Updated on 2025-05-19 GMT+08:00

Analyzing Malicious Access Addresses Through Logs

Scenario

If your domain name is attacked, you can analyze logs generated during the attack period to help you harden security configurations, such as referer validation and IP address access control list (ACL).

CDN logs contain user access information. An example of CDN logs is as follows:
[05/Feb/2018:07:54:52 +0800] x.x.x.x 1 "-" "HTTP/1.1" "GET" "www.test.com" "/test/1234.apk" 206 720 HIT "Mozilla/5.0 (Linux; U; Android 6.0; zh-cn; EVA-AL10 Build/HUAWEIEVA-AL10) AppleWebKit/533.1 (KHTML, like Gecko) Mobile Safari/533.1" "bytes=-256" x.x.x.x

Table 1 describes each field (from left to right) in the log.

Table 1 Fields in CDN logs

No. | Description | Example
1 | Log generation time | [05/Feb/2018:07:54:52 +0800]
2 | Access IP address | x.x.x.x
3 | Time to last byte (ms) | 1
4 | Referer information | -
5 | HTTP protocol identifier | HTTP/1.1
6 | HTTP request method | GET
7 | Acceleration domain name | www.test.com
8 | Request path | /test/1234.apk
9 | HTTP status code | 206
10 | Response size (bytes) | 720
11 | Cache hit status | HIT
12 | User-Agent information, which lets servers recognize the client's OS, OS version, CPU, browser, and browser version | Mozilla/5.0 (Linux; U; Android 6.0; en-us; EVA-AL10 Build/HUAWEIEVA-AL10) AppleWebKit/533.1 (KHTML, like Gecko) Mobile Safari/533.1
13 | Range information, which specifies the positions of the first and last bytes of the data to be returned | bytes=-256
14 | Server IP address: IP address of the CDN server that sends the response | x.x.x.x

The Range field (No. 13) can be expressed in the following three ways:

  • bytes=x-y: requesting content from the xth to the yth byte.
  • bytes=-y: requesting the last y bytes of the content.
  • bytes=x-: requesting content from the xth byte to the last byte.

Procedure

  1. Log in to the Huawei Cloud console. Choose Service List > Content Delivery & Edge Computing > Content Delivery Network.

    The CDN console is displayed.

  2. In the navigation pane, choose Logs.
  3. Select the acceleration domain name and specify the time range for the query.
  4. Click Download in the row of the desired log to download the log file to a local computer.
  5. After the logs are downloaded, open them in Excel, filter the fields that you are interested in, and analyze them.
    • Resources accessed by users: If requests concentrate on a few resources while visitor IP addresses are scattered, the traffic may be caused by newly added resources.
    • Visitor IP addresses: If most requests come from a few IP address segments, the traffic volume is high, and those requests concentrate on a few URLs, the visitor IP addresses may be malicious. In this case, add these IP addresses to the blacklist. For details, see IP ACL.
    • User-Agent information: Check whether uncommon User-Agent headers exist to determine whether the requests are attacks. If they are, configure a User-Agent ACL.
    • You can also use other fields, such as the referer and cache hit status, or combine several fields, to identify common access features and harden the corresponding protection measures.
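The analysis in step 5 can be done on the downloaded log file without Excel. The following Python script is an added example, not code from the Huawei Cloud documentation or the CDN service: it parses the 14-field line format of Table 1, then applies the three checks from step 5 (which paths are requested most, which IP address segments send most of the traffic and aim it at a single URL, and which User-Agent strings do not look like browsers). The sample log lines are constructed for this example using RFC 5737 documentation addresses; the regex assumes that quoted fields never contain embedded double quotes, and the /24 (IPv4) and /64 (IPv6) grouping, the 50 % share and 80 % path-concentration thresholds, and the "starts with Mozilla/" browser heuristic are this example's own choices, not values stated on the page.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# One named group per field of Table 1, left to right.
# Assumption (not stated on the page): quoted fields contain no embedded '"'.
LOG_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<client_ip>\S+) (?P<ttlb_ms>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<protocol>[^"]*)" "(?P<method>[^"]*)" '
    r'"(?P<domain>[^"]*)" "(?P<path>[^"]*)" (?P<status>\d{3}) (?P<size>\d+) '
    r'(?P<cache>\S+) "(?P<user_agent>[^"]*)" "(?P<range>[^"]*)" (?P<server_ip>\S+)$'
)

# Constructed sample log: three ordinary browser requests, one malformed line,
# then seven requests from one /24 that all fetch the same APK with an empty UA.
NORMAL_LINES = [
    '[05/Feb/2018:07:54:52 +0800] 198.51.100.7 1 "-" "HTTP/1.1" "GET" "www.test.com" "/test/1234.apk" 206 720 HIT "Mozilla/5.0 (Linux; U; Android 6.0; zh-cn; EVA-AL10 Build/HUAWEIEVA-AL10) AppleWebKit/533.1 (KHTML, like Gecko) Mobile Safari/533.1" "bytes=-256" 192.0.2.1',
    '[05/Feb/2018:07:54:53 +0800] 198.51.100.7 2 "https://www.test.com/" "HTTP/1.1" "GET" "www.test.com" "/index.html" 200 5120 HIT "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" "-" 192.0.2.1',
    '[05/Feb/2018:07:54:55 +0800] 198.51.100.23 3 "https://www.test.com/" "HTTP/1.1" "GET" "www.test.com" "/images/logo.png" 200 2048 MISS "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" "-" 192.0.2.1',
    'this line is deliberately malformed and must be skipped by the parser',
]
FLOOD_LINES = [
    f'[05/Feb/2018:07:55:{i:02d} +0800] 203.0.113.{10 + i % 4} 1 "-" "HTTP/1.1" "GET" '
    f'"www.test.com" "/test/1234.apk" 200 88000 HIT "-" "-" 192.0.2.1'
    for i in range(7)
]
SAMPLE_LOG = "\n".join(NORMAL_LINES + FLOOD_LINES)


def parse_line(line):
    """Return a dict with the 14 fields of Table 1, or None for a non-log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("ttlb_ms", "status", "size"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse a whole log file, skipping blank or malformed lines."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def network_of(ip, v4_prefix=24, v6_prefix=64):
    """Collapse a client address into its IP segment (/24 for IPv4, /64 for IPv6)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # e.g. an anonymised 'x.x.x.x' placeholder
        return ip
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def requests_by_segment(records):
    """Step 5, visitor IP addresses: request count per IP segment."""
    return Counter(network_of(r["client_ip"]) for r in records)


def top_paths(records, n=5):
    """Step 5, resources accessed by users: the n most requested paths."""
    return Counter(r["path"] for r in records).most_common(n)


def user_agent_profile(records):
    """Step 5, User-Agent: full UA frequency plus the UAs that do not look like a
    browser (heuristic: empty '-' or not starting with 'Mozilla/')."""
    counts = Counter(r["user_agent"] for r in records)
    odd = {ua: c for ua, c in counts.items()
           if ua == "-" or not ua.startswith("Mozilla/")}
    return counts, odd


def suspicious_segments(records, min_share=0.5, min_concentration=0.8):
    """Segments that send at least min_share of all requests and direct at least
    min_concentration of them at one path: (segment, requests, path, concentration)."""
    if not records:
        return []
    by_seg = defaultdict(Counter)
    for r in records:
        by_seg[network_of(r["client_ip"])][r["path"]] += 1
    flagged = []
    for seg, paths in by_seg.items():
        count = sum(paths.values())
        path, hits = paths.most_common(1)[0]
        concentration = hits / count
        if count / len(records) >= min_share and concentration >= min_concentration:
            flagged.append((seg, count, path, round(concentration, 2)))
    return sorted(flagged, key=lambda t: -t[1])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("parsed records:", len(recs))
    print("top paths:", top_paths(recs, 3))
    print("requests per segment:", requests_by_segment(recs).most_common())
    print("non-browser user agents:", user_agent_profile(recs)[1])
    print("segments to review for the IP ACL:", suspicious_segments(recs))
```

Replace SAMPLE_LOG with the contents of a downloaded log file to run the same checks on real data; segments returned by suspicious_segments are candidates to review before adding them to the IP ACL, and the User-Agent values in the "odd" set are candidates for a User-Agent ACL.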