This topic describes the fields that are included in the full logs of Anti-DDoS Proxy.
Basic Information
Field | Description | Example |
__topic__ | The topic of the log. The value is fixed as ddos_access_log, which indicates the logs of Anti-DDoS Proxy. | ddos_access_log |
user_id | The Alibaba Cloud account ID. | 166688437215**** |
HTTP requests
Field | Description | Example |
body_bytes_sent | The size of the body in the request. Unit: bytes. | 2 |
content_type | The content type of the response body. | application/x-www-form-urlencoded |
host | The requested domain name. | api.aliyundoc.com |
http_cookie | The request cookie. | k1=v1;k2=v2 |
http_referer | The referer of the request. If the referer does not exist, a hyphen ( | http://aliyundoc.com |
http_user_agent | The user agent of the request. | Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002) |
http_x_forwarded_for | The IP address of the upstream proxy. | 192.0.XX.XX |
https | Indicates whether the request is an HTTPS request. Valid values: true and false. | true |
matched_host | The domain name that is matched, which can be a wildcard domain name. If no domain names are matched, a hyphen ( | *.aliyundoc.com |
real_client_ip | The originating IP address of the client. If no originating IP addresses are retrieved, a hyphen ( | 192.0.XX.XX |
isp_line | The information about the Internet service provider (ISP) line, such as Border Gateway Protocol (BGP), China Telecom, or China Unicom. | China Telecom |
remote_addr | The IP address from which the request is initiated. | 192.0.XX.XX |
remote_port | The port from which the request is initiated. | 23713 |
request_length | The size of the request. Unit: bytes. | 123 |
request_method | The HTTP method of the request. | GET |
request_time_msec | The processing time of the request. Unit: milliseconds. | 44 |
request_uri | The URI of the request. | /answers/377971214/banner |
server_name | The name of the origin server that is matched. If no origin servers are matched, | api.aliyundoc.com |
status | The HTTP status code. | 200 |
time | The time of the request. | 2018-05-02T16:03:59+08:00 |
querystring | The query string in the request. | token=bbcd&abc=123 |
upstream_addr | The list of origin addresses that are separated by commas (,). Each address is in the IP:Port format. | 192.0.XX.XX:443 |
upstream_ip | The origin IP address. | 192.0.XX.XX |
upstream_response_time | The response time of the back-to-origin request. Unit: seconds. Note: If the famax engine of the previous version is used, the unit of this field is milliseconds. | 0.044 |
upstream_status | The HTTP status code of the back-to-origin request. | 200 |
vip_addr | The IP address of the Anti-DDoS Proxy instance. | 203.107.XX.XX |
http2_client_fingerprint | The original fingerprint of the HTTP/2 client. | 2:0;4:2097152;3:100|10485760|0|m,s,p,a |
http2_client_fingerprint_md5 | The HTTP/2 fingerprint. The HTTP/2 fingerprint is a 128-bit MD5 hash value (32 characters) that is calculated from the original fingerprint of the HTTP/2 client. It is used to analyze and identify different clients for more secure and efficient communication. | ad8424af1cc590e09f7b0c499bf7fcdb |
ssl_client_ja3_fingerprinting | The original JA3 fingerprint of the client. It contains key parameters from the TLS handshake, including the TLS version, cipher suites, compression algorithms, and TLS extensions. | 771,4865-49195-49196-49197,29,0 |
ssl_client_ja3_fingerprinting_md5 | The MD5 hash value generated from the JA3 original fingerprint. | c1bd7c674bbec9f0f2474e3eee3564f4 |
ssl_client_ja4_fingerprinting | The original JA4 fingerprint of the client. It includes key parameters from the TLS handshake, such as the TLS version, cipher suites, compression algorithms, TLS extensions, browser version, and operating system. | t13d1516h2_acb858a92679_e5627efa2ab1 |
ssl_client_ja4_fingerprinting_md5 | The MD5 hash value generated from the JA4 original fingerprint. | 8c3d99fb6ed08a39c799aad27b4854f4 |
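The following is an added example, not part of the original documentation or of Alibaba Cloud's code. It shows how the fingerprint fields above can be used for analysis by grouping requests by `ssl_client_ja3_fingerprinting_md5` and listing fingerprints that appear with several distinct `http_user_agent` values. It assumes records are already parsed into dictionaries keyed by the field names; the function names, the threshold, the fallback from `real_client_ip` to `remote_addr`, and all sample records are constructed for illustration.

```python
from collections import defaultdict

MISSING = "-"  # hyphen placeholder the field descriptions mention for unavailable values

def field(rec, name):
    """Field value, or None when absent, empty or the hyphen placeholder."""
    value = rec.get(name)
    return None if value in (None, "", MISSING) else value

def client_ip(rec):
    """Originating client IP; falls back to remote_addr (assumed policy)."""
    return field(rec, "real_client_ip") or field(rec, "remote_addr")

def summarize_by_ja3(records):
    """Group requests by JA3 MD5; collect user agents and client IPs per fingerprint."""
    groups = defaultdict(lambda: {"requests": 0, "user_agents": set(), "clients": set()})
    for rec in records:
        key = field(rec, "ssl_client_ja3_fingerprinting_md5")
        if key is None:  # fingerprint not logged for this request
            continue
        group = groups[key]
        group["requests"] += 1
        ua, ip = field(rec, "http_user_agent"), client_ip(rec)
        if ua:
            group["user_agents"].add(ua)
        if ip:
            group["clients"].add(ip)
    return dict(groups)

def rotating_user_agents(records, min_agents=3):
    """JA3 MD5 values seen with at least min_agents distinct User-Agent strings."""
    summary = summarize_by_ja3(records)
    return sorted(k for k, g in summary.items() if len(g["user_agents"]) >= min_agents)

def _rec(ja3_md5, ua, real_ip, remote):
    """Build one constructed sample record (not real traffic)."""
    return {"__topic__": "ddos_access_log", "ssl_client_ja3_fingerprinting_md5": ja3_md5,
            "http_user_agent": ua, "real_client_ip": real_ip, "remote_addr": remote}

FP_A, FP_B = "1" * 32, "2" * 32  # constructed fingerprint values
SAMPLE = [
    _rec(FP_A, "ExampleBrowser/1.0", "192.0.2.10", "198.51.100.1"),
    _rec(FP_A, "ExampleBot/2.0", "192.0.2.10", "198.51.100.1"),
    _rec(FP_A, "ExampleApp/3.0", "-", "198.51.100.7"),
    _rec(FP_B, "ExampleBrowser/1.0", "192.0.2.20", "198.51.100.1"),
    _rec(FP_B, "ExampleBrowser/1.0", "192.0.2.20", "198.51.100.1"),
    _rec(None, "ExampleBrowser/1.0", "192.0.2.30", "198.51.100.1"),
]
```

A single TLS fingerprint presenting many different user agents is worth a closer look, but shared client libraries and proxies produce the same pattern, so treat the result as a lead rather than a verdict.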
Client Information
Field | Description | Example |
ua_browser | The identifier of the browser. Note: In some cases, a log does not contain this field. | ie9 |
ua_browser_family | The series of the browser. Note: In some cases, a log does not contain this field. | internet explorer |
ua_browser_type | The type of the browser. Note: In some cases, a log does not contain this field. | web_browser |
ua_browser_version | The version of the browser. Note: In some cases, a log does not contain this field. | 9.0 |
ua_device_type | The type of the client. Note: In some cases, a log does not contain this field. | computer |
ua_os | The identifier of the operating system that runs on the client. Note: In some cases, a log does not contain this field. | windows_7 |
ua_os_family | The series of the operating system that runs on the client. Note: In some cases, a log does not contain this field. | windows |
server_protocol | The protocol and version number of the origin server that are returned in the response to Anti-DDoS Proxy back-to-origin requests. | HTTP/1.1 |
ssl_protocol | The SSL or TLS protocol and version that are used in the request. | TLSv1.2 |
ssl_cipher | The cipher suite that is used in the request. | ECDHE-RSA-AES128-GCM-SHA256 |
ssl_handshake_time | The period of time during which the client initiates a TLS handshake. Unit: milliseconds. | 99 |
Mitigation settings
Field | Description | Example |
cc_action | The action that is triggered in an HTTP flood mitigation rule. Valid values: | accept |
cc_blocks | Indicates whether the request is blocked by an HTTP flood mitigation rule. Valid values: Note: In some cases, a log does not contain this field. If a log does not contain the cc_blocks field, the | 1 |
cc_phase | The type of the mitigation setting. Valid values: | gfbwip |
last_module | The type of mitigation setting for websites. Valid values: | gfareaban |
last_owner | The name of the rule that is configured for websites. Rules include rules that are issued by Anti-DDoS Proxy and custom rules. Valid values of the rules that are issued by Anti-DDoS Proxy: | global_th_4_C_****|global |
last_result | The final action on the request. Valid values: Note: In some cases, a log does not contain this field. If a log does not contain the last_result field, the | failed |