alibabacloud-ddos-security-monitor

DDoS Security Product Inspection & Monitoring

This skill performs security inspection on DDoS security products under an Alibaba Cloud account, entirely through Aliyun CLI direct OpenAPI calls without any scripts or SDKs.
Architecture:
antiddos-public (Basic Protection) + ddosbgp (Native Protection) + ddoscoo (Anti-DDoS Pro/Premium) -> CLI OpenAPI -> Inspection Report

Product & API Overview

| Product | CLI Code | Use Case |
|---|---|---|
| DDoS Basic Protection | `antiddos-public` | Default free protection for ECS/SLB. Region param: `--ddos-region-id` |
| DDoS Native Protection | `ddosbgp` | Paid upgrade, native IP-level protection. Region param: `--biz-region-id` or `--region` |
| DDoS Anti-DDoS Pro/Premium | `ddoscoo` | Dedicated Anti-DDoS IP, L4/L7 protection. Region param: `--region` |

[MUST] Strict product routing isolation: APIs of the three products MUST NEVER be mixed. NEVER substitute `ddoscoo` APIs for `ddosbgp` queries or vice versa. If mixing is detected, abort immediately.

[MUST] ddosbgp endpoint routing: The default endpoint of `ddosbgp describe-instance-list` does NOT support mainland China Regions. You MUST specify `--endpoint ddosbgp.cn-hangzhou.aliyuncs.com` for ALL `describe-instance-list` calls.

[MUST] Easily confused API warning:

| Scenario | Correct Command | Wrong Command (FORBIDDEN) |
|---|---|---|
| Native Protection attack events | `ddosbgp describe-ddos-event` (singular) | `ddoscoo describe-ddos-events` |
| Anti-DDoS Pro attack events | `ddoscoo describe-ddos-events` (plural) | `ddosbgp describe-ddos-event` |

Pre-checks

Aliyun CLI >= 3.3.3 required — see CLI Installation Guide. Credentials required — see CLI Credential Setup. Run `aliyun configure list` to verify. RAM permissions — see RAM Permission Policies.

[MUST] Permission Failure Handling: On permission errors: 1) Read `references/ram-policies.md` 2) Use the `ram-permission-diagnose` skill 3) Pause until the user confirms permissions are granted.

[MUST] AI-Mode lifecycle — Enable before any CLI invocation, disable at EVERY exit point:

```bash
aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-ddos-security-monitor"
```

Parameter Confirmation

IMPORTANT: ALL user-customizable parameters MUST be confirmed with the user before execution.

| Parameter | Required/Optional | Description | Default |
|---|---|---|---|
| Inspection product scope | Optional | Basic/Native/Anti-DDoS Pro, default all | All |
| Time range | Optional | Inspection time window | Last 24 hours |
| Comparison mode | Optional | Day-over-day / week-over-week / custom | Day-over-day |
| Basic Protection instance-type | Optional | ecs/slb/eip/ipv6/swas/waf/ga_basic | ecs |

Region Strategy

[MUST] ddosbgp Region traversal (dynamic + hardcoded fallback):
  • Hardcoded baseline (12 Regions, MUST NOT be reduced): `cn-hangzhou cn-shanghai cn-beijing cn-shenzhen cn-hongkong ap-southeast-1 ap-southeast-2 ap-southeast-3 ap-southeast-5 ap-northeast-1 us-west-1 eu-central-1`
  • Dynamic expansion: Call `aliyun ddosbgp describe-regions` (NOT ECS), union with baseline (only add, never subtract). If dynamic fetch fails, use baseline directly.
  • Count validation: Final list >= 12 Regions. ALL must be traversed, NEVER break due to empty/error.

antiddos-public: Query from `cn-hangzhou` only (centralized).

ddoscoo: MUST query both `cn-hangzhou` + `ap-southeast-1`.

Core Inspection Workflow

Phase 1: Environment, Credential & Permission Pre-check

```bash
# 1.1 Check CLI version + enable AI-Mode
aliyun version
aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-ddos-security-monitor"

# 1.2 Set global timeout and enable auto plugin install
aliyun configure set --auto-plugin-install true --connect-timeout 10 --read-timeout 30
aliyun plugin update

# 1.3 Check credential configuration
aliyun configure list

# 1.4 Validate permissions (one call per product)
aliyun antiddos-public describe-instance-ip-address \
  --ddos-region-id cn-hangzhou --instance-type ecs --current-page 1 --page-size 1
aliyun ddosbgp describe-instance-list --page-no 1 --page-size 1 --region cn-hangzhou --endpoint ddosbgp.cn-hangzhou.aliyuncs.com
aliyun ddoscoo describe-instances --page-number 1 --page-size 1 --region cn-hangzhou
aliyun ddoscoo describe-instances --page-number 1 --page-size 1 --region ap-southeast-1
```

- Normal JSON -> permission OK | `Forbidden.RAM` / `NoPermission` -> see [RAM Policies](references/ram-policies.md)

> **[MUST] Abort rule**: If any pre-check fails 3 consecutive times, run `aliyun configure ai-mode disable`, output error report, and terminate.

Phase 2: Product Inventory Check (Multi-Region Mandatory Traversal)

[MUST] Loop rules: ALL Regions must be queried. On ANY error (InvalidRegionId/Empty/Throttling), log and `continue` — break/exit is FORBIDDEN. After loop, verify EXECUTED >= 12 (ddosbgp) or = 2 (ddoscoo). Log results immediately after each call — relying on memory is FORBIDDEN.

Empty result handling: `Total: 0` → log "no instances", continue | Error code → log error, continue | Normal → extract instance IDs. After traversal, compile Region -> Instance ID list mapping for Phase 4.

```bash
# 2.1 Basic Protection assets
aliyun antiddos-public describe-instance-ip-address \
  --ddos-region-id cn-hangzhou --instance-type ecs --current-page 1 --page-size 50

# 2.2 Native Protection - [MUST execute full loop in single bash]
BASELINE="cn-hangzhou cn-shanghai cn-beijing cn-shenzhen cn-hongkong ap-southeast-1 ap-southeast-2 ap-southeast-3 ap-southeast-5 ap-northeast-1 us-west-1 eu-central-1"
# The pattern tolerates optional whitespace after the colon (pretty-printed JSON)
DYNAMIC=$(aliyun ddosbgp describe-regions 2>/dev/null | grep -o '"RegionId": *"[^"]*"' | cut -d'"' -f4 | tr '\n' ' ')
if [ -n "$DYNAMIC" ]; then
  # Union with the baseline: only add, never subtract
  ALL_REGIONS=$(echo "$BASELINE $DYNAMIC" | tr ' ' '\n' | sort -u | tr '\n' ' ')
else
  ALL_REGIONS="$BASELINE"
fi
EXECUTED=0
for region in $ALL_REGIONS; do
  # [MANDATORY] NEVER break/return/exit - on ANY error, MUST continue
  echo "=== ddosbgp query $region ==="
  # [CRITICAL] Must specify --endpoint for mainland China Regions
  RESULT=$(aliyun ddosbgp describe-instance-list --page-no 1 --page-size 50 --region "$region" --endpoint ddosbgp.cn-hangzhou.aliyuncs.com 2>&1)
  echo "$RESULT"
  # -E is required so that "|" is treated as alternation
  if echo "$RESULT" | grep -qE "InvalidRegionId|ErrorCode"; then
    echo "[WARN] $region returned error, logged and continuing"
  fi
  EXECUTED=$((EXECUTED+1))
  continue
done
echo "=== Regions executed: $EXECUTED ==="

# 2.3 Native Protection associated IPs (per discovered instance, uses --biz-region-id)
aliyun ddosbgp describe-pack-ip-list \
  --instance-id <instance-id> --page-no 1 --page-size 50 --biz-region-id <region-id>

# 2.4 Anti-DDoS Pro instances [MUST query both Regions]
aliyun ddoscoo describe-instances --page-number 1 --page-size 50 --region cn-hangzhou
aliyun ddoscoo describe-instances --page-number 1 --page-size 50 --region ap-southeast-1

# 2.5 Anti-DDoS Pro associated domains (per discovered instance)
aliyun ddoscoo describe-domains --instance-ids <instance-id> --region <region-id>
```

> **[MUST] End validation**: 1) Region count: ddosbgp >= 12, ddoscoo = 2 2) Product isolation: no mixed API prefixes 3) Instance deduplication: Global instances (CoverageType=4) appear in every Region — deduplicate by InstanceId

Phase 3: Confirm Comparison Period

Ask user for comparison period, parse into second-precision Unix timestamps. [MUST] Use bash `date` command — manual calculation FORBIDDEN:

```bash
BASE_END=$(date +%s)
BASE_START=$((BASE_END - 86400))
COMPARE_END=$((BASE_START))
COMPARE_START=$((COMPARE_END - 86400))
# Week-over-week: offset 604800s | Hour-over-hour: offset 3600s
echo "Base: $BASE_START ~ $BASE_END | Compare: $COMPARE_START ~ $COMPARE_END"
```

Phase 4: Execute Inspection & Generate Report

[MUST] Sequential Execution Guard: Execute API chains strictly in order for EACH instance. Do NOT stop at "planning" — every API MUST have an actual `aliyun` command executed with visible output. After each sub-step (4.1/4.2/4.3), print `echo "[Step 4.X Complete]"`. Proceeding to 4.4/4.5 without all calls completed is FORBIDDEN.

[MUST] Route by inventory: No instances in ALL Regions → execute probe calls (`--instance-id dummy`) on cn-hangzhou to preserve trace, report "not provisioned". Some Regions have instances → inspect those, skip empty Regions. NEVER substitute product APIs.

4.1 Basic Protection Inspection

```bash
# Has assets: real ID | No assets: probe call
aliyun antiddos-public describe-ddos-event-list \
  --ddos-region-id <region-id> --instance-type <type> --instance-id <id> \
  --current-page 1 --page-size 50
# Probe: --instance-id dummy --ddos-region-id cn-hangzhou --instance-type ecs
```

> **[MANDATORY CHECKPOINT 4.1]** Confirm describe-ddos-event-list returned JSON or explicit error. If not executed, retry now. Do NOT proceed to 4.2 until confirmed.

4.2 Native Protection Inspection (ddosbgp APIs ONLY)

[MUST] `ddosbgp` APIs only. Attack events: `describe-ddos-event` (singular). L4 traffic: `describe-traffic` (MUST call). Region params: describe-ddos-event/describe-pack-ip-list use `--biz-region-id`; describe-traffic uses `--region`. Has instances → all 3 APIs per instance | ALL empty → 3 probe calls on cn-hangzhou (all required)

```bash
aliyun ddosbgp describe-ddos-event \
  --instance-id <id> --start-time <ts> --end-time <ts> \
  --page-no 1 --page-size 50 --biz-region-id <region-id>
aliyun ddosbgp describe-pack-ip-list \
  --instance-id <id> --page-no 1 --page-size 50 --biz-region-id <region-id>
aliyun ddosbgp describe-traffic \
  --instance-id <id> --start-time <ts> --end-time <ts> --region <region-id>
# Probe: --instance-id dummy, --biz-region-id cn-hangzhou (describe-traffic: --region cn-hangzhou)
```

> **[MANDATORY CHECKPOINT 4.2]** You MUST now verify all 3 ddosbgp APIs were actually executed by checking terminal output. If describe-ddos-event OR describe-pack-ip-list OR describe-traffic has zero terminal output, STOP and execute the missing call(s) NOW. Two consecutive failures to complete all 3 → output error log and terminate. Do NOT proceed to 4.3 until all 3 confirmed.

4.3 Anti-DDoS Pro/Premium Inspection (ddoscoo APIs ONLY)

[MUST] `ddoscoo` APIs only. Has instances → all APIs per instance | Both Regions empty → probe calls on cn-hangzhou

```bash
aliyun ddoscoo describe-ddos-events \
  --instance-ids <id> --start-time <ts> --end-time <ts> \
  --page-number 1 --page-size 50 --region <region-id>
aliyun ddoscoo describe-domain-qps-list \
  --start-time <ts> --end-time <ts> --interval 300 --region <region-id>
aliyun ddoscoo describe-port-flow-list \
  --instance-ids <id> --start-time <ts> --end-time <ts> \
  --interval 300 --region <region-id>
aliyun ddoscoo describe-domain-status-code-list \
  --start-time <ts> --end-time <ts> --interval 300 \
  --query-type gf --region <region-id>
aliyun ddoscoo describe-domain-status-code-list \
  --start-time <ts> --end-time <ts> --interval 300 \
  --query-type upstrem --region <region-id>
# Probe: --instance-ids dummy, --region cn-hangzhou (same 5 APIs)
```

> **[MANDATORY CHECKPOINT 4.3]** Verify all 5 ddoscoo APIs have terminal output. Any missing → execute now. Do NOT proceed to 4.4.

4.4 Period-over-Period Analysis

Change rate = (Base - Compare) / Compare × 100%. Thresholds: ±30%~±100% → Attention | >±100% → Anomaly | Blackhole/scrubbing present → Anomaly.
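
The formula and thresholds above as an added shell example, not part of the original skill. The function name `classify_change`, the "Normal" label below 30%, the handling of a zero Compare value, and tagging non-numeric input as `[DATA MISSING]` are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the skill): apply the 4.4 formula and thresholds to one metric.
# Usage: classify_change BASE COMPARE [EVENT]
#   EVENT=1 when a blackhole or scrubbing event is present in the base window.
classify_change() {
  for v in "$1" "$2"; do
    # Empty or non-numeric input is tagged, never silently treated as 0.
    if ! printf '%s' "$v" | grep -Eq '^[0-9]+(\.[0-9]+)?$'; then
      echo "[DATA MISSING]"
      return 1
    fi
  done
  awk -v base="$1" -v cmp="$2" -v ev="${3:-0}" 'BEGIN {
    if (cmp == 0) {
      # Assumption: the page does not define the rate when Compare is 0.
      rate = "n/a"
      level = (base == 0) ? "Normal" : "Anomaly"
    } else {
      # Multiply before dividing so that integer inputs give exact boundaries.
      r = (base - cmp) * 100 / cmp
      rate = sprintf("%+.1f%%", r)
      a = (r < 0) ? -r : r
      if (a > 100)      level = "Anomaly"
      else if (a >= 30) level = "Attention"
      else              level = "Normal"     # assumed label below 30%
    }
    if (ev == 1) level = "Anomaly"           # blackhole or scrubbing present
    print rate, level
  }'
}

# Constructed sample values (base window vs. compare window).
classify_change 130 100
classify_change 250 100
classify_change 105 100 1
classify_change "" 100 || true
```
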

4.5 Report Output

Mandatory: Follow Report Template, no sections omitted. Group assets by Region.

[MUST] Data consistency validation:
  1. Aggregation: Summary numbers must exactly match detail list counts
  2. Deduplication: Same instance/IP across Regions → deduplicate before counting
  3. Empty value annotation (hard rule): Empty array `[]` → write `0 (API returned empty)` or `Query failed (ErrorCode: XXX)`. FORBIDDEN: vague phrases like "no anomaly found", "appears to be a false alarm". Key metrics with empty data MUST include `[DATA MISSING]` tag at section start
  4. Cross-validation: Summary totals = sum of Region details
  5. Call record verification: Claimed API calls and conclusions must match actual execution. Fabrication FORBIDDEN
  6. Raw Data Binding: Copy-paste exact values from terminal output into report. FORBIDDEN: inferring from memory, writing "no domains" if API returned domains. Use `grep`/`jq` to verify before finalizing

[MUST] Pre-computation verification (hard blocker): [STRICT MODE] Directly writing `echo "<number>"` with pre-filled values is FORBIDDEN and counts as fabrication. You MUST use `grep`/`jq`/`wc` to parse actual terminal output or saved log. The verification script must contain pipe commands that extract real data, NOT hardcoded echo statements.

```bash
# [STRICT] Count API calls from terminal history - must use grep, not hardcoded echo
echo "=== Call statistics ==="
# Example: grep -c "aliyun antiddos-public" /path/to/terminal.log  (adapt to your log method)
echo "antiddos-public: $(grep -c 'antiddos-public' <<< "$TERMINAL_LOG")"
echo "ddosbgp: $(grep -c 'aliyun ddosbgp' <<< "$TERMINAL_LOG")"
echo "ddoscoo: $(grep -c 'aliyun ddoscoo' <<< "$TERMINAL_LOG")"
# [STRICT] Count assets from API responses - must use jq/grep, not hardcoded
echo "=== Asset statistics (from API JSON responses) ==="
# Parse actual JSON outputs, e.g.: jq '.InstanceList | length', jq '.DomainList | length'
```

Output must contain pipe commands (`grep`, `jq`, `wc -l`). Pure `echo "number"` without pipes = fabrication = abort.

Mismatch with report draft → abort, re-traverse log, re-run. Report MUST quote the verification output snippet.
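
The Phase 2 end validation (Region count, product isolation, deduplication by InstanceId) and the pipe-based verification above, combined into one added example that is not part of the original skill. The log layout (the loop's `=== ddosbgp query <region> ===` markers, followed by the command line and its JSON response), the function names and every instance ID are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a saved terminal log with grep/cut/sort/wc only.
# Constructed log: 3 Regions, one global instance repeated in each, one call
# without --endpoint, and one forbidden "ddosbgp describe-ddos-events" call.
SAMPLE_LOG=$(cat <<'EOF'
=== ddosbgp query cn-hangzhou ===
aliyun ddosbgp describe-instance-list --page-no 1 --page-size 50 --region cn-hangzhou --endpoint ddosbgp.cn-hangzhou.aliyuncs.com
{"InstanceList":[{"InstanceId":"ddosbgp-example-global","CoverageType":4},{"InstanceId":"ddosbgp-example-hz","CoverageType":1}],"Total":2}
=== ddosbgp query cn-shanghai ===
aliyun ddosbgp describe-instance-list --page-no 1 --page-size 50 --region cn-shanghai
{"InstanceList":[{"InstanceId":"ddosbgp-example-global","CoverageType":4}],"Total":1}
=== ddosbgp query ap-southeast-1 ===
aliyun ddosbgp describe-instance-list --page-no 1 --page-size 50 --region ap-southeast-1 --endpoint ddosbgp.cn-hangzhou.aliyuncs.com
{"InstanceList":[{"InstanceId":"ddosbgp-example-global","CoverageType":4}],"Total":1}
aliyun ddosbgp describe-ddos-events --instance-id ddosbgp-example-hz
aliyun ddoscoo describe-ddos-events --instance-ids ddoscoo-example-1 --region cn-hangzhou
EOF
)

# Distinct Regions actually traversed, taken from the loop's marker lines.
regions_executed() {
  grep -oE '^=== ddosbgp query [^ ]+ ===$' | cut -d' ' -f4 | sort -u | wc -l | tr -d ' '
}

# Instances after deduplication by InstanceId (global instances repeat per Region).
unique_instances() {
  grep -oE '"InstanceId": *"[^"]*"' | cut -d'"' -f4 | sort -u | wc -l | tr -d ' '
}

# Calls that pair a product prefix with the other product's event API.
forbidden_calls() {
  grep -E 'aliyun ddosbgp describe-ddos-events|aliyun ddoscoo describe-ddos-event([^s]|$)' \
    | wc -l | tr -d ' '
}

# describe-instance-list calls that omit the mandatory endpoint.
missing_endpoint() {
  grep 'aliyun ddosbgp describe-instance-list' \
    | grep -vF -e '--endpoint ddosbgp.cn-hangzhou.aliyuncs.com' | wc -l | tr -d ' '
}

# Reads the log on stdin and prints one summary line ending in PASS or FAIL.
audit_log() {
  log=$(cat)
  regions=$(printf '%s\n' "$log" | regions_executed)
  unique=$(printf '%s\n' "$log" | unique_instances)
  forbidden=$(printf '%s\n' "$log" | forbidden_calls)
  missing=$(printf '%s\n' "$log" | missing_endpoint)
  status=PASS
  [ "$regions" -ge 12 ] || status=FAIL      # ddosbgp must cover >= 12 Regions
  [ "$forbidden" -eq 0 ] || status=FAIL     # product isolation
  [ "$missing" -eq 0 ] || status=FAIL       # endpoint routing
  echo "regions=$regions unique_instances=$unique forbidden_calls=$forbidden missing_endpoint=$missing => $status"
}

printf '%s\n' "$SAMPLE_LOG" | audit_log
```
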

Cleanup

[MUST] Mandatory exit safeguard: Regardless of exit reason (success, failure, cancellation, timeout), the final step MUST unconditionally execute AI-Mode disable + verification. Highest priority, cannot be overridden.

```bash
aliyun configure ai-mode disable

# Verify: try status command, if unsupported fall back to configure list
VERIFY=$(aliyun configure ai-mode status 2>&1)
# -E is required so that "|" is treated as alternation
if echo "$VERIFY" | grep -qE "not a valid|unknown|error"; then
  # Fallback: check via configure list output
  aliyun configure list | grep -iE "ai-mode|agent"
fi

# If still uncertain, run disable again to be safe
aliyun configure ai-mode disable
```

> **[MUST]** Only write "AI-Mode confirmed disabled" if verification succeeded. If both `status` and `configure list` fail to confirm, write "AI-Mode disable executed but verification inconclusive (CLI compatibility issue)" — do NOT claim confirmed.

References

| Resource | Path |
|---|---|
| CLI Installation Guide | references/cli-installation-guide.md |
| RAM Permission Policies | references/ram-policies.md |
| API Parameter Reference | references/api-reference.md |
| CLI Command Table | references/related-commands.md |
| Inspection Report Template | references/report-template.md |
| Verification Method | references/verification-method.md |
| Acceptance Criteria | references/acceptance-criteria.md |