Describes the details of a DDoS attack.
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
describe-attack
--attack-id <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
--attack-id
(string)
The unique identifier (ID) for the attack to be described.
--cli-input-json | --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.
To retrieve a detailed description of an attack
The following describe-attack example displays details about the DDoS attack with the specified attack ID. You can obtain attack IDs by running the list-attacks command.
aws shield describe-attack --attack-id a1b2c3d4-5678-90ab-cdef-EXAMPLE22222
Output:
{
    "Attack": {
        "AttackId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
        "ResourceArn": "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/testElb",
        "SubResources": [
            {
                "Type": "IP",
                "Id": "192.0.2.2",
                "AttackVectors": [
                    {
                        "VectorType": "SYN_FLOOD",
                        "VectorCounters": [
                            {
                                "Name": "SYN_FLOOD_BPS",
                                "Max": 982184.0,
                                "Average": 982184.0,
                                "Sum": 11786208.0,
                                "N": 12,
                                "Unit": "BPS"
                            }
                        ]
                    }
                ],
                "Counters": []
            },
            {
                "Type": "IP",
                "Id": "192.0.2.3",
                "AttackVectors": [
                    {
                        "VectorType": "SYN_FLOOD",
                        "VectorCounters": [
                            {
                                "Name": "SYN_FLOOD_BPS",
                                "Max": 982184.0,
                                "Average": 982184.0,
                                "Sum": 9821840.0,
                                "N": 10,
                                "Unit": "BPS"
                            }
                        ]
                    }
                ],
                "Counters": []
            },
            {
                "Type": "IP",
                "Id": "192.0.2.4",
                "AttackVectors": [
                    {
                        "VectorType": "SYN_FLOOD",
                        "VectorCounters": [
                            {
                                "Name": "SYN_FLOOD_BPS",
                                "Max": 982184.0,
                                "Average": 982184.0,
                                "Sum": 7857472.0,
                                "N": 8,
                                "Unit": "BPS"
                            }
                        ]
                    }
                ],
                "Counters": []
            },
            {
                "Type": "IP",
                "Id": "192.0.2.5",
                "AttackVectors": [
                    {
                        "VectorType": "SYN_FLOOD",
                        "VectorCounters": [
                            {
                                "Name": "SYN_FLOOD_BPS",
                                "Max": 982184.0,
                                "Average": 982184.0,
                                "Sum": 1964368.0,
                                "N": 2,
                                "Unit": "BPS"
                            }
                        ]
                    }
                ],
                "Counters": []
            },
            {
                "Type": "IP",
                "Id": "2001:DB8::bcde:4321:8765:0:0",
                "AttackVectors": [
                    {
                        "VectorType": "SYN_FLOOD",
                        "VectorCounters": [
                            {
                                "Name": "SYN_FLOOD_BPS",
                                "Max": 982184.0,
                                "Average": 982184.0,
                                "Sum": 1964368.0,
                                "N": 2,
                                "Unit": "BPS"
                            }
                        ]
                    }
                ],
                "Counters": []
            },
            {
                "Type": "IP",
                "Id": "192.0.2.6",
                "AttackVectors": [
                    {
                        "VectorType": "SYN_FLOOD",
                        "VectorCounters": [
                            {
                                "Name": "SYN_FLOOD_BPS",
                                "Max": 982184.0,
                                "Average": 982184.0,
                                "Sum": 1964368.0,
                                "N": 2,
                                "Unit": "BPS"
                            }
                        ]
                    }
                ],
                "Counters": []
            }
        ],
        "StartTime": 1576024927.457,
        "EndTime": 1576025647.457,
        "AttackCounters": [],
        "AttackProperties": [
            {
                "AttackLayer": "NETWORK",
                "AttackPropertyIdentifier": "SOURCE_IP_ADDRESS",
                "TopContributors": [
                    {
                        "Name": "198.51.100.5",
                        "Value": 2024475682
                    },
                    {
                        "Name": "198.51.100.8",
                        "Value": 1311380863
                    },
                    {
                        "Name": "203.0.113.4",
                        "Value": 900599855
                    },
                    {
                        "Name": "198.51.100.4",
                        "Value": 769417366
                    },
                    {
                        "Name": "203.1.113.13",
                        "Value": 757992847
                    }
                ],
                "Unit": "BYTES",
                "Total": 92773354841
            },
            {
                "AttackLayer": "NETWORK",
                "AttackPropertyIdentifier": "SOURCE_COUNTRY",
                "TopContributors": [
                    {
                        "Name": "United States",
                        "Value": 80938161764
                    },
                    {
                        "Name": "Brazil",
                        "Value": 9929864330
                    },
                    {
                        "Name": "Netherlands",
                        "Value": 1635009446
                    },
                    {
                        "Name": "Mexico",
                        "Value": 144832971
                    },
                    {
                        "Name": "Japan",
                        "Value": 45369000
                    }
                ],
                "Unit": "BYTES",
                "Total": 92773354841
            },
            {
                "AttackLayer": "NETWORK",
                "AttackPropertyIdentifier": "SOURCE_ASN",
                "TopContributors": [
                    {
                        "Name": "12345",
                        "Value": 74953625841
                    },
                    {
                        "Name": "12346",
                        "Value": 4440087595
                    },
                    {
                        "Name": "12347",
                        "Value": 1635009446
                    },
                    {
                        "Name": "12348",
                        "Value": 1221230000
                    },
                    {
                        "Name": "12349",
                        "Value": 1199425294
                    }
                ],
                "Unit": "BYTES",
                "Total": 92755479921
            }
        ],
        "Mitigations": []
    }
}
For more information, see Reviewing DDoS Incidents in the AWS Shield Advanced Developer Guide.
Attack -> (structure)
The attack that is described.
AttackId -> (string)
The unique identifier (ID) of the attack.
ResourceArn -> (string)
The ARN (Amazon Resource Name) of the resource that was attacked.
SubResources -> (list)
If applicable, additional detail about the resource being attacked, for example, IP address or URL.
(structure)
The attack information for the specified SubResource.
Type -> (string)
The SubResource type.
Id -> (string)
The unique identifier (ID) of the SubResource.
AttackVectors -> (list)
The list of attack types and associated counters.
(structure)
A summary of information about the attack.
VectorType -> (string)
The attack type, for example, SNMP reflection or SYN flood.
VectorCounters -> (list)
The list of counters that describe the details of the attack.
(structure)
The counter that describes a DDoS attack.
Name -> (string)
The counter name.
Max -> (double)
The maximum value of the counter for a specified time period.
Average -> (double)
The average value of the counter for a specified time period.
Sum -> (double)
The total of counter values for a specified time period.
N -> (integer)
The number of counters for a specified time period.
Unit -> (string)
The unit of the counters.
Counters -> (list)
The counters that describe the details of the attack.
(structure)
The counter that describes a DDoS attack.
Name -> (string)
The counter name.
Max -> (double)
The maximum value of the counter for a specified time period.
Average -> (double)
The average value of the counter for a specified time period.
Sum -> (double)
The total of counter values for a specified time period.
N -> (integer)
The number of counters for a specified time period.
Unit -> (string)
The unit of the counters.
StartTime -> (timestamp)
The time the attack started, in Unix time in seconds. For more information, see timestamp.
EndTime -> (timestamp)
The time the attack ended, in Unix time in seconds. For more information, see timestamp.
AttackCounters -> (list)
List of counters that describe the attack for the specified time period.
(structure)
The counter that describes a DDoS attack.
Name -> (string)
The counter name.
Max -> (double)
The maximum value of the counter for a specified time period.
Average -> (double)
The average value of the counter for a specified time period.
Sum -> (double)
The total of counter values for a specified time period.
N -> (integer)
The number of counters for a specified time period.
Unit -> (string)
The unit of the counters.
AttackProperties -> (list)
The array of AttackProperty objects.
(structure)
Details of the described attack.
AttackLayer -> (string)
The type of distributed denial of service (DDoS) event that was observed. NETWORK indicates layer 3 and layer 4 events and APPLICATION indicates layer 7 events.
AttackPropertyIdentifier -> (string)
Defines the DDoS attack property information that is provided. The WORDPRESS_PINGBACK_REFLECTOR and WORDPRESS_PINGBACK_SOURCE values are valid only for WordPress reflective pingback DDoS attacks.
TopContributors -> (list)
The array of contributor objects that includes the top five contributors to an attack.
(structure)
A contributor to the attack and their contribution.
Name -> (string)
The name of the contributor. This is dependent on the AttackPropertyIdentifier. For example, if the AttackPropertyIdentifier is SOURCE_COUNTRY, the Name could be United States.
Value -> (long)
The contribution of this contributor expressed in Protection units. For example 10,000.
Unit -> (string)
The unit of the Value of the contributions.
Total -> (long)
The total contributions made to this attack by all contributors, not just the five listed in the TopContributors list.
Mitigations -> (list)
List of mitigation actions taken for the attack.
(structure)
The mitigation applied to a DDoS attack.
MitigationName -> (string)
The name of the mitigation taken for this attack.
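An added example, not part of the AWS documentation: a Python function that reduces a describe-attack response to triage facts, namely attack duration, the peak rate per sub-resource and vector, and the volume that Total attributes to sources outside the TopContributors list. The names summarize and SAMPLE are hypothetical; SAMPLE is a constructed, trimmed response reusing values from the example output above, and timestamps are assumed to be epoch seconds as shown there.

```python
import json

# Constructed sample: a trimmed describe-attack response reusing values
# from the example output on this page (one sub-resource, one property).
SAMPLE = json.loads("""
{"Attack": {
  "AttackId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
  "SubResources": [{"Type": "IP", "Id": "192.0.2.2", "AttackVectors": [
    {"VectorType": "SYN_FLOOD", "VectorCounters": [
      {"Name": "SYN_FLOOD_BPS", "Max": 982184.0, "Average": 982184.0,
       "Sum": 11786208.0, "N": 12, "Unit": "BPS"}]}], "Counters": []}],
  "StartTime": 1576024927.457, "EndTime": 1576025647.457,
  "AttackProperties": [{
    "AttackLayer": "NETWORK", "AttackPropertyIdentifier": "SOURCE_COUNTRY",
    "TopContributors": [
      {"Name": "United States", "Value": 80938161764},
      {"Name": "Brazil", "Value": 9929864330},
      {"Name": "Netherlands", "Value": 1635009446},
      {"Name": "Mexico", "Value": 144832971},
      {"Name": "Japan", "Value": 45369000}],
    "Unit": "BYTES", "Total": 92773354841}],
  "Mitigations": []}}
""")

def summarize(response):
    """Reduce a describe-attack response to facts useful for triage."""
    attack = response["Attack"]
    # Assumes epoch-second timestamps, the form shown in the page's output.
    duration_s = round(attack["EndTime"] - attack["StartTime"])
    peaks = {}  # (sub-resource Id, VectorType, Unit) -> highest Max seen
    for sub in attack.get("SubResources", []):
        for vector in sub.get("AttackVectors", []):
            for counter in vector.get("VectorCounters", []):
                key = (sub["Id"], vector["VectorType"], counter["Unit"])
                peaks[key] = max(peaks.get(key, 0.0), counter["Max"])
    unlisted = {}  # AttackPropertyIdentifier -> volume outside TopContributors
    for prop in attack.get("AttackProperties", []):
        listed = sum(c["Value"] for c in prop.get("TopContributors", []))
        # Total counts every contributor, not just the five listed.
        unlisted[prop["AttackPropertyIdentifier"]] = prop["Total"] - listed
    return {"attack_id": attack["AttackId"], "duration_s": duration_s,
            "peaks": peaks, "unlisted": unlisted,
            "mitigated": bool(attack.get("Mitigations"))}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```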