View annual reports of Anti-DDoS Origin - Anti-DDoS - Alibaba Cloud Documentation Center

This topic describes how to view the attack protection report of Anti-DDoS Origin over the past year.

Report description

Limits: You can view only data that is generated after August 8, 2024 in statistical reports.
Supported instances: The report includes data of the Anti-DDoS Origin 1.0 (Subscription) instances in the Chinese mainland.
Sampling note: The attack analysis data includes sample data, which may cause statistical bias.

Log on to the Traffic Security console and open the Satistical Reports page.
Select Anti-DDoS Origin, specify the instance, region, and time range, and click the icon.
Note
You can select one or more instances within a specified region. You cannot select all instances in all regions.
Click Export Report in the upper-right corner to download the report in image or PDF format.

Metric	Description
Data Metrics	Peak Traffic of Single Attack Event: The peak inbound traffic (bit/s) of a single attack event within the query time of the selected instance. The peak inbound traffic includes attack traffic and service traffic. Peak pps of Single Attack Event: The peak inbound traffic (packets per second) of a single attack event within the query time of the selected instance. The peak inbound traffic includes attack traffic and service traffic. Blackhole Filtering Events: The total count of blackhole filtering events within the query time of the selected instance. Blackhole Filtering Duration: The total duration of all blackhole filtering events within the query time of the selected instance. Anti-DDoS Origin Protection Duration: The life span of the selected instance. When there are multiple instances, the longest life span is displayed.
Traffic Scrubbing Events	This metric refers to the total count and type distribution of traffic scrubbing events within the query time of the selected instance. Blackhole filtering events are excluded.
Protected Assets	This metric refers to the number of protected assets that are assigned public IP addresses. This data is independent of the search time and reflects real-time information as of the previous day (T-1).

Metric

Description

Traffic Trend in bit/s

Total inbound traffic: All inbound traffic (bit/s), including both service and attack traffic.
Outbound: Outbound service traffic (bit/s).

Top 5 Source Regions of Network Layer Attacks

The top 5 source regions are ranked based on the number of requests from all attacker IP addresses.

Statistical logic:

Calculate the ratio of requests from attacker IP addresses to the total number of requests in a single attack event within a single province or country.
Rank the ratios and select the top 5.
- For each province or country, retain only the largest ratio.
- Retain data from 5 different provinces or countries.

Metric	Description
Attack Type Distribution	Calculate the attack type distribution based on the number of attack types, excluding blackhole filtering events.
Top 10 Attack Source ISPs	Calculate the distribution of global attack source Internet service providers (ISPs) based on the number of requests from attack sources in attack events, which include traffic scrubbing events and blackhole filtering events.
Volumetric Attacks by Peak Attack Throughput	Calculate the number of events across different peak attack throughput ranges. Blackhole filtering events are excluded. The ranges are 0-30G, 30-100G, 100-300G, 300-600G, and above 600G.
Attack Duration Distribution	Calculate the number of events across different attack duration ranges. Blackhole filtering events are excluded. The ranges are 0-30 minutes, 30-60 minutes, 1-3 hours, 3-12 hours, and above 12 hours.

Metric

Description

Top 20 Source IP Addresses by Peak Attack Throughput

This metric displays the source IP addresses that generate the top 20 peak attack throughput. The following statistical logic is used:

Rank the numbers of discarded requests from attacker IP addresses in a single attack event by using sample traffic.
Rank the numbers of requests discarded across multiple attack events.
Select the top 20 source IP addresses based on the largest request numbers.
For each source IP address, retain only the single largest request number.
Limit the results to a maximum of 20 distinct source IP addresses.

Top 10 Destination IP Addresses by Peak Attack Throughput

This metric identifies the destination IP addresses that receive the top 10 peak attack throughput. The following statistical logic is used:

Rank the peak inbound traffic (bit/s) of the destination IP addresses in a single attack event by using sample traffic.
Rank the peak inbound traffic (bit/s) across multiple attack events.
Select the top 10 destination IP addresses based on the highest peak inbound traffic.
For each destination IP address, retain only the single highest peak inbound traffic.
Limit the results to a maximum of 10 distinct destination IP addresses.

The following statistical logic is used fo decide the Top 10 Destination Ports by Attack:

Rank the numbers of requests discarded based on their destination ports (IP addresses and ports) by using sample traffic of a single attack event.
Rank the numbers of requests discarded across multiple attack events.
Select the top 10 destination ports with the largest numbers of discarded requests.
For each destination port, retain only the maximum number of discarded requests.
Limit the results to a maximum of 10 distinct destination ports.

All attack events within the query time of the selected instance are listed. You can go to the Attack Analysis page to view event details.

For more information about the metrics of Anti-DDoS Proxy, see Statistical report (Anti-DDoS Proxy).