[ aws . shield ]

describe-attack

Description

Describes the details of a DDoS attack.

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.

Synopsis

  describe-attack
  --attack-id <value>
  [--cli-input-json | --cli-input-yaml]
  [--generate-cli-skeleton <value>]
  [--cli-auto-prompt <value>]

Options

--attack-id (string)

The unique identifier (ID) for the attack to be described.

--cli-input-json | --cli-input-yaml (string)

Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string)

Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

--cli-auto-prompt (boolean)

Automatically prompt for CLI input parameters.

Examples

To retrieve a detailed description of an attack

The following describe-attack example displays details about the DDoS attack with the specified attack ID. You can obtain attack IDs by running the list-attacks command.

aws shield describe-attack --attack-id a1b2c3d4-5678-90ab-cdef-EXAMPLE22222

Output:

{
    "Attack": {
        "AttackId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
        "ResourceArn": "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/testElb",
        "SubResources": [
            {
                "Type": "IP",
                "Id": "192.0.2.2",
                "AttackVectors": [
                    {
                        "VectorType": "SYN_FLOOD",
                        "VectorCounters": [
                            {
                                "Name": "SYN_FLOOD_BPS",
                                "Max": 982184.0,
                                "Average": 982184.0,
                                "Sum": 11786208.0,
                                "N": 12,
                                "Unit": "BPS"
                            }
                        ]
                    }
                ],
                "Counters": []
            },
            {
                "Type": "IP",
                "Id": "192.0.2.3",
                "AttackVectors": [
                    {
                        "VectorType": "SYN_FLOOD",
                        "VectorCounters": [
                            {
                                "Name": "SYN_FLOOD_BPS",
                                "Max": 982184.0,
                                "Average": 982184.0,
                                "Sum": 9821840.0,
                                "N": 10,
                                "Unit": "BPS"
                            }
                        ]
                    }
                ],
                "Counters": []
            },
            {
                "Type": "IP",
                "Id": "192.0.2.4",
                "AttackVectors": [
                    {
                        "VectorType": "SYN_FLOOD",
                        "VectorCounters": [
                            {
                                "Name": "SYN_FLOOD_BPS",
                                "Max": 982184.0,
                                "Average": 982184.0,
                                "Sum": 7857472.0,
                                "N": 8,
                                "Unit": "BPS"
                            }
                        ]
                    }
                ],
                "Counters": []
            },
            {
                "Type": "IP",
                "Id": "192.0.2.5",
                "AttackVectors": [
                    {
                        "VectorType": "SYN_FLOOD",
                        "VectorCounters": [
                            {
                                "Name": "SYN_FLOOD_BPS",
                                "Max": 982184.0,
                                "Average": 982184.0,
                                "Sum": 1964368.0,
                                "N": 2,
                                "Unit": "BPS"
                            }
                        ]
                    }
                ],
                "Counters": []
            },
            {
                "Type": "IP",
                "Id": "2001:DB8::bcde:4321:8765:0:0",
                "AttackVectors": [
                    {
                        "VectorType": "SYN_FLOOD",
                        "VectorCounters": [
                            {
                                "Name": "SYN_FLOOD_BPS",
                                "Max": 982184.0,
                                "Average": 982184.0,
                                "Sum": 1964368.0,
                                "N": 2,
                                "Unit": "BPS"
                            }
                        ]
                    }
                ],
                "Counters": []
            },
            {
                "Type": "IP",
                "Id": "192.0.2.6",
                "AttackVectors": [
                    {
                        "VectorType": "SYN_FLOOD",
                        "VectorCounters": [
                            {
                                "Name": "SYN_FLOOD_BPS",
                                "Max": 982184.0,
                                "Average": 982184.0,
                                "Sum": 1964368.0,
                                "N": 2,
                                "Unit": "BPS"
                            }
                        ]
                    }
                ],
                "Counters": []
            }
        ],
        "StartTime": 1576024927.457,
        "EndTime": 1576025647.457,
        "AttackCounters": [],
        "AttackProperties": [
            {
                "AttackLayer": "NETWORK",
                "AttackPropertyIdentifier": "SOURCE_IP_ADDRESS",
                "TopContributors": [
                    {
                        "Name": "198.51.100.5",
                        "Value": 2024475682
                    },
                    {
                        "Name": "198.51.100.8",
                        "Value": 1311380863
                    },
                    {
                        "Name": "203.0.113.4",
                        "Value": 900599855
                    },
                    {
                        "Name": "198.51.100.4",
                        "Value": 769417366
                    },
                    {
                        "Name": "203.1.113.13",
                        "Value": 757992847
                    }
                ],
                "Unit": "BYTES",
                "Total": 92773354841
            },
            {
                "AttackLayer": "NETWORK",
                "AttackPropertyIdentifier": "SOURCE_COUNTRY",
                "TopContributors": [
                    {
                        "Name": "United States",
                        "Value": 80938161764
                    },
                    {
                        "Name": "Brazil",
                        "Value": 9929864330
                    },
                    {
                        "Name": "Netherlands",
                        "Value": 1635009446
                    },
                    {
                        "Name": "Mexico",
                        "Value": 144832971
                    },
                    {
                        "Name": "Japan",
                        "Value": 45369000
                    }
                ],
                "Unit": "BYTES",
                "Total": 92773354841
            },
            {
                "AttackLayer": "NETWORK",
                "AttackPropertyIdentifier": "SOURCE_ASN",
                "TopContributors": [
                    {
                        "Name": "12345",
                        "Value": 74953625841
                    },
                    {
                        "Name": "12346",
                        "Value": 4440087595
                    },
                    {
                        "Name": "12347",
                        "Value": 1635009446
                    },
                    {
                        "Name": "12348",
                        "Value": 1221230000
                    },
                    {
                        "Name": "12349",
                        "Value": 1199425294
                    }
                ],
                "Unit": "BYTES",
                "Total": 92755479921
            }
        ],
        "Mitigations": []
    }
}

For more information, see Reviewing DDoS Incidents in the AWS Shield Advanced Developer Guide.
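
An added example, not part of the AWS documentation: Python that reduces a describe-attack response to the fields usually checked first during incident review (duration, peak rate per target and vector, and how much of the traffic the listed top contributors actually cover). The function name summarize and its output keys are this example's own; the sample is a trimmed copy of the output above, and timestamps are assumed to be numeric Unix seconds as shown on this page.

```python
import json
from datetime import datetime, timezone

# Trimmed copy of the sample output above: one SubResource, two AttackProperties.
SAMPLE = json.loads("""
{"Attack": {"AttackId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
 "StartTime": 1576024927.457, "EndTime": 1576025647.457, "Mitigations": [],
 "SubResources": [{"Type": "IP", "Id": "192.0.2.2", "Counters": [], "AttackVectors": [
   {"VectorType": "SYN_FLOOD", "VectorCounters": [{"Name": "SYN_FLOOD_BPS",
     "Max": 982184.0, "Average": 982184.0, "Sum": 11786208.0, "N": 12, "Unit": "BPS"}]}]}],
 "AttackProperties": [
  {"AttackLayer": "NETWORK", "AttackPropertyIdentifier": "SOURCE_IP_ADDRESS",
   "Unit": "BYTES", "Total": 92773354841, "TopContributors": [
    {"Name": "198.51.100.5", "Value": 2024475682}, {"Name": "198.51.100.8", "Value": 1311380863},
    {"Name": "203.0.113.4", "Value": 900599855}, {"Name": "198.51.100.4", "Value": 769417366},
    {"Name": "203.1.113.13", "Value": 757992847}]},
  {"AttackLayer": "NETWORK", "AttackPropertyIdentifier": "SOURCE_ASN",
   "Unit": "BYTES", "Total": 92755479921, "TopContributors": [
    {"Name": "12345", "Value": 74953625841}, {"Name": "12346", "Value": 4440087595},
    {"Name": "12347", "Value": 1635009446}, {"Name": "12348", "Value": 1221230000},
    {"Name": "12349", "Value": 1199425294}]}]}}
""")

def summarize(doc):
    """Reduce a describe-attack response to the fields used in triage."""
    a = doc["Attack"]
    end = a.get("EndTime")  # assumption: may be missing while an attack is ongoing
    peaks = {}
    for sub in a.get("SubResources", []):
        for vec in sub.get("AttackVectors", []):
            for c in vec.get("VectorCounters", []):
                key = (sub["Id"], vec["VectorType"], c["Unit"])
                peaks[key] = max(peaks.get(key, 0.0), c["Max"])
    coverage = {}
    for p in a.get("AttackProperties", []):
        listed = sum(t["Value"] for t in p.get("TopContributors", []))
        if p.get("Total"):  # Total counts all contributors, not only those listed
            coverage[p["AttackPropertyIdentifier"]] = round(100 * listed / p["Total"], 1)
    return {
        "attack_id": a["AttackId"],
        "start_utc": datetime.fromtimestamp(a["StartTime"], timezone.utc).isoformat(),
        "duration_s": round(end - a["StartTime"], 3) if end is not None else None,
        "peaks": peaks,
        "top_contributor_share_pct": coverage,
        "mitigated": bool(a.get("Mitigations")),
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), default=str, indent=2))
```

On this sample the five listed source IPs cover about 6% of the bytes while the five listed ASNs cover about 90%, which shows why the share against Total matters more than the raw TopContributors values when choosing where to filter.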

Output

Attack -> (structure)

The attack that is described.

AttackId -> (string)

The unique identifier (ID) of the attack.

ResourceArn -> (string)

The ARN (Amazon Resource Name) of the resource that was attacked.

SubResources -> (list)

If applicable, additional detail about the resource being attacked, for example, IP address or URL.

(structure)

The attack information for the specified SubResource.

Type -> (string)

The SubResource type.

Id -> (string)

The unique identifier (ID) of the SubResource.

AttackVectors -> (list)

The list of attack types and associated counters.

(structure)

A summary of information about the attack.

VectorType -> (string)

The attack type, for example, SNMP reflection or SYN flood.

VectorCounters -> (list)

The list of counters that describe the details of the attack.

(structure)

The counter that describes a DDoS attack.

Name -> (string)

The counter name.

Max -> (double)

The maximum value of the counter for a specified time period.

Average -> (double)

The average value of the counter for a specified time period.

Sum -> (double)

The total of counter values for a specified time period.

N -> (integer)

The number of counters for a specified time period.

Unit -> (string)

The unit of the counters.

Counters -> (list)

The counters that describe the details of the attack.

(structure)

The counter that describes a DDoS attack.

Name -> (string)

The counter name.

Max -> (double)

The maximum value of the counter for a specified time period.

Average -> (double)

The average value of the counter for a specified time period.

Sum -> (double)

The total of counter values for a specified time period.

N -> (integer)

The number of counters for a specified time period.

Unit -> (string)

The unit of the counters.

StartTime -> (timestamp)

The time the attack started, in Unix time in seconds. For more information, see timestamp.

EndTime -> (timestamp)

The time the attack ended, in Unix time in seconds. For more information, see timestamp.

AttackCounters -> (list)

List of counters that describe the attack for the specified time period.

(structure)

The counter that describes a DDoS attack.

Name -> (string)

The counter name.

Max -> (double)

The maximum value of the counter for a specified time period.

Average -> (double)

The average value of the counter for a specified time period.

Sum -> (double)

The total of counter values for a specified time period.

N -> (integer)

The number of counters for a specified time period.

Unit -> (string)

The unit of the counters.

AttackProperties -> (list)

The array of AttackProperty objects.

(structure)

Details of the described attack.

AttackLayer -> (string)

The type of distributed denial of service (DDoS) event that was observed. NETWORK indicates layer 3 and layer 4 events and APPLICATION indicates layer 7 events.

AttackPropertyIdentifier -> (string)

Defines the DDoS attack property information that is provided. The WORDPRESS_PINGBACK_REFLECTOR and WORDPRESS_PINGBACK_SOURCE values are valid only for WordPress reflective pingback DDoS attacks.

TopContributors -> (list)

The array of Contributor objects that includes the top five contributors to an attack.

(structure)

A contributor to the attack and their contribution.

Name -> (string)

The name of the contributor. This is dependent on the AttackPropertyIdentifier. For example, if the AttackPropertyIdentifier is SOURCE_COUNTRY, the Name could be United States.

Value -> (long)

The contribution of this contributor expressed in Protection units. For example, 10,000.

Unit -> (string)

The unit of the Value of the contributions.

Total -> (long)

The total contributions made to this attack by all contributors, not just the five listed in the TopContributors list.

Mitigations -> (list)

List of mitigation actions taken for the attack.

(structure)

The mitigation applied to a DDoS attack.

MitigationName -> (string)

The name of the mitigation taken for this attack.