
Anti-DDoS: Security Overview

Last Updated: Nov 20, 2024

This topic describes how to view the service data and DDoS attack details of an instance and a domain name in the Anti-DDoS Proxy console after you add the domain name to Anti-DDoS Proxy. This helps you learn protection information about your assets and adjust your DDoS mitigation policies in a timely manner.

Overview

Anti-DDoS Proxy allows you to view data within the last 30 days. You can click Traffic Relationships and Description in the upper-right corner of the Security Overview page to learn traffic-related concepts of Anti-DDoS Proxy.

Prerequisites

Instance

Anti-DDoS Proxy displays information about services and DDoS attack details by instance.

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.

  3. In the left-side navigation pane, click Security Overview. On the Instance tab of the Security Overview page, view the following information.

    [Figure: Security Overview, Instance tab]

    Section

    Description

    Bandwidth (marked 1 in the preceding figure)

    • Anti-DDoS Proxy (Chinese Mainland) provides the Bandwidth trend chart to show traffic information by bps or pps. You can view the trends of inbound, outbound, attack, and rate limit traffic of an instance within a specific time range.

    • Anti-DDoS Proxy (Outside Chinese Mainland) provides the Overview tab to show bandwidth trends, the Inbound Traffic Distribution tab to show the distribution of inbound traffic, and the Outbound Traffic Distribution tab to show the distribution of outbound traffic.

    Connections (marked 2 in the preceding figure)

    • Concurrent Connections: the total number of concurrent TCP connections that are established between clients and the instance.

      • Active: the number of TCP connections in the Established state.

      • Inactive: the number of TCP connections in all states except for the Established state.

    • New Connections: the number of new TCP connections that are established between clients and the instance per second.

    Network Layer Attack Events, Alert on Exceeded Upper Limits, and Destination Rate Limit Events (marked 3 in the preceding figure)

    • Network Layer Attack Events

      You can move the pointer over an IP address or a port to view the details of an attack, such as Attack Target, Attack Type, Peak Attack Traffic, and Protection Effect.

    • Alerts on Exceeded Upper Limits

      The following event types of alerts are supported: clean bandwidth, new connections, and concurrent connections. If the purchased specification that corresponds to an event type is exceeded, an alert of this event type is generated. In this case, your business is not affected, and a specification upgrade is recommended. For more information, see Upgrade an instance.

      You can click Details in the Status column of an alert to go to the System Logs page to view the details of the alert.

      Note

      The alerts on exceeded upper limits are updated at 10:00 (UTC+8) every Monday. After the update, the alerts that were generated on the previous day are displayed. If you configure a notification method, such as internal messages, text messages, or emails, you receive a notification at 10:00 (UTC+8) every Monday. The notification includes the alerts that were generated on the previous day.

    • Destination Rate Limit Events

      If the number of new connections, the number of concurrent connections, or the service bandwidth exceeds the specifications of your instance, rate limiting is triggered, and a destination rate limit event is generated. In this case, your business is affected.

      You can click Details in the Status column of an event to go to the System Logs page to view the details of the event.

    Service Distribution by Location and Service Distribution by ISP (marked 4 in the preceding figure)

    • Service Distribution by Location: the distribution of source locations from which service traffic is sent.

    • Service Distribution by ISP: the distribution of Internet service providers (ISPs) from which service traffic is sent.

Domain name

Anti-DDoS Proxy displays information about services and details of DDoS attack events by domain name.

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.

  3. In the left-side navigation pane, click Security Overview. On the Websites tab of the Security Overview page, view the following information.

    • Total QPS by Instance

      In the All Domain Names drop-down list, click the Total QPS by Instance tab, select the required exclusive IP addresses, and then click OK.

      [Figure: Security Overview, total QPS of all instances]

      Section

      Description

      Request Rate (QPS) (marked 1 in the preceding figure)

      The trend of queries per second (QPS) is displayed for different instances. The displayed time granularity varies based on the specified time range.

      Status Codes and Requests (marked 2 in the preceding figure)

      The status codes are displayed for different instances. The number of status codes is accumulated within the displayed time granularity. The following list describes status codes:

      • 2XX: The request is successfully received, understood, and accepted by the server.

        Note

        Statistics on 2XX status codes include the statistics on the 200 status code.

      • 3XX: The client must perform further operations to complete the request. In most cases, a 3XX status code indicates redirection.

      • 4XX: The client may be faulty, which interrupts server processing.

      • 5XX: An error or an exception occurred while the server was processing the request.

    • QPS by Domain

      In the All Domain Names drop-down list, click the QPS by Domain tab, select the required domain names, and then click OK.

      [Figure: Security Overview, QPS by domain name]

      Section

      Description

      Request Rate (QPS) (marked 1 in the preceding figure)

      The QPS trend is displayed for different domain names. The displayed time granularity varies based on the specified time range.

      Bandwidth (marked 2 in the preceding figure)

      This section displays the trend charts of the outbound and inbound peak bandwidth of the domain name.

      Note

      Only the payload field is counted, which may result in discrepancies with the instance-level BPS trend chart.

      Status Codes and Requests (marked 3 in the preceding figure)

      The status codes are classified into Anti-DDoS Proxy status codes and status codes of origin servers. The trend chart shows the accumulated numbers of requests with specific status codes within a specific time range. The following list describes status codes:

      • 2XX: The request is successfully received, understood, and accepted by the server.

        Note

        Statistics on 2XX status codes include the statistics on status code 200.

      • 200: The request succeeded.

      • 3XX: The client must perform further operations to complete the request. In most cases, a 3XX status code indicates redirection.

      • 4XX: The client may be faulty, which interrupts server processing.

      • 404: The server cannot be accessed.

      • 5XX: An error or an exception occurred while the server was processing the request.

      • 502: Anti-DDoS Proxy attempts to process the request as a proxy server, but receives invalid responses from the upstream server.

      • 503: The server may be overloaded or in temporary maintenance and cannot process the request.

      • 504: Anti-DDoS Proxy attempts to process the request as a proxy server, but does not receive responses from the upstream server in a timely manner.

      URI Requests and URI Response Time (marked 4 in the preceding figure)

      This section displays the top 5 URIs that are most frequently requested and the top 5 URIs based on the response time. You can click More to view more data. This section contains the URI Requests, URI Response Time, User-Agent, Referer, HTTP-Method, Client Fingerprint, HTTP/2 Fingerprint, JA3 Fingerprint, and JA4 Fingerprint tabs. For more information, see Configure the HTTP flood mitigation feature.

      Note

      For URI Response Time, the five URIs with the maximum response times are displayed.

      Application Layer Scrubbing Events (marked 5 in the preceding figure)

      This section displays the scrubbing events that occur at the application layer. You can move the pointer over a domain name to view the attack details, such as the information about the domain name, peak attack traffic, and attack type.

      Source Location (marked 6 in the preceding figure)

      This section displays the distribution of source locations from which requests are sent.

      Cache Hit Ratio (marked 7 in the preceding figure)

      You can view the trend chart of cache hit rates only after you enable the static page caching feature. For more information, see Anti-DDoS Lab.

Configure an alert threshold

By default, Anti-DDoS Proxy generates attack events only when the inbound traffic exceeds 1 Gbit/s and the scrubbed traffic reaches 100 Mbit/s. This way, fewer attack events are generated. If the actual inbound traffic is less than the preceding threshold, no attack events are generated. You can also configure a custom alert threshold based on your business requirements. A custom alert threshold resolves the case in which scrubbed traffic is displayed in the console but no attack events are generated.

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.

  3. In the left-side navigation pane, click Security Overview. In the upper-right corner of the Security Overview page, click Set Alert Threshold. In the Set Alert Threshold panel, configure a custom alert threshold.

    You can configure Inbound Traffic based on your business requirements, as shown in the preceding figure.

    • The Inbound Threshold parameter indicates the total inbound traffic of a single IP address in Anti-DDoS Proxy.

    • Inbound traffic includes attack traffic and service traffic.

    • If the actual inbound traffic is greater than or equal to the specified threshold and the scrubbed traffic exceeds 100 Mbit/s, an event is generated.

    • You can configure a custom alert threshold only if Anti-DDoS Proxy instances use IPv4 addresses.
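
The following added example (not code from Anti-DDoS Proxy or its documentation) models the event rule stated above to show which traffic samples stay silent under the default threshold and how far a custom Inbound Threshold can close that gap. The function names, the per-minute sampling, and the sample values are assumptions made for illustration; the rule is applied as worded for custom thresholds (inbound greater than or equal to the threshold, scrubbed above 100 Mbit/s).

```python
from typing import NamedTuple, Optional

SCRUBBED_FLOOR_MBPS = 100     # fixed scrubbed-traffic condition stated on the page
DEFAULT_INBOUND_MBPS = 1000   # default inbound condition (1 Gbit/s)

class Sample(NamedTuple):
    minute: str           # constructed timestamp label
    inbound_mbps: float   # attack + service traffic of a single IP address
    scrubbed_mbps: float

def generates_event(s: Sample, threshold: float = DEFAULT_INBOUND_MBPS) -> bool:
    """Inbound >= threshold and scrubbed > 100 Mbit/s (assumed model of the rule)."""
    return s.inbound_mbps >= threshold and s.scrubbed_mbps > SCRUBBED_FLOOR_MBPS

def silent_scrubbing(samples, threshold: float = DEFAULT_INBOUND_MBPS):
    """Samples where scrubbing shows in the charts but no event is generated."""
    return [s for s in samples
            if s.scrubbed_mbps > 0 and not generates_event(s, threshold)]

def highest_covering_threshold(samples) -> Optional[float]:
    """Largest inbound threshold that still yields an event for every sample
    whose scrubbed traffic exceeds 100 Mbit/s; None if there is no such sample."""
    eligible = [s.inbound_mbps for s in samples
                if s.scrubbed_mbps > SCRUBBED_FLOOR_MBPS]
    return min(eligible) if eligible else None

# Constructed per-minute samples for one IPv4 address (not real telemetry).
SAMPLES = [
    Sample("10:00", 220, 0),      # normal service traffic
    Sample("10:01", 640, 310),    # sub-1 Gbit/s attack: scrubbed, silent by default
    Sample("10:02", 480, 60),     # scrubbed traffic below the 100 Mbit/s condition
    Sample("10:03", 1800, 1400),  # large attack: event under the default
    Sample("10:04", 450, 180),    # smaller attack, also silent by default
]

if __name__ == "__main__":
    custom = highest_covering_threshold(SAMPLES)
    for label, thr in (("default", DEFAULT_INBOUND_MBPS), ("custom", custom)):
        events = [s.minute for s in SAMPLES if generates_event(s, thr)]
        silent = [s.minute for s in silent_scrubbing(SAMPLES, thr)]
        print(f"{label:8} threshold={thr} events={events} silent={silent}")
```

The 10:02 sample stays silent under any inbound threshold, because the 100 Mbit/s scrubbed-traffic condition is not configurable on this page.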