Anomaly/Attack Details

Function

The anomaly/attack details record basic information about all anomalies and attacks, and you can locate anomaly or attack events.

Parameter

**Table 1** Query parameters of Anomaly/Attack details
Parameter	Description
Direction	Select Inbound or Outbound the drop-down list.
Device	Select a device from the drop-down list.
Zone	Click , select a Zone on the Zone page that is displayed, and then click OK.
IP Address	Enter the destination IP address. Both IPv4 and IPv6 addresses are applicable. The anomaly/attack details of traffic destined for the IP address are queried.
Time	Click to select the start time and end time of statistics. Or you can change the time values in corresponding text boxes. The end time should be later than the start time and the interval cannot be longer than one year.
Type	Select a log type. The type can be Total, Abnormal, or Attack.
Min. Peak Incoming Traffic	Set the minimum peak incoming traffic.
Min. Peak Attack Traffic	This parameter can be set when only the cleaning device is selected.
Unit	Select a traffic measurement unit. The unit can be pps or kbps. The default unit is pps.

If the traffic of a Zone is different from the normal traffic model, that is, the traffic exceeds the threshold configured in the defense policy, the event is an anomaly event. After a traffic anomaly is detected on the cleaning device, the device has defense enabled and starts to discard packets. That is, an attack event occurs.

Example

Attack type distribution report: Displays all types of attacks on a specified device within a period of time. For multiple attacks of the same type, only the most serious attack is displayed.

If the device is set to bj-Cleaning and the Zone to All, anomaly/attack details within a period of time are displayed, as shown in Figure 1.

Figure 1 Anomaly/attack details

Figure 2 Anomaly/attack log details

If the device is set to bj-Detecting and the Zone is set to All, anomaly/attack details within a period of time are displayed, as shown in Figure 3.

Figure 3 Anomaly/attack details

Figure 4 Anomaly/attack log details

Procedure

Choose Report > Report > Anomaly/Attack Analysis.
Click the Anomaly/Attack Details tab.
Set query parameters.
Click Search. Figure 1 and Figure 3 show the anomaly/attack details.
On the Anomaly/Attack Details page, click to view details on anomaly/attack logs.
- Click to view packet capture files associated with anomaly or attack events.
  
  The AntiDDoS1820-N does not support this function.
  
  You can trace attack sources, resolve packets based on the packet capture files, and download the files to obtain the details on and features of the attacker. In this way, you can work out proper defense policies. For details, see Tracing Attack Sources Through a Packet Capture File, Parsing Packets in a Packet Capture File, and Downloading a Packet Capture File.
  
  You cannot view the packet capture files associated with certain anomaly or attack events.
- Click to view details on an attack.
Optional: Open or save the query results as files, or send queried reports to the specified email address.
- Click to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
- Click to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
- Click to enter a recipient mail address and select an attachment format. Then click OK.