Anti-DDoS: Fields included in full logs

Last Updated: Nov 20, 2024

This topic describes the fields that are included in the full logs of Anti-DDoS Proxy.

Basic Information

| Field | Description | Example |
| --- | --- | --- |
| `__topic__` | The topic of the log. The value is fixed as `ddos_access_log`, which indicates the logs of Anti-DDoS Proxy. | `ddos_access_log` |
| `user_id` | The Alibaba Cloud account ID. | `166688437215****` |

HTTP requests

| Field | Description | Example |
| --- | --- | --- |
| `body_bytes_sent` | The size of the body in the request. Unit: bytes. | `2` |
| `content_type` | The content type of the response body. | `application/x-www-form-urlencoded` |
| `host` | The requested domain name. | `api.aliyundoc.com` |
| `http_cookie` | The request cookie. | `k1=v1;k2=v2` |
| `http_referer` | The referer of the request. If the referer does not exist, a hyphen (`-`) is returned. | `http://aliyundoc.com` |
| `http_user_agent` | The user agent of the request. | `Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002)` |
| `http_x_forwarded_for` | The IP address of the upstream proxy. | `192.0.XX.XX` |
| `https` | Indicates whether the request is an HTTPS request. Valid values: `true` and `false`. | `true` |
| `matched_host` | The domain name that is matched, which can be a wildcard domain name. If no domain name is matched, a hyphen (`-`) is returned. | `*.aliyundoc.com` |
| `real_client_ip` | The originating IP address of the client. If no originating IP address can be retrieved, a hyphen (`-`) is returned. | `192.0.XX.XX` |
| `isp_line` | The Internet service provider (ISP) line, such as Border Gateway Protocol (BGP), China Telecom, or China Unicom. | `China Telecom` |
| `remote_addr` | The IP address from which the request is initiated. | `192.0.XX.XX` |
| `remote_port` | The port from which the request is initiated. | `23713` |
| `request_length` | The size of the request. Unit: bytes. | `123` |
| `request_method` | The HTTP method of the request. | `GET` |
| `request_time_msec` | The processing time of the request. Unit: milliseconds. | `44` |
| `request_uri` | The URI of the request. | `/answers/377971214/banner` |
| `server_name` | The name of the origin server that is matched. If no origin server is matched, `default` is returned. | `api.aliyundoc.com` |
| `status` | The HTTP status code. | `200` |
| `time` | The time of the request. | `2018-05-02T16:03:59+08:00` |
| `querystring` | The query string in the request. | `token=bbcd&abc=123` |
| `upstream_addr` | The comma-separated list of origin addresses. Each address is in the `IP:Port` format. | `192.0.XX.XX:443` |
| `upstream_ip` | The origin IP address. | `192.0.XX.XX` |
| `upstream_response_time` | The response time of the back-to-origin request. Unit: seconds. Note: if the famax engine of the previous version is used, the unit of this field is milliseconds. | `0.044` |
| `upstream_status` | The HTTP status code of the back-to-origin request. | `200` |
| `vip_addr` | The IP address of the Anti-DDoS Proxy instance. | `203.107.XX.XX` |
| `http2_client_fingerprint` | The original fingerprint of the HTTP/2 client. | `2:0;4:2097152;3:100\|10485760\|0\|m,s,p,a` |
| `http2_client_fingerprint_md5` | The HTTP/2 fingerprint: a 128-bit (32 hexadecimal characters) MD5 hash value calculated from the original fingerprint of the HTTP/2 client. The HTTP/2 fingerprint is used to analyze and identify different clients for more secure and efficient communication. | `ad8424af1cc590e09f7b0c499bf7fcdb` |
| `ssl_client_ja3_fingerprinting` | The original JA3 fingerprint of the client, which contains key parameters from the TLS handshake, including the TLS version, cipher suites, compression algorithms, and TLS extensions. | `771,4865-49195-49196-49197,29,0` |
| `ssl_client_ja3_fingerprinting_md5` | The MD5 hash value generated from the original JA3 fingerprint. | `c1bd7c674bbec9f0f2474e3eee3564f4` |
| `ssl_client_ja4_fingerprinting` | The original JA4 fingerprint of the client, which includes key parameters from the TLS handshake, such as the TLS version, cipher suites, compression algorithms, TLS extensions, browser version, and operating system. | `t13d1516h2_acb858a92679_e5627efa2ab1` |
| `ssl_client_ja4_fingerprinting_md5` | The MD5 hash value generated from the original JA4 fingerprint. | `8c3d99fb6ed08a39c799aad27b4854f4` |

Client Information

| Field | Description | Example |
| --- | --- | --- |
| `ua_browser` | The identifier of the browser. Note: in some cases, a log does not contain this field. | `ie9` |
| `ua_browser_family` | The series of the browser. Note: in some cases, a log does not contain this field. | `internet explorer` |
| `ua_browser_type` | The type of the browser. Note: in some cases, a log does not contain this field. | `web_browser` |
| `ua_browser_version` | The version of the browser. Note: in some cases, a log does not contain this field. | `9.0` |
| `ua_device_type` | The type of the client device. Note: in some cases, a log does not contain this field. | `computer` |
| `ua_os` | The identifier of the operating system that runs on the client. Note: in some cases, a log does not contain this field. | `windows_7` |
| `ua_os_family` | The series of the operating system that runs on the client. Note: in some cases, a log does not contain this field. | `windows` |
| `server_protocol` | The protocol and version returned by the origin server in its response to the back-to-origin request from Anti-DDoS Proxy. | `HTTP/1.1` |
| `ssl_protocol` | The SSL or TLS protocol and version used in the request. | `TLSv1.2` |
| `ssl_cipher` | The cipher suite used in the request. | `ECDHE-RSA-AES128-GCM-SHA256` |
| `ssl_handshake_time` | The time consumed by the TLS handshake initiated by the client. Unit: milliseconds. | `99` |

Mitigation settings

| Field | Description | Example |
| --- | --- | --- |
| `cc_action` | The action triggered by an HTTP flood mitigation rule. Valid values: `accept` (the request is allowed); `block` (the request is blocked); `challenge` (CAPTCHA verification is used to verify the source IP address of the request); `alarm` (the request is recorded in logs and allowed). | `accept` |
| `cc_blocks` | Indicates whether the request is blocked by an HTTP flood mitigation rule. Valid values: `1` (the request is blocked); any other value (the request is allowed). Note: in some cases, a log does not contain this field. If a log does not contain the `cc_blocks` field, the `last_result` field records whether the request is blocked by an HTTP flood mitigation rule. | `1` |
| `cc_phase` | The type of the mitigation setting. Valid values for the Tengine engine: `gfbwip` (blacklist and whitelist feature); `gfcc` (HTTP flood mitigation feature); `gfacl` (custom mitigation policy); `gfglobal` (DDoS mitigation policy); `gfareaban` (location blacklist feature). Valid values for the famax engine: `ipFilter` (blacklist and whitelist feature); `statProtect` (HTTP flood mitigation feature); `preciseProtect` (custom mitigation policy); `regionBLock` (location blacklist feature). | `gfbwip` |
| `last_module` | The type of mitigation setting for websites. Valid values: `gfareaban` (location blacklist feature for domain names); `gfbwip` (blacklist/whitelist feature for domain names); `gfacl` (accurate access control rule); `gfcc` (HTTP flood mitigation feature); `gfglobal` (DDoS mitigation policy). | `gfareaban` |
| `last_owner` | The name of the rule configured for the website. Rules include rules issued by Anti-DDoS Proxy and custom rules. Names of rules issued by Anti-DDoS Proxy: names that start with `smartcc_` (rules of the intelligent protection feature); names that start with `global` (rules of a DDoS mitigation policy); names that start with `gf_internal` (rules of the HTTP flood mitigation feature). | `global_th_4_C_****\|global` |
| `last_result` | The final action on the request. Valid values: `ok` (the request is allowed); `failed` (the request is not allowed, for example because it is blocked or verification fails). Note: in some cases, a log does not contain this field. If a log does not contain the `last_result` field, the `cc_blocks` field records whether the request is blocked by an HTTP flood mitigation rule. | `failed` |
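As an added example that is not part of this documentation page, the following Python evaluates constructed full-log records using the field semantics described above: it resolves the originating client with the documented `-` fallback from `real_client_ip` to `remote_addr`, applies the `cc_blocks`/`last_result` fallback for the block verdict, and normalizes `upstream_response_time` to seconds. Inferring the engine from `cc_phase` in order to pick the unit is this example's own assumption, not something the page states.

```python
"""Added example (not from the Anti-DDoS Proxy documentation): evaluate
full-log records using the field semantics described on this page."""
from collections import Counter

# Constructed sample records shaped like the documented fields (documentation IPs).
SAMPLE_LOGS = [
    {"__topic__": "ddos_access_log", "real_client_ip": "192.0.2.10",
     "remote_addr": "198.51.100.7", "cc_blocks": "1", "cc_phase": "gfcc",
     "upstream_response_time": "0.044", "status": "200"},
    {"__topic__": "ddos_access_log", "real_client_ip": "-",
     "remote_addr": "198.51.100.8", "last_result": "failed",
     "cc_phase": "statProtect", "upstream_response_time": "44",
     "status": "403"},
    {"__topic__": "ddos_access_log", "real_client_ip": "192.0.2.10",
     "remote_addr": "198.51.100.7", "cc_blocks": "0", "last_result": "ok",
     "cc_phase": "gfacl", "upstream_response_time": "0.031", "status": "200"},
]

# cc_phase values the page documents for the famax engine (Tengine uses gf* names).
FAMAX_PHASES = {"ipFilter", "statProtect", "preciseProtect", "regionBLock"}


def client_ip(rec):
    """real_client_ip, unless it is the documented '-' placeholder; then
    fall back to remote_addr (the peer that connected to the proxy)."""
    ip = rec.get("real_client_ip", "-")
    return ip if ip != "-" else rec.get("remote_addr", "-")


def is_blocked(rec):
    """Blocked by an HTTP flood mitigation rule? Prefer cc_blocks (1 means
    blocked); when that field is absent, last_result carries the verdict."""
    if "cc_blocks" in rec:
        return rec["cc_blocks"] == "1"
    return rec.get("last_result") == "failed"


def upstream_rtt_seconds(rec):
    """Normalize upstream_response_time to seconds: the page gives seconds for
    Tengine and milliseconds for the previous famax engine. Detecting the
    engine via cc_phase is this example's assumption, not the page's."""
    value = float(rec["upstream_response_time"])
    return value / 1000.0 if rec.get("cc_phase") in FAMAX_PHASES else value


def blocked_by_client(records):
    """Count blocked requests per originating client IP."""
    return dict(Counter(client_ip(r) for r in records if is_blocked(r)))
```

Calling `blocked_by_client(SAMPLE_LOGS)` returns `{'192.0.2.10': 1, '198.51.100.8': 1}`: the second record is attributed to `remote_addr` because `real_client_ip` is `-`, and it counts as blocked through `last_result` because `cc_blocks` is absent.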