Security Center supports the attack awareness feature. The feature lists and analyzes the attacks against your assets. This topic describes the statistics provided by the attack analysis feature. The statistics include the total number of attacks, distribution of attack types, top 5 attack sources, top 5 attacked assets, and the attack list.
Only the Enterprise and Ultimate editions of Security Center support this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.
The attack awareness feature provides basic attack detection and prevention based on the protection capabilities of Alibaba Cloud. After Security Center detects basic attacks, Security Center blocks and handles the attacks. The attack statistics are displayed on the Attack Awareness page. You do not need to handle the attacks. You can analyze or troubleshoot the attacks that may cause major risks based on the source addresses. We recommend that you develop a more refined and precise defense system to optimize your firewalls and enhance your business security.
You can log on to the Security Center console and choose to view the details about the attacks against your assets in the specified time range.
- Attacks: the total number of attacks against your assets.
- Attack Type Distribution: the attack types and the number of attacks of each type.
- Top 5 Attack Sources: the top 5 IP addresses that are most frequently used to launch attacks.
- Top 5 Attacked Assets: the top 5 assets that encountered the most attacks.
- Attack list: the details about all attacks. The details include the attack time, source IP address, attacked asset, attack type, and attack status.
On the Attack Awareness page, you can specify a time range to view the attack details. You can view the attack analysis statistics of the current day, last 7 days, or last 30 days. You can also set Time Range to Custom to view the statistics of a time range within the last 30 days.
- After you purchase an Alibaba Cloud service, you must wait approximately 3 hours until the attack statistics of the Alibaba Cloud service are synchronized to Security Center. After the synchronization is complete, you can view the attack details.
- The attack statistics that are analyzed by the attack awareness feature are collected by Security Center, Alibaba Cloud, and Web Application Firewall (WAF). You must activate WAF before WAF can collect the attack statistics.
Attack Type Distribution
Top 5 Attack Sources
Top 5 Attacked Assets
Parameters in the attack list
|Attacked At||The time when the attack is detected.|
|Attack Source||The source IP address and region from which the attack is initiated.|
|Attacked Asset||The name, public IP address, and private IP address of the attacked asset.|
|Attack Method||The HTTP request method that is used to initiate the attack. The methods include POST and GET.|
|Port||The port that the attacked asset uses. This parameter is displayed only when the type of the attack is SSH brute-force attack.|
|Attack Type||The type of the attack, such as SSH brute-force attack or code running.|
|Attack Status||The status of the attack. Security Center uses the protection capabilities of Alibaba Cloud to block common attacks. The status of a blocked attack is Blocked. The intrusion events are displayed on the Alerts page.|
In the attack list, you can perform the following operations:
- Search for an attack
To search for an attack and view the details about the attack, specify search conditions above the attack list. Search conditions include the attack type, attacked asset, source IP address, and port number.
- View the details about an attacked asset
To view the details about an attacked asset, move the pointer over the name of the attacked asset in the Attacked Asset column.
- Export the attack list
To export and save the attack list to your computer, click the icon in the upper-left corner of the attack list. The exported file is in the Excel format.
- Disable a defense rule
To disable the defense rule that automatically blocks an attack of the AntSword Communication with Webshells, Chopper Communication with Webshells, or XISE Communication with Webshells type, perform the following operations: Move the pointer over the icon in the Attack Type column. In the Are you sure that you want to disable the rule? dialog box, click Go to the Malicious behavior Defense page. On the Malicious behavior Defense page, disable the defense rule.