DDoS Pro (Anti-DDoS Pro) Intercept Query
Scenario Description
Query and analyze DDoS Pro (ddoscoo) block/intercept events using SLS full logs and ddoscoo CLI commands. When a user reports being blocked by DDoS Pro or encounters a block page, this skill discovers DDoS instances, checks full log configuration, queries SLS logs by Request ID, retrieves rule details, and outputs a structured analysis report with recommendations.
Architecture:
DDoS Pro Instance → Full Log (SLS) → Log Query → Rule Analysis → Report
Installation
Pre-check: Aliyun CLI >= 3.3.3 required
Run to verify that the installed version is >= 3.3.3. If the CLI is not installed or the version is too low, see references/cli-installation-guide.md for installation instructions.
Pre-check: Aliyun CLI plugin update required
[MUST] Run `aliyun configure set --auto-plugin-install true` to enable automatic plugin installation.
[MUST] Run to ensure that any existing plugins are always up-to-date.
Pre-check: AI-Mode Lifecycle
At the start of the Core Workflow (before any CLI invocation):
[MUST] Enable AI-Mode — AI-mode is required for Agent Skill execution.
Run the following commands before any CLI invocation:
```bash
aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query"
```
[MUST] Disable AI-Mode at EVERY exit point — Before delivering the final response for ANY reason (workflow success, failure, error, user cancellation, or session end), always disable AI-mode first. AI-mode is only used for Agent Skill invocation scenarios and MUST NOT remain enabled after the skill stops running.
```bash
aliyun configure ai-mode disable
```
Pre-check: SLS CLI plugin required
[MUST] Install the SLS CLI plugin before any log query operations:
```bash
aliyun component install sls
```
Verify the plugin is available:
If is not available, use the legacy command:
```bash
aliyun plugin install --names aliyun-cli-sls
```
Environment Variables
No additional environment variables required. Authentication is handled via the Aliyun CLI credential chain.
Authentication
Pre-check: Alibaba Cloud Credentials Required
Security Rules:
- NEVER read, echo, or print AK/SK values (e.g., `echo $ALIBABA_CLOUD_ACCESS_KEY_ID` is FORBIDDEN)
- NEVER ask the user to input AK/SK directly in the conversation or command line
- NEVER use with literal credential values
- ONLY use to check credential status
Check the output for a valid profile (AK, STS, or OAuth identity).
If no valid profile exists, STOP here.
- Obtain credentials from Alibaba Cloud Console
- Configure credentials outside of this session (via in terminal or environment variables in shell profile)
- Return and re-run after shows a valid profile
Note on 401 Unauthorized errors: A `401 The security token has expired` error means the STS temporary credential has expired; this is not a RAM permission issue. Ask the user to refresh credentials outside this session via , then retry.
RAM Policy
See references/ram-policies.md for the full list of required permissions.
[MUST] Permission Failure Handling: When any command or API call fails due to permission errors at any point during execution, follow this process:
- Read references/ram-policies.md to get the full list of permissions required by this skill
- Use skill to guide the user through requesting the necessary permissions
- Pause and wait until the user confirms that the required permissions have been granted
Parameter Confirmation
IMPORTANT: Parameter Confirmation. Before executing any command or API call, ALL user-customizable parameters (e.g., RegionId, instance names, CIDR blocks, passwords, domain names, resource specifications) MUST be confirmed with the user. Do NOT assume or use default values without explicit user approval.
| Parameter Name | Required/Optional | Description | Default Value |
|---|---|---|---|
| Request ID | Required | The traceid from DDoS Pro's block response page | None |
| Domain | Optional | The website domain configured in DDoS Pro (auto-discovered if not provided) | Auto-discover |
| DDoS Instance ID | Optional | DDoS Pro instance ID (auto-discovered if not provided) | Auto-discover |
| SLS Project | Optional | SLS Project name (auto-discovered if not provided) | Auto-discover |
| SLS Logstore | Optional | SLS Logstore name (auto-discovered if not provided) | Auto-discover |
| RegionId | Optional | DDoS Pro region: (China Mainland) or (International) | cn-hangzhou |
Core Workflow
[MUST] Required API Call Sequence — The following API calls MUST be executed in order for every invocation of this skill. Do NOT skip any step, even if you believe the result is known in advance:
- Step 2a → `ddoscoo DescribeInstances` (both regions) + if domain unknown: `DescribeWebAccessLogDispatchStatus` for domain discovery only
- Step 2b → `ddoscoo DescribeSlsOpenStatus` + `DescribeLogStoreExistStatus` +
- Step 2c → `ddoscoo DescribeWebAccessLogStatus` only (domain must be known from user or Step 2a; `DescribeWebAccessLogDispatchStatus` is NOT permitted here)
- Step 3 → (query block log by Request ID)
- Step 5 → Output analysis report
[MUST] User-Agent Header — Every CLI command in this skill MUST include `--header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query` to identify the caller.
[MUST] Sensitive Data Masking — Global rule covering all output — The following rules apply to every output of the whole workflow, including the final report, intermediate analysis, quoted log lines and any supplementary paragraph; masked data must never be restored anywhere:
- Client IP: keep only the first octet and replace the rest with . Applies to every output format (JSON fields and plain-text paragraphs alike must be masked):
  - Plain-text paragraphs: → ; "request from IP 140.205.11.30" → "request from IP 140.*.*.*"
  - JSON field references: `"real_client_ip": "140.205.11.30"` → `"real_client_ip": "140.*.*.*"`
- Cookie / Authorization / Token: replace the entire value with , including when quoting raw log fields
- Query Parameters: replace every parameter value with . Example: →
- User-Agent string: keep only the first 32 characters
Step 1: Information Collection
Confirm the Request ID (traceid) with the user. Guide them to obtain it from:
- The block page displayed in the browser (shows Request ID directly)
- The HTML body of DDoS Pro's block (intercept) response (contains traceid)
Optionally collect the domain name if the user knows which website was blocked.
Step 2: Discover DDoS Pro Instances and Verify Full Log Service
Step 2a: Discover DDoS Pro Instances and Protected Domains
```bash
# Query DDoS Pro instances (API endpoint region: cn-hangzhou for China, ap-southeast-1 for International)
aliyun ddoscoo describe-instances --page-number 1 --page-size 50 --region cn-hangzhou --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
aliyun ddoscoo describe-instances --page-number 1 --page-size 50 --region ap-southeast-1 --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
[MUST] Instance Discovery Validation — After calling , inspect the response:
- If is a non-empty array → record the instance(s) and proceed to Step 2b.
- If is empty () for one region → retry with the other region before proceeding.
- If both regions return empty → stop and inform the user: "No DDoS Pro instances were found under this account. Please verify your credentials and region."
- Do NOT proceed to Step 2b or beyond if returns no results. An empty instance list means subsequent SLS and log queries will also fail — continuing will produce an empty or incorrect report.
[MUST] Domain Discovery — Step 2c requires a known domain name to call `describe-web-access-log-status`. If the user did NOT provide the domain in their message, discover it HERE in Step 2a before proceeding:
```bash
# Discover all protected domains (domain discovery only — do NOT use the log status from this response)
aliyun ddoscoo describe-web-access-log-dispatch-status --page-number 1 --page-size 10 --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Extract the domain name(s) from the response and record them. This API is used only for domain name discovery, not for checking log status. The actual log status check happens in Step 2c using `describe-web-access-log-status`.
[MUST] International Region API Error Recovery: If any API call returns , , or similar region-level errors:
- Do NOT abandon the workflow — continue with available data
- For SLS-related operations: International DDoS Pro SLS projects are typically hosted in (not ), with project names like `ddosdip-project-<uid>-ap-southeast-1`. Always try as the SLS region.
- For rule query APIs (e.g., `describe-web-precise-access-rule`, ): If fails, retry the same API call using endpoint
- [MUST] Never skip a user-requested query step due to region API errors — always attempt recovery via the alternative region before reporting failure
Step 2b: Check SLS and Full Log Status
First check if SLS is opened and log store exists:
```bash
aliyun ddoscoo describe-sls-open-status --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
aliyun ddoscoo describe-log-store-exist-status --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Then get the SLS logstore info (project, logstore, capacity, TTL):
```bash
aliyun ddoscoo describe-sls-logstore-info --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
[IMPORTANT] Fallback for SLS Info Retrieval: If `describe-sls-logstore-info` returns an error (e.g., `400 InvalidRosettaRegionId` in ), use the following fallback methods in order:
Fallback 1 — Get SLS info from domain log status (requires knowing a domain):
```bash
aliyun ddoscoo describe-web-access-log-status --domain '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Extract and from the response.
Fallback 2 — List all SLS projects and find the ddoscoo one:
```bash
aliyun sls list-project --region cn-hangzhou --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Look for project names containing or . Note: International DDoS Pro SLS projects may also be hosted in .
Step 2c: Check Domain Full Log Status
⛔ FORBIDDEN: `describe-web-access-log-dispatch-status` is NOT used in this step. Domain discovery was completed in Step 2a. This step has exactly ONE permitted API call.
By this point the domain name MUST be known (provided by the user, or discovered in Step 2a). Call:
```bash
aliyun ddoscoo describe-web-access-log-status --domain '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
- If the response returns , full log is already enabled; go straight to Step 3.
- If it is not enabled, inform the user and, after obtaining their consent, enable it:
```bash
aliyun ddoscoo enable-web-access-log-config --domain '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Constraint: This skill only supports enabling full log (`enable-web-access-log-config`). Disabling is not permitted via this skill. Never call `disable-web-access-log-config`.
[IMPORTANT] Error Handling for Enable: If `enable-web-access-log-config` returns an error:
- — Domain is not configured in this DDoS Pro instance. Verify the domain belongs to this instance, or try the other region ( ↔ ).
- / RAM permission error — See references/ram-policies.md.
[IMPORTANT] Historical Logs: Enabling full log only records future requests. If the block event occurred before enabling, no SLS log will exist for that Request ID. Inform the user: "Full log has been enabled, but the historical block event cannot be queried via SLS. Please reproduce the block and retry with the new Request ID."
Step 3: Query SLS Logs
[MUST] Use the SLS CLI plugin ( ) for all log queries.
Use the SLS project/logstore obtained from Step 2 to query block logs:
```bash
# Query SLS logs via plugin-mode call
TO_TIME=$(python3 -c "import time; print(int(time.time()))")
FROM_TIME=$((TO_TIME - 86400))
aliyun sls get-logs \
--project <project-name> \
--logstore <logstore-name> \
--from $FROM_TIME \
--to $TO_TIME \
--query "<request-id>" \
--reverse true \
--lines 100 \
--region <sls-region> \
--header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
If no results found in the last 24 hours, progressively expand the time range:
- Last 3 days: `FROM_TIME=$((TO_TIME - 86400 * 3))`
- Last 7 days: `FROM_TIME=$((TO_TIME - 86400 * 7))`
- Last 30 days: `FROM_TIME=$((TO_TIME - 86400 * 30))`
- Maximum (based on TTL): `FROM_TIME=$((TO_TIME - 86400 * <ttl_days>))`
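The expansion schedule above, generalized into a reusable lookup loop that stops at the logstore TTL (querying further back than the retention period only costs API calls, since those logs are gone). This is an added example, not one of the skill's own scripts: `run_query` is a stand-in for whatever wraps `aliyun sls get-logs`, and the single block record it searches is constructed inline so the module runs offline.

```python
"""Progressive SLS time-range expansion for a Request ID lookup (added example)."""
import time
from typing import Callable, List, Optional, Sequence

# Expansion schedule in days, matching Step 3: 1 -> 3 -> 7 -> 30 -> TTL.
EXPANSION_DAYS: Sequence[int] = (1, 3, 7, 30)
DAY_SECONDS = 86400


def search_windows(ttl_days: int) -> List[int]:
    """Window sizes (days) to try, in order, never exceeding the logstore TTL.

    The last attempt always covers the whole retention period, so a TTL of 5
    days yields [1, 3, 5] and a TTL of 180 days yields [1, 3, 7, 30, 180].
    """
    if ttl_days < 1:
        raise ValueError("ttl_days must be >= 1")
    windows = [d for d in EXPANSION_DAYS if d < ttl_days]
    windows.append(ttl_days)
    return windows


def find_request(
    run_query: Callable[[int, int], List[dict]],
    ttl_days: int,
    now: Optional[int] = None,
) -> Optional[dict]:
    """Try each window until run_query(from_ts, to_ts) returns records.

    Returns the window that hit plus the records, or None once the TTL window
    has been searched without a match (the Request ID predates retention or
    full log was not yet enabled when the block happened).
    """
    to_time = int(time.time()) if now is None else now
    for days in search_windows(ttl_days):
        from_time = to_time - DAY_SECONDS * days
        records = run_query(from_time, to_time)
        if records:
            return {"window_days": days, "from": from_time, "to": to_time, "records": records}
    return None


def make_sample_query(now: int, event_age_seconds: int) -> Callable[[int, int], List[dict]]:
    """Constructed stand-in for the SLS query: one block record at a fixed age."""
    event_time = now - event_age_seconds
    record = {"__time__": event_time, "request_traceid": "sample-trace-id"}  # constructed

    def run_query(from_ts: int, to_ts: int) -> List[dict]:
        return [record] if from_ts <= event_time <= to_ts else []

    return run_query


if __name__ == "__main__":
    now = int(time.time())
    # A block that happened 5 days ago is found on the 7-day attempt.
    hit = find_request(make_sample_query(now, 5 * DAY_SECONDS), ttl_days=180, now=now)
    print(hit["window_days"] if hit else "not found within TTL")
```

In practice `run_query` would shell out to `aliyun sls get-logs` with the computed `--from`/`--to` values and parse its JSON output; the loop itself does not change.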
Fallback method — If the SLS plugin command above fails (e.g., plugin not installed), use the Python script:
```bash
python3 scripts/get_ddos_logs.py \
--project <project-name> \
--logstore <logstore-name> \
--request-id <request-id> \
--region <sls-region>
```
Note: DDoS Pro full log SLS region mapping:
- China Mainland instances (): SLS project is in
- International instances (): SLS project is also typically in (not ), with project names like
ddosdip-project-<uid>-ap-southeast-1
[MUST] Do NOT guess SLS project names. Always use the exact project/logstore values obtained from Step 2b (`describe-sls-logstore-info` or its fallback). If both APIs failed, use `aliyun sls list-project --region cn-hangzhou --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query` to discover projects containing or .
Step 4: Query Rule Details
After obtaining the SLS log, extract key fields to determine the block type and query the specific rule configuration.
Step 4a: Identify Block Type from Log Fields
The two most important log fields for identifying the block type are:
- — Identifies which protection module triggered the block
- — Format is , where is (user-created) or (auto-generated)
→ Block Type → Query API Mapping:
| value | Block Type | Rule Detail Query Command |
|---|---|---|
| / | CC Protection (custom frequency-control rules) | |
| / | Precise Access Control | describe-web-precise-access-rule |
| / | AI Smart Protection | describe-web-cc-protect-switch |
| / / | Global Defense Policy | |
| / | IP Blacklist | (BlackList field) |
| / / | Region Blocking | describe-web-area-block-configs |
Other useful log fields:
| Log Field | Description |
|---|---|
| | Action taken: , , , |
| | Specific rule ID that triggered |
| | Whether the request was blocked ( = yes) |
| | Final action taken on the request |
| | Block plugin identifier |
| | Request trace ID (same as Request ID in block page) |
| | The domain that matched the request |
| | The Host header from the request |
| | Client's real IP address |
| | — identifies which rule and its origin |
| | DDoS Pro access line (e.g. China Telecom, China Unicom, China Mobile, Hong Kong, overseas). Note: this field reflects the DDoS Pro access line and is not equivalent to the client's physical location. The report should say "the request entered via the {isp_line} line" and must not equate it with the client's region |
Step 4b: Query Strategy Switch Status (policy pre-check)
[MUST] Before querying specific rules, first check which protection modules are enabled:
```bash
aliyun ddoscoo describe-web-cc-protect-switch --domains.1 '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
This returns all switch states. Key fields:
| Field | Description | Values |
|---|---|---|
| | CC protection master switch | (off) / (on) |
| | Custom CC rules switch | / |
| | Precise Access Control (ACL) switch | / |
| | Global defense switch | / |
| | AI smart protection switch | / |
| | AI mode | / |
| | AI level | / / |
| | IP blacklist/whitelist switch | / |
| | Region blocking switch | / |
Step 4c: Query Specific Rule Details
Based on , call the corresponding API to fetch the rule configuration.
If = → CC Protection Rules:
```bash
# Query all CC rules for the domain; use --owner manual for user rules, clover for auto rules
aliyun ddoscoo describe-web-cc-rules-v2 --domain '<domain>' --offset 0 --page-size 30 --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Then find the specific rule by matching 's rule name (the part before ) against the rule's field in the response.
If = → Precise Access Control (ACL) Rules:
```bash
aliyun ddoscoo describe-web-precise-access-rule --domains.1 '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Then find the specific rule by matching 's rule name against the rule's field in the response.
If = → AI Smart Protection:
```bash
# AI protection has no individual rules; check mode and level from switch status
aliyun ddoscoo describe-web-cc-protect-switch --domains.1 '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Report the (watch/defense), (level30/60/90), and status.
If = or → Global Defense Policy:
```bash
# Get global rule list with RuleId, Action, Enabled, Description
aliyun ddoscoo describe-l7-global-rule --domain '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
If = → IP Blacklist/Whitelist:
```bash
# Get blacklist and whitelist IPs from domain web rules
aliyun ddoscoo describe-web-rules --domain '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Extract and arrays from the response.
If = or → Region Blocking:
```bash
aliyun ddoscoo describe-web-area-block-configs --domains.1 '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Check which regions have .
[IMPORTANT] Domain Not Found: If the domain query returns , the domain may have been removed from DDoS Pro after the block event. Report this to the user: the log is still valid, but rule details cannot be retrieved.
See references/domain-security-policy.md for the complete domain security policy management reference including rule creation, modification, deletion, and field reference tables.
Step 5: Output Analysis Report
[MUST] Sensitive Data Masking — Apply the global masking rules defined in Core Workflow to all fields in this report, including any supplementary paragraphs. Never restore masked data in any section.
```markdown
## DDoS Pro Intercept Analysis Report
### Request Information
- Request ID: {request_traceid}
- Block Time: {time}
- Client IP: {masked_real_client_ip, e.g. 192.***.***.***}
- ISP Line: {isp_line} (DDoS Pro access line, not the client's actual location)
- Domain: {matched_host}
- Request URL: {host}{request_path}?{masked_query_params}
### Block Details
- Rule ID: {final_rule_id or cc_rule_id; if neither field exists in the log, output "N/A - rule ID not recorded in log" and never omit this line}
- Block Type: {final_plugin / cc_phase}
- Action: {final_action or cc_action}
### Recommendations
{Based on block type, refer to references/common-block-reasons.md}
```
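The global masking rules from Core Workflow and this report template, applied together in code, including the "N/A" fallback when neither rule ID field is present. This is an added example and not the skill's own implementation. Field names come from the template above; the raw `query_string`, `cookie` and `user_agent` field names, the `***` placeholder and every value in the sample record are assumptions or constructed data, since the page does not show them. The masked IP form follows the JSON example in the masking rules (`140.*.*.*`).

```python
"""Mask an SLS block record per the skill's global rules and render the
Step 5 report (added example, not the skill's own code)."""
from typing import Dict
from urllib.parse import parse_qsl

MASK = "***"  # assumed placeholder; the skill's literal is elided on the page
UA_KEEP = 32  # User-Agent: keep only the first 32 characters


def mask_ip(ip: str) -> str:
    """Keep only the first octet: 140.205.11.30 -> 140.*.*.*"""
    first, *_ = ip.split(".")
    return f"{first}.*.*.*"


def mask_query(query_string: str) -> str:
    """Keep parameter names, replace every value with the mask."""
    if not query_string:
        return ""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    return "&".join(f"{k}={MASK}" for k, _ in pairs)


def truncate_ua(ua: str) -> str:
    return ua[:UA_KEEP]


def rule_id_line(record: Dict[str, str]) -> str:
    """final_rule_id wins, then cc_rule_id; the line is never omitted."""
    for key in ("final_rule_id", "cc_rule_id"):
        if record.get(key):
            return record[key]
    return "N/A - rule ID not recorded in log"


def render_report(record: Dict[str, str]) -> str:
    query = mask_query(record.get("query_string", ""))
    url = record.get("host", "") + record.get("request_path", "")
    if query:
        url += "?" + query
    lines = [
        "## DDoS Pro Intercept Analysis Report",
        "### Request Information",
        f"- Request ID: {record.get('request_traceid', 'N/A')}",
        f"- Block Time: {record.get('time', 'N/A')}",
        f"- Client IP: {mask_ip(record['real_client_ip'])}",
        f"- ISP Line: {record.get('isp_line', 'N/A')} (DDoS Pro access line, not the client's actual location)",
        f"- Domain: {record.get('matched_host', 'N/A')}",
        f"- Request URL: {url}",
        "### Block Details",
        f"- Rule ID: {rule_id_line(record)}",
        f"- Block Type: {record.get('final_plugin') or record.get('cc_phase') or 'N/A'}",
        f"- Action: {record.get('final_action') or record.get('cc_action') or 'N/A'}",
    ]
    # Cookie / Authorization / Token values are replaced whole, never quoted.
    for secret in ("cookie", "authorization", "token"):
        if record.get(secret):
            lines.append(f"- {secret}: {MASK}")
    if record.get("user_agent"):
        lines.append(f"- User-Agent (truncated): {truncate_ua(record['user_agent'])}")
    return "\n".join(lines)


# Constructed sample record; all values are invented for illustration.
SAMPLE_RECORD = {
    "request_traceid": "0123456789abcdef0123456789abcdef01",
    "time": "2024-01-01 12:00:00",
    "real_client_ip": "140.205.11.30",
    "isp_line": "BGP",
    "matched_host": "www.example.com",
    "host": "www.example.com",
    "request_path": "/login",
    "query_string": "user=alice&token=s3cr3t",
    "cookie": "session=abc123",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)",
    "final_plugin": "acl",  # constructed value; the page does not list plugin names
    "final_action": "block",
}

if __name__ == "__main__":
    print(render_report(SAMPLE_RECORD))
```

Masking is applied when the report text is built, so no unmasked value exists in any string that could later be quoted; a final check that the raw IP, cookie and parameter values do not appear in the rendered text is a cheap safeguard before the report is delivered.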
Troubleshooting
No Logs Found
- Re-check SLS and log store status (Step 2b)
- Check domain full log switch:
```bash
aliyun ddoscoo describe-web-access-log-status --domain '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
- Enable if disabled (check-then-act):
```bash
aliyun ddoscoo enable-web-access-log-config --domain '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
- Check all domain log dispatch status:
```bash
aliyun ddoscoo describe-web-access-log-dispatch-status --page-number 1 --page-size 50 --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Request ID Not Found
- Verify Request ID format (typically 30+ hex characters)
- Script auto-expands search up to 90 days
- Try both regions ( and )
- Check log retention (TTL) via `describe-sls-logstore-info`
Multi-Instance Scenarios
DDoS Pro instances may span both regions. Query logs across all discovered SLS projects until the Request ID is found.
Rule Operation Constraints
See references/rule-operations.md for detailed instructions.
When user requests to disable a rule:
- Check current status first (idempotent check-then-act)
- Only disable operations are permitted; never delete rules
- Confirm with user before executing
Disable CC Rule:
```bash
aliyun ddoscoo disable-web-cc-rule --domain '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Disable Precise Access Control:
```bash
aliyun ddoscoo modify-web-precise-access-switch --domain '<domain>' --config '{"PreciseRuleEnable": 0}' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Success Verification Method
See references/verification-method.md for detailed verification steps.
Expected Outcome: Intercept analysis report generated with complete request information, rule details, and actionable recommendations.
Verification: After querying with a known Request ID, the output should contain all fields in the report template.
Cleanup
This skill is read-only by default and does not create persistent resources. No cleanup required unless:
- Full log was enabled for a domain during execution (inform user; this skill only enables, never disables)
- CC rules were disabled (can be re-enabled via )
Best Practices
- Always query both regions ( and ) for instance discovery
- [MUST] Use (plugin mode, kebab-case) for SLS log queries
- Do NOT guess SLS project/logstore names — always obtain them from `describe-sls-logstore-info` or `describe-web-access-log-status`
- Check domain full log status before querying to avoid empty results
- [MUST] Mask sensitive data in output reports: Client IP → , query parameters → , cookies/tokens →
- Use idempotent check-then-act pattern before any write operations
- Never delete rules — only disable/enable operations are permitted
Reference Links
| Reference | Description |
|---|---|
| references/ram-policies.md | RAM permission requirements |
| references/common-block-reasons.md | Common block reasons and recommendations |
| references/rule-config-details.md | Rule configuration field descriptions |
| references/rule-operations.md | Rule operation policy and constraints |
| references/domain-security-policy.md | Domain security policy management (query, create, modify, delete rules) |
| references/related-commands.md | All CLI commands used in this skill |
| references/verification-method.md | Success verification steps |
| references/cli-installation-guide.md | Aliyun CLI installation and upgrade guide |