After you add your service to Anti-DDoS Pro or Anti-DDoS Premium, you can view the events and details of attacks on the Attack Analysis page. This way, you can view the protection status of your service. You can also provide feedback on the protection effect. This topic describes how to view information on the Attack Analysis page.
Prerequisites
- An Anti-DDoS Pro or Anti-DDoS Premium instance is purchased.
For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.
- Your service is added to Anti-DDoS Pro or Anti-DDoS Premium.
For more information about how to add website services, see Add a website.
For more information about how to add non-website services, such as client gaming, mobile gaming, and app services, see Create forwarding rules.
Background information
The Attack Analysis page displays DDoS attack events and the event details. On the Attack Analysis page, you can view the information about an attack event, such as the attack target, start time and end time of the attack, and peak attack traffic. You can also provide feedback on the protection effect.
- Volumetric attack events: Attackers send a multitude of service requests from a large number
of zombie servers to the IP address of an Anti-DDoS Pro or Anti-DDoS Premium instance
at the same time. As a result, the network devices and servers are overloaded, and
network congestion and service failures may occur.
If attackers send service requests to multiple IP addresses of your Anti-DDoS Pro instances or Anti-DDoS Premium instances at the same time, multiple volumetric attack events are recorded.
- Events of web resource exhaustion attacks: Attackers simulate normal users to send service requests to a web service
whose domain name is added to an Anti-DDoS Pro or Anti-DDoS Premium instance. The
attackers frequently access pages that consume large amounts of resources in the web
service. As a result, the resources of the servers are exhausted, and the web service
cannot respond to normal service requests. For more information about how to add a
domain name to an Anti-DDoS Pro or Anti-DDoS Premium instance, see Add a website.
If attackers send service requests to multiple domain names that are protected by an Anti-DDoS Pro or Anti-DDoS Premium instance at the same time, multiple events of web resource exhaustion attacks are recorded.
- Events of connection flood attacks: Attackers establish TCP or UDP connections to a service port that is added
to an Anti-DDoS Pro or Anti-DDoS Premium instance. As a result, the servers of the
service are overloaded and cannot process new connection requests, and service failures
may occur. For more information about how to add a service port to an Anti-DDoS Pro
or Anti-DDoS Premium instance by using ports, see Create forwarding rules.
If attackers send connection requests to multiple service ports that are added to an Anti-DDoS Pro or Anti-DDoS Premium instance at the same time, multiple events of connection flood attacks are recorded.
You can also view the event details on the Attack Analysis page. The details include the source IP addresses, attack types, and source locations. This allows you to view the attack mitigation process in a visualized manner. This also improves user experience.
Query attack events
View event details of volumetric attacks

- In the upper part of the page, Attack Time, Attack Target, Peak of attack bandwidth (bps), and Peak of attack packet (pps) are displayed. The Attack Target parameter indicates the IP address of an Anti-DDoS
Pro or Anti-DDoS Premium instance.
You can click Mitigation Settings next to Attack Target. On the Protection for Infrastructure tab of the page that appears, you can configure mitigation policies for the Anti-DDoS Pro or Anti-DDoS Premium instance that is attacked. For more information, see Configure the IP address blacklist and whitelist for an Anti-DDoS Pro or Anti-DDoS Premium instance.
- Attack protection details: displays the trends of inbound and outbound traffic, the traffic scrubbing bandwidth, and the packets during the attack. The bps tab displays the trends of inbound and outbound traffic and the traffic scrubbing bandwidth. The pps tab displays the trends of packets.
- Attack source IP: displays the top 10 IP addresses from which the most attacks are launched and the
locations to which the IP addresses belong. You can click More to view information about the top 100 source IP addresses.
Note The top source 100 IP addresses include the source IP addresses of attacks and the source IP addresses of normal requests.
If you want to block traffic from specific IP addresses, click Blacklist Settings in the lower-left corner of the Attack source IP section. On the Protection for Infrastructure tab of the page that appears, configure Blacklist and Whitelist (Instance IP). For more information, see Configure the IP address blacklist and whitelist for an Anti-DDoS Pro or Anti-DDoS Premium instance.
- Attack source ISP: displays the distribution of Internet service providers (ISPs) from which attack
traffic originates. You can click More to view the distribution of requests by ISP.
Notice The Attack source ISP section is available only in the Anti-DDoS Pro console.
- Attack source area: displays the distribution of locations from which attack traffic originates. You
can click More to view the distribution of requests by location.
If you want to block traffic from specific locations, click Geo-blocking Settings in the lower-left corner of the Attack source area section. On the Protection for Infrastructure tab of the page that appears, configure Blocked Regions. For more information, see Configure blocked regions.
- Attack type: displays the distribution of protocols that are used to launch attacks. You can click More to view the distribution of attack types by protocol.
In the upper-right corner of the Details of the incident page, you can click Export Report, and then click Export as PNG or Export as PDF to save the current event details page to your computer in the PNG or PDF format.
View event details of web resource exhaustion attacks
- In the upper part of the page, Attack Time, Attack Target, Peak Requests (QPS), Total Received Requests, and Total Blocked Requests are displayed. The Attack Target parameter indicates the domain name that is added
to an Anti-DDoS Pro or Anti-DDoS Premium instance.
You can click Mitigation Settings next to Attack Target. On the Protection for Website Services tab of the page that appears, you can configure mitigation policies for the attacked domain name. For more information, see Use the intelligent protection feature.
- Attack protection details: displays the total inbound queries per second (QPS), the trends of the QPS that
trigger the policies of different protection modules during the attack, and Effective Time of Policies and Blocked Requests of the triggered policies.
The protection modules include Blacklist, Blocked Regions, Frequency Control, Accurate Access Control, and Others. The Others protection module blocks requests such as the requests that fail CAPTCHA verification. For more information about how to configure different protection modules, see Use the intelligent protection feature.
In the upper-right corner of the Attack protection details section, you can specify a time range to query.
- Source Areas of Attacks: displays the distribution of locations from which attack requests originate. You
can switch between Global and Mainland China to view locations by country or by administrative region in China. You can click
More to view the distribution of requests by location.
If you want to block requests from specific locations, click Mitigation Settings in the lower-left corner of the Source Areas of Attacks section. On the Protection for Website Services tab of the page that appears, configure Blocked Regions (Domain Names). For more information, see Configure blocked regions for domain names.
- URL: displays the top five URLs that receive the most requests. The URLs are displayed
in descending order of the number of received requests. You can click More to view all requested URLs and the distribution of the URLs. After you click More,
the requested URIs and the domain names to which the URIs belong are displayed.
If you want to configure throttling policies for specific URIs, click Mitigation Settings in the lower-left corner of the URL section. On the Protection for Website Services tab of the page that appears, configure Frequency Control. For more information, see Configure frequency control.
- Requests Blocked by Protection Modules: displays the distribution of requests that are blocked by different protection modules.
You can click Mitigation Settings in the lower-left corner of the Requests Blocked by Protection Modules section. On the Protection for Website Services tab of the page that appears, configure policies for different protection modules. For more information, see Use the intelligent protection feature.
- Top 10 Policies: displays the distribution of the top 10 policies that are most frequently triggered.
You can click More to view the distribution of the top 100 protection policies that are most frequently
triggered.
You can click Mitigation Settings in the lower-left corner of the Top 10 Policies section. On the Protection for Website Services tab of the page that appears, configure policies for different protection modules. For more information, see Use the intelligent protection feature.
In the upper-right corner of the Details of the incident page, you can click Export Report, and then click Export as PNG or Export as PDF to save the current event details page to your computer in the PNG or PDF format.
View event details of connection flood attacks
- In the upper part of the page, Attack Time, Attack Target, Maximum Concurrent Connections, and Maximum New Connections are displayed. The Attack Target parameter indicates the IP address and port number
of an Anti-DDoS Pro or Anti-DDoS Premium instance. The value of the Maximum Concurrent
Connections parameter indicates the maximum number of concurrent connections. The
value of the Maximum New Connections parameter indicates the maximum number of new
connections per second.
You can click Mitigation Settings next to Attack Target. On the Protection for Infrastructure tab of the page that appears, you can configure mitigation policies for the Anti-DDoS Pro or Anti-DDoS Premium instance that is attacked. For more information, see Configure the IP address blacklist and whitelist for an Anti-DDoS Pro or Anti-DDoS Premium instance.
- Attack protection details: displays the trends of new connections and concurrent connections.
The trend of new connections displays suspicious connections that are blocked by different mitigation policies. The mitigation policies include Blacklist, Blocked Regions, and Speed Limit for Source. The Speed Limit for Source policy includes Source Concurrent Connection Rate Limit, PPS Limit for Source, and Bandwidth Limit for Source. For more information about how to configure the mitigation policies, see Configure the IP address blacklist and whitelist for an Anti-DDoS Pro or Anti-DDoS Premium instance, Configure blocked regions, and Configure the speed limit for source IP addresses.
The trend of concurrent connections displays active and inactive connections.
In the upper-right corner of the Attack protection details section, you can specify a time range to query.
- Attack source IP: displays the top five IP addresses from which the most suspicious connections are
established and the locations to which the IP addresses belong. You can click More to view information about the top 100 source IP addresses of attacks.
Note You can view only the top 100 source IP addresses of attacks.
If you want to block traffic from an IP address, you can configure the Blacklist and Whitelist (Instance IP) policy for the instance that is attacked. For more information, see Configure the IP address blacklist and whitelist for an Anti-DDoS Pro or Anti-DDoS Premium instance.
- Attack type: displays the distribution of protocols that are used to initiate attacks. You can click More to view the distribution of attack types by protocol.
- Attack source area: displays the distribution of locations from which attack requests originate. You
can click More to view the distribution of requests by location.
If you want to block requests from a location, you can configure the Blocked Regions policy for the instance that is attacked. For more information, see Configure blocked regions.
In the upper-right corner of the Details of the incident page, you can click Export Report, and then click Export as PNG or Export as PDF to save the current event details page to your computer in the PNG or PDF format.