describe-attack¶
Description¶
Describes the details of a DDoS attack.
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
Synopsis¶
describe-attack
--attack-id <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--cli-auto-prompt <value>]
Options¶
--attack-id (string)
The unique identifier (ID) for the attack that to be described.
--cli-input-json | --cli-input-yaml (string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.
--generate-cli-skeleton (string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.
--cli-auto-prompt (boolean)
Automatically prompt for CLI input parameters.
See ‘aws help’ for descriptions of global parameters.
Examples¶
To retrieve a detailed description of an attack
The following describe-attack example displays details about the DDoS attack with the specified attack ID. You can obtain attack IDs by running the list-attacks command.
aws shield describe-attack --attack-id a1b2c3d4-5678-90ab-cdef-EXAMPLE22222
Output:
{
"Attack": {
"AttackId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
"ResourceArn": "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/testElb",
"SubResources": [
{
"Type": "IP",
"Id": "192.0.2.2",
"AttackVectors": [
{
"VectorType": "SYN_FLOOD",
"VectorCounters": [
{
"Name": "SYN_FLOOD_BPS",
"Max": 982184.0,
"Average": 982184.0,
"Sum": 11786208.0,
"N": 12,
"Unit": "BPS"
}
]
}
],
"Counters": []
},
{
"Type": "IP",
"Id": "192.0.2.3",
"AttackVectors": [
{
"VectorType": "SYN_FLOOD",
"VectorCounters": [
{
"Name": "SYN_FLOOD_BPS",
"Max": 982184.0,
"Average": 982184.0,
"Sum": 9821840.0,
"N": 10,
"Unit": "BPS"
}
]
}
],
"Counters": []
},
{
"Type": "IP",
"Id": "192.0.2.4",
"AttackVectors": [
{
"VectorType": "SYN_FLOOD",
"VectorCounters": [
{
"Name": "SYN_FLOOD_BPS",
"Max": 982184.0,
"Average": 982184.0,
"Sum": 7857472.0,
"N": 8,
"Unit": "BPS"
}
]
}
],
"Counters": []
},
{
"Type": "IP",
"Id": "192.0.2.5",
"AttackVectors": [
{
"VectorType": "SYN_FLOOD",
"VectorCounters": [
{
"Name": "SYN_FLOOD_BPS",
"Max": 982184.0,
"Average": 982184.0,
"Sum": 1964368.0,
"N": 2,
"Unit": "BPS"
}
]
}
],
"Counters": []
},
{
"Type": "IP",
"Id": "2001:DB8::bcde:4321:8765:0:0",
"AttackVectors": [
{
"VectorType": "SYN_FLOOD",
"VectorCounters": [
{
"Name": "SYN_FLOOD_BPS",
"Max": 982184.0,
"Average": 982184.0,
"Sum": 1964368.0,
"N": 2,
"Unit": "BPS"
}
]
}
],
"Counters": []
},
{
"Type": "IP",
"Id": "192.0.2.6",
"AttackVectors": [
{
"VectorType": "SYN_FLOOD",
"VectorCounters": [
{
"Name": "SYN_FLOOD_BPS",
"Max": 982184.0,
"Average": 982184.0,
"Sum": 1964368.0,
"N": 2,
"Unit": "BPS"
}
]
}
],
"Counters": []
}
],
"StartTime": 1576024927.457,
"EndTime": 1576025647.457,
"AttackCounters": [],
"AttackProperties": [
{
"AttackLayer": "NETWORK",
"AttackPropertyIdentifier": "SOURCE_IP_ADDRESS",
"TopContributors": [
{
"Name": "198.51.100.5",
"Value": 2024475682
},
{
"Name": "198.51.100.8",
"Value": 1311380863
},
{
"Name": "203.0.113.4",
"Value": 900599855
},
{
"Name": "198.51.100.4",
"Value": 769417366
},
{
"Name": "203.1.113.13",
"Value": 757992847
}
],
"Unit": "BYTES",
"Total": 92773354841
},
{
"AttackLayer": "NETWORK",
"AttackPropertyIdentifier": "SOURCE_COUNTRY",
"TopContributors": [
{
"Name": "United States",
"Value": 80938161764
},
{
"Name": "Brazil",
"Value": 9929864330
},
{
"Name": "Netherlands",
"Value": 1635009446
},
{
"Name": "Mexico",
"Value": 144832971
},
{
"Name": "Japan",
"Value": 45369000
}
],
"Unit": "BYTES",
"Total": 92773354841
},
{
"AttackLayer": "NETWORK",
"AttackPropertyIdentifier": "SOURCE_ASN",
"TopContributors": [
{
"Name": "12345",
"Value": 74953625841
},
{
"Name": "12346",
"Value": 4440087595
},
{
"Name": "12347",
"Value": 1635009446
},
{
"Name": "12348",
"Value": 1221230000
},
{
"Name": "12349",
"Value": 1199425294
}
],
"Unit": "BYTES",
"Total": 92755479921
}
],
"Mitigations": []
}
}
For more information, see Reviewing DDoS Incidents in the AWS Shield Advanced Developer Guide.
Output¶
Attack -> (structure)
The attack that is described.
AttackId -> (string)
The unique identifier (ID) of the attack.
ResourceArn -> (string)
The ARN (Amazon Resource Name) of the resource that was attacked.
SubResources -> (list)
If applicable, additional detail about the resource being attacked, for example, IP address or URL.
(structure)
The attack information for the specified SubResource.
Type -> (string)
The
SubResourcetype.Id -> (string)
The unique identifier (ID) of the
SubResource.AttackVectors -> (list)
The list of attack types and associated counters.
(structure)
A summary of information about the attack.
VectorType -> (string)
The attack type, for example, SNMP reflection or SYN flood.
VectorCounters -> (list)
The list of counters that describe the details of the attack.
(structure)
The counter that describes a DDoS attack.
Name -> (string)
The counter name.
Max -> (double)
The maximum value of the counter for a specified time period.
Average -> (double)
The average value of the counter for a specified time period.
Sum -> (double)
The total of counter values for a specified time period.
N -> (integer)
The number of counters for a specified time period.
Unit -> (string)
The unit of the counters.
Counters -> (list)
The counters that describe the details of the attack.
(structure)
The counter that describes a DDoS attack.
Name -> (string)
The counter name.
Max -> (double)
The maximum value of the counter for a specified time period.
Average -> (double)
The average value of the counter for a specified time period.
Sum -> (double)
The total of counter values for a specified time period.
N -> (integer)
The number of counters for a specified time period.
Unit -> (string)
The unit of the counters.
StartTime -> (timestamp)
The time the attack started, in Unix time in seconds. For more information see timestamp .
EndTime -> (timestamp)
The time the attack ended, in Unix time in seconds. For more information see timestamp .
AttackCounters -> (list)
List of counters that describe the attack for the specified time period.
(structure)
The counter that describes a DDoS attack.
Name -> (string)
The counter name.
Max -> (double)
The maximum value of the counter for a specified time period.
Average -> (double)
The average value of the counter for a specified time period.
Sum -> (double)
The total of counter values for a specified time period.
N -> (integer)
The number of counters for a specified time period.
Unit -> (string)
The unit of the counters.
AttackProperties -> (list)
The array of AttackProperty objects.
(structure)
Details of the described attack.
AttackLayer -> (string)
The type of distributed denial of service (DDoS) event that was observed.
NETWORKindicates layer 3 and layer 4 events andAPPLICATIONindicates layer 7 events.AttackPropertyIdentifier -> (string)
Defines the DDoS attack property information that is provided. The
WORDPRESS_PINGBACK_REFLECTORandWORDPRESS_PINGBACK_SOURCEvalues are valid only for WordPress reflective pingback DDoS attacks.TopContributors -> (list)
The array of Contributor objects that includes the top five contributors to an attack.
(structure)
A contributor to the attack and their contribution.
Name -> (string)
The name of the contributor. This is dependent on the
AttackPropertyIdentifier. For example, if theAttackPropertyIdentifierisSOURCE_COUNTRY, theNamecould beUnited States.Value -> (long)
The contribution of this contributor expressed in Protection units. For example
10,000.Unit -> (string)
The unit of the
Valueof the contributions.Total -> (long)
The total contributions made to this attack by all contributors, not just the five listed in the
TopContributorslist.Mitigations -> (list)
List of mitigation actions taken for the attack.
(structure)
The mitigation applied to a DDoS attack.
MitigationName -> (string)
The name of the mitigation taken for this attack.