

Connection Type

Attackers establish TCP or UDP connections to a service port that is added to an Anti-DDoS Proxy instance. As a result, the servers of the service are overloaded and cannot process new connection requests, and service failures may occur.

If attackers send connection requests to multiple service ports that are added to an Anti-DDoS Proxy instance at the same time, multiple events of connection flood attacks are recorded.

Volumetric

Attackers send a multitude of service requests from a large number of zombie servers to the IP address of an Anti-DDoS Proxy instance at the same time. As a result, the network devices and servers are overloaded, and network congestion and service failures may occur.

If attackers send service requests to the IP addresses of multiple Anti-DDoS Proxy instances at the same time, multiple volumetric attack events are recorded.

Prerequisites

Query attack events

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.

  3. In the left-side navigation pane, choose Investigation > Attack Analysis.

  4. On the Attack Analysis page, select an attack type and a time range to query attack events.

    Note

    You can query attack events only from the previous 180 days.

  5. Optional. Click View Details in the Actions column to view the details of an attack event. For more information, see View the event details of web resource exhaustion attacks, View the event details of connection flood attacks, and View the event details of volumetric attacks.

If you have any suggestions or questions about the protection effect of an attack event, you can click Effect Feedback in the Actions column of the attack event. We will continue to optimize and improve the protection effect based on your suggestions.

Event details of web resource exhaustion attacks

You can view event details and configure specific protection items for the domain name of a service.

Information

Description

Attack Time

The point in time when the attack occurs.

Attack Target

The domain name that is attacked.

You can click Mitigation Settings to the right of Attack Target. On the Protection for Website Services tab of the page that appears, you can configure mitigation policies for the domain name that is attacked. For more information, see Protection for website services.

Attack Mitigation Details

This section displays the total inbound queries per second (QPS), the trends of the QPS that trigger the policies of different protection modules during the attack, and the Effective Time of Policy and Blocked Requests values of the triggered policies. In the upper-right corner of the Attack Mitigation Details section, you can specify a time range to query.

The protection modules include Blacklist, Location Blacklist, Frequency Control, Accurate Access Control, and Others. The Others protection module blocks requests such as the requests that fail CAPTCHA verification. For more information about how to configure different protection modules, see Protection for website services.

Attacker IP Address

This section displays the top 10 IP addresses from which the most suspicious connections are established and the locations to which the IP addresses belong. You can click More to view information about the top 100 source IP addresses.

Note

You can view only the top 100 source IP addresses of attacks.

If you want to block traffic from an IP address, click Mitigation Settings in the lower-left corner of the Attacker IP Address section. Then, configure the Blacklist/Whitelist (Domain Names) policy. For more information, see Configure the IP address blacklist and whitelist for an Anti-DDoS Proxy instance.

Source Location

This section displays the distribution of locations from which attack requests originate. You can switch between Global and Chinese Mainland to view locations by country or by administrative region in China. You can click More to view the distribution of requests by location.

If you want to block requests from a location, click Mitigation Settings in the lower-left corner of the Source Location section. Then, configure the Location Blacklist (Domain Names) policy. For more information, see Configure blocked regions.

URL

This section displays the top five URLs that receive the most requests. The URLs are displayed in descending order of the number of received requests. You can click More to view all requested URLs and the distribution of the URLs. After you click More, the requested URIs and the domain names to which the URIs belong are displayed.

If you want to configure throttling policies for specific URIs, click Mitigation Settings in the lower-left corner of the URL section. Then, configure the Frequency Control policy. For more information, see Configure frequency control.

Blocked Requests by Protection Module

This section displays the distribution of attack requests that are blocked by different protection modules.

You can click Mitigation Settings in the lower-left corner of the Blocked Requests by Protection Module section and configure policies for different protection modules. For more information, see Protection for website services.

Top 10 Hit Policies

This section displays the distribution of top 10 protection policies that are most frequently triggered. You can click More to view the distribution of the top 100 protection policies that are most frequently triggered.

You can click Mitigation Settings in the lower-left corner of the Top 10 Hit Policies section and configure policies for different protection modules. For more information, see Protection for website services.

In the upper-right corner of the Event Details page, you can click Export Report, and then click Export Image or Export to PDF to save the current event details page to your computer in the PNG or PDF format.

Event details of connection flood attacks

You can view event details and configure specific protection items for an Anti-DDoS Proxy instance.

Information

Description

Attack Time

The point in time when the attack occurs.

Attack Target

The IP address and port of the instance that is attacked.

You can click Mitigation Settings to the right of Attack Target. On the Protection for Infrastructure tab of the page that appears, you can configure mitigation policies for the instance that is attacked. For more information, see Protection for infrastructure.

Attack Mitigation Details

This section displays the trends of New Connections and Concurrent Connections. In the upper-right corner of the Attack Mitigation Details section, you can specify a time range to query.

The trend of new connections displays suspicious connections that are blocked by different mitigation policies. The mitigation policies include Blacklist, Location Blacklist, and Rate Limit for Source. The Rate Limit for Source policy includes New Connections Limit for Source, Concurrent Connections Limit for Source, PPS Limit for Source, and Bandwidth Limit for Source. For more information about how to configure the mitigation policies, see Configure the IP address blacklist and whitelist for an Anti-DDoS Proxy instance, Configure blocked regions, and Configure the speed limit for source IP addresses.

The trend of concurrent connections displays Active and Inactive connections.

Attack Source IP Addresses

This section displays the top five IP addresses from which the most suspicious connections are established and the locations to which the IP addresses belong. You can click More to view information about the top 100 source IP addresses of attacks.

Note

You can view only the top 100 source IP addresses of attacks.

If you want to block traffic from an IP address, you can configure the Blacklist and Whitelist (IP address-based) policy for the instance that is attacked. For more information, see Configure the IP address blacklist and whitelist for an Anti-DDoS Proxy instance.

Attack Type

This section displays the distribution of protocols over which attack traffic originates. You can click More to view the distribution of attack types by protocol.

Attack Source Location

This section displays the distribution of locations from which attack requests are initiated. You can click More to view the distribution of requests by location.

If you want to block requests from a location, you can configure the Location Blacklist policy for the instance that is attacked. For more information, see Configure blocked regions.

In the upper-right corner of the Event Details page, you can click Export Report, and then click Export Image or Export to PDF to save the current event details page to your computer in the PNG or PDF format.

Event details of volumetric attacks

You can view event details and configure specific protection items for an Anti-DDoS Proxy instance.

Information

Description

Attack Time

The point in time when the attack occurs.

Attack Target

The IP address of the instance that is attacked.

You can click Mitigation Settings to the right of Attack Target. On the Protection for Infrastructure tab of the page that appears, you can configure mitigation policies for the instance that is attacked. For more information, see Protection for infrastructure.

Attack Mitigation Details

The bps tab displays the trends of inbound and outbound bandwidth and the traffic scrubbing bandwidth.

The pps tab displays the trends of inbound and outbound packets and the traffic scrubbing packets.

Source IP Address

This section displays the top 10 IP addresses from which the most requests are initiated and the locations to which the IP addresses belong. You can click More to view information about the top 100 source IP addresses.

Note

The top 100 source IP addresses include the source IP addresses of attacks and the source IP addresses of normal requests.

If you want to block traffic from specific IP addresses, click Blacklist Settings in the lower-left corner of the Source IP Address section. Then, configure the Blacklist and Whitelist (IP address-based) policy. For more information, see Configure the IP address blacklist and whitelist for an Anti-DDoS Proxy instance.

Attack Source ISP

This section displays the distribution of Internet service providers (ISPs) from which attack traffic originates. You can click More to view the distribution of requests by ISP.

Note

The Attack Source ISP section is available only in the Anti-DDoS Proxy (Chinese Mainland) console.

Attack Source Location

This section displays the distribution of locations from which attack traffic originates. You can click More to view the distribution of requests by location.

If you want to block traffic from specific locations, click Location Blacklist Settings in the lower-left corner of the Attack Source Location section. Then, configure the Location Blacklist policy. For more information, see Configure blocked regions.

Attack Type

This section displays the distribution of protocols over which attack traffic originates. You can click More to view the distribution of attack types by protocol.

Destination Port

This section displays the proportion of the attacked ports. You can click More to view the proportion of each attacked port.

In the upper-right corner of the Event Details page, you can click Export Report, and then click Export Image or Export to PDF to save the current event details page to your computer in the PNG or PDF format.
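
The note in the Source IP Address row for volumetric attacks states that the top 100 list mixes attack sources with sources of normal requests, so the list should be vetted before it is fed into the Blacklist and Whitelist (IP address-based) policy. The following is an added example, not code from the product or its documentation: it filters rows transcribed from that list against an allowlist of known-good networks and a request threshold. The row format, the allowlist, the threshold, and the function name are assumptions, and all addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample: (source IP, request count) rows as they might be
# transcribed from the Source IP Address list of a volumetric event.
TOP_SOURCES = [
    ("203.0.113.7", 48210),
    ("198.51.100.23", 39877),
    ("192.0.2.10", 35012),      # assumed: our own uptime probe
    ("203.0.113.9", 30110),
    ("198.51.100.200", 27450),  # assumed: partner egress address
    ("203.0.113.77", 85),       # low volume, likely a normal client
]

# Assumed allowlist of networks that must never be blacklisted
# (monitoring probes, partner ranges, office egress).
KNOWN_GOOD = ["192.0.2.0/28", "198.51.100.192/26"]


def blacklist_candidates(rows, known_good, min_requests):
    """Split top-source rows into blacklist candidates and skipped entries.

    A row is skipped when its address falls inside a known-good network or
    when its request count is below min_requests. Each skipped entry keeps
    the reason so that the decision can be reviewed later.
    """
    good_nets = [ipaddress.ip_network(net) for net in known_good]
    candidates, skipped = [], []
    for raw_ip, count in rows:
        ip = ipaddress.ip_address(raw_ip)  # raises ValueError on bad input
        match = next((net for net in good_nets if ip in net), None)
        if match is not None:
            skipped.append((raw_ip, f"known-good {match}"))
        elif count < min_requests:
            skipped.append((raw_ip, "below threshold"))
        else:
            candidates.append(raw_ip)
    return candidates, skipped


if __name__ == "__main__":
    to_block, left_alone = blacklist_candidates(TOP_SOURCES, KNOWN_GOOD, 1000)
    print("blacklist candidates:", to_block)
    for ip, reason in left_alone:
        print(f"skipped {ip}: {reason}")
```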