Help Center/ Anti-DDoS Service/ User Guide/ Advanced Anti-DDoS User Guide/ Managing Protection Logs/ Viewing Protection Details
Updated on 2024-09-26 GMT+08:00
View PDF
Share

Viewing Protection Details

Scenarios

After your services are connected to AAD, you can view the DDoS and CC protection details of different lines in an AAD instance on the dashboard to learn about the current network security state.

On the Dashboard page, you can view the following protection details:
  • DDoS Attack Protection

    The Dashboard page gives an overview of the peak ingress traffic, peak attack traffic, and number of DDoS attacks, and shows the attack type distribution, DDoS attack events, and top 5 attack types scrubbed on two tab pages Traffic and Packet Rate.

  • CC Attack Protection

    The Dashboard page gives an overview of number of requests and attacks, attack type distribution, and top 5 attacked source IP addresses.

Precautions

  • The protection details cannot be downloaded.
  • On the Dashboard page, you can view the following protection details of the following time ranges:
    • DDoS Attack Protection

      You can select an AAD instance and a line to view the DDoS protection details of last 24 hours, last 3 days, last 7 days, last 30 days, or a custom period (maximum of last 90 days).

    • CC Attack Protection

      You can select a specific domain name or all domain names from the domain name drop-down list to view the CC protection details of yesterday, today, last 3 days, last 7 days, or last 30 days.

Prerequisites

You have purchased an AAD instance.

Viewing DDoS Attack Protection Details

  1. Log in to the management console.
  2. Select a region in the upper part of the page, click in the upper left corner of the page, and choose Security & Compliance > Anti-DDoS Service. The Anti-DDoS Service Center page is displayed.
  3. In the navigation pane on the left, choose Advanced Anti-DDoS > Dashboard. The Dashboard page is displayed.
  4. Click the DDoS Attack Protection tab.
  5. Select an instance, line, and time range (last 24 hours, last 3 days, last 7 days, last 30 days, or a custom period). Table 1 describes the related parameters.

    Table 1 Parameter description

    Parameter

    Description

    Peak Ingress Traffic

    Maximum traffic accessing the specified IP address of a specified instance per second

    Peak Attack Traffic

    Maximum traffic attacking the specified IP address of a specified instance per second

    DDoS Attacks

    Number of DDoS attacks launched on the specified IP address of a specified instance

    Traffic

    Trend charts of received traffic and attack traffic

    Packet Rate

    Trend charts of received packets and attack packets

    Attack Type Distribution

    Types of attack events

    • You can click Attacks then click any colored section in the displayed circle to see the type, count, and percentage of an attack.
    • You can click Attack traffic then click any colored section in the displayed circle to see the type, traffic, and traffic percentage of an attack.

    Top 5 Attack Types Scrubbed (Kbit/s)

    Top 5 attack types that have been scrubbed

    DDoS Attack Event

    Details about DDoS attacks

    • Click Details next to the attack source IP address to view the complete attack source IP address list.
    • Click View Dynamic Blacklist to view the blacklisted IP addresses that are in attack.
    • Click Export to export the security event report.
    NOTE:

    Note the following points about the attack source field in the DDoS attack event report:

    • The attack sources of ongoing attacks may not be displayed.
    • Some attack events contain only some attack types. Their attack sources are not displayed.
    • Attack sources are sampled randomly. Not all attack source information is displayed.

    Blackhole Event

    Blocked IP address, blocking status, blocking start time, and blocking end time.

    Click Export to export the blackhole event report.

    In the traffic or packet chart on the DDoS Attack Protection page, the display granularity varies according to the query interval. The details are as follows:

    • Query time < 20 minutes: The display granularity is 1 minute.
    • 20 minutes < Query time < 40 minutes: The display granularity is 2 minutes.
    • 40 minutes < Query time < 60 minutes: The display granularity is 3 minutes.
    • 1 hour < Query time ≤ 6 hours: The display granularity is 5 minutes.
    • 6 hours < Query time ≤ 24 hours: The display granularity is 10 minutes.
    • 1 day < Query time ≤ 7 days: The display granularity is 30 minutes.
    • 7 days < Query time ≤ 15 days: The display granularity is 1 hour.
    • 15 days < Query time ≤ 30 days: The display granularity is 14 hours.

Viewing CC Attack Protection Details

  1. Log in to the management console.
  2. Select a region in the upper part of the page, click in the upper left corner of the page, and choose Security & Compliance > Anti-DDoS Service. The Anti-DDoS Service Center page is displayed.
  3. In the navigation pane on the left, choose Advanced Anti-DDoS > Dashboard. The Dashboard page is displayed.
  4. Click the CC Attack Protection tab.
  5. Select a domain name and time range. For details about related parameters, see Table 2.

    Figure 1 CC Attack Protection
    Table 2 Parameter description

    Parameter

    Description

    Requests

    Total number of requests to a specified domain name

    If you select All domain names, the total number of requests to all domain names with WAF enabled is collected.

    Peak Request Rate

    Maximum number of requests to a specified domain name per second

    If you select All domain names, the maximum number of requests to all domain names with WAF enabled is collected per second.

    Attacks

    Number of attacks towards a specified domain name

    QPS

    Average number of requests per second for the domain name.

    Queries Per Second (QPS) indicates the number of requests per second. For example, an HTTP GET request is also called a query.

    Bandwidth

    Average: average value of the outbound bandwidth and the inbound bandwidth.

    Peak: peak value of the outbound bandwidth and the inbound bandwidth.

    Response Code
    • AAD Response: indicates the response code returned by AAD to the client and the number of responses.
    • Origin Server Response: indicates the response code returned by the origin server to AAD and the number of responses.

    Attacking Sources

    Number of sources that attack a specified domain name

    Request Statistics
    • Requests: trend chart for the access requests
    • Attacks: trend chart for attacks

    Attack Type Distribution

    Types of attack events

    • You can click any colored area in the attack distribution circle under Attack Type Distribution to view the type, count, and proportion of an attack.
    • To stop displaying information about a specific type of attacks, click the legend with the same color to the right of the circle.

    Attack Type Distribution (Times)

    Number of attacks of different types.

    Top 100 Attack Source IP Addresses

    Top 100 attack source IP addresses.

    TOP 100 URLs

    Top 100 attacked URLs.

    Attack Event

    For details about attack event parameters, see Table 3.

    Click Export to export the attack event report.
    Table 3 Attack event parameters

    Parameter

    Description

    Target

    Specifies an attacked domain name.

    Attacked URL

    Specifies the URL of the protected domain name, for example, /4b87ef.

    Attack Type

    Indicates the type of the attack, for example, frequency control.

    Time

    Time when the attack occurred.

    Protective Action

    Protective actions.

    • Block
    • Log only
    • Verification code

    Source IP

    Indicates the IP address of the attacker.

Parent topic: Managing Protection Logs