All Products
Search

This Product

    Anti-DDoS:Statistical report (Anti-DDoS Proxy)

    Document Center

    Anti-DDoS:Statistical report (Anti-DDoS Proxy)

    Last Updated:Sep 05, 2024

    This topic describes how to view the attack protection report of Anti-DDoS Proxy (Chinese Mainland) over the past year.

    Report description

    • Limits: You can view only data that is generated after August 8, 2024 in statistical reports.

    • Supported instances: The report includes data of Anti-DDoS Proxy (Chinese Mainland) instances.

    • Sampling note: The attack analysis data inlcudes sample data, which may cause statistical bias.

    View and download statistical reports

    1. Log on to the Traffic Security console and open the Satistical Reports page.

    2. Select Anti-DDoS Proxy (Chinese Mainland), specify the instance, domain name, and time range, and click the image icon. image

      Important

      Different configurations of instances and domain names correspond to different statistics:

      • All instances + all domain names: Queries both network-layer and application-layer traffic statistics for all accessed services.

      • All instances or specified instance + empty domain name: Queries network-layer traffic statistics for the instance.

      • Empty instance + all domain names or specified domain name: Queries application-layer traffic statistics for the specified domain name.

      • Not supported: empty instance + empty domain name.

      • Not supported: partial instances + partial domain names.

    3. Click Export Report in the upper-right corner to download the report in image or PDF format.

    Explanation of Metrics

    Overall operations metrics

    Metrics

    Description

    Data Metrics

    • Peak Traffic of Single Attack Event: The peak inbound traffic (bit/s) of a single attack event when you compare all network-layer attack events. The peak inbound traffic includes both attack and service traffic.

    • Peak QPS of Single Attack Event: This metric appears only when the query condition includes a domain name. It refers to the peak queries per second (QPS) of a single attack event when you compare all application-layer attack events.

    • Peak pps of Single Attack Event: The peak inbound traffic (packets per second) of a single attack event when you compare all network-layer attack events. The peak inbound traffic includes both attack traffic and service traffic.

    • Blackhole Filtering Events: This metric appears only when the query condition includes an instance. It refers to the number of blackhole filtering events that occur within the query time range of the selected instance.

    • Blackhole Filtering Duration: This metric appears only when the query condition includes an instance. It refers to the total duration of all blackhole events that occur within the query time of the selected instance.

    • Anti-DDoS Proxy Protection Duration: The life span of the current valid instance. If multiple instances are selected, the longest life span is displayed.

    Traffic Scrubbing Events

    This metric refers to the total count and type distribution of traffic scrubbing events. The types include volumetric, connection flood, and web resource exhaustion attacks, and exclude blackhole filtering events. The data displayed varies based on the query conditions:

    • When the query condition includes only instances, the data of volumetric and connection flood attacks is displayed.

    • When the query condition includes only domain names, the data of web resource exhaustion attacks is displayed.

    • When the query condition includes both instances and domain names, the data of volumetric, connection flood, and web resource exhaustion attacks is displayed.

    Protected Assets

    This metric refers to the total number of protected assets. This data is independent of the search time and reflects real-time information as of the previous day (T-1).

    • IP: The number of origin IP addresses corresponding to port forwarding.

    • Domain name: The number of domain names that are protected by Anti-DDoS Proxy.

    Traffic metrics

    Metrics

    Description

    Traffic Trend in bit/s

    • Total inbound traffic: All traffic (bit/s) from the client to Anti-DDoS Proxy, including both service and attack traffic.

    • Inbound: Service traffic (bit/s) from Anti-DDoS Proxy to the origin server.

    • Outbound: Service traffic (bit/s) from the origin server to Anti-DDoS Proxy.

      Note

      When the query condition includes only domain names, the data represents playload statistics. When the query condition includes instances, network-layer traffic statistics are used. Note that differences exist between network-layer traffic statistics and payload traffic statistics.

    Request Trend in QPS

    This metric appears only when the query condition includes a domain name.

    • Maximum Inbound Traffic in QPS: QPS from the client to Anti-DDoS Proxy, including attack QPS and clean QPS.

    • Back-to-origin QPS: QPS from Anti-DDoS Proxy to the origin server.

    Top 5 Source Regions of Network Layer Attacks

    This metric appears only when the query condition includes instances. The top 5 source regions are ranked based on the number of requests from all attacker IP addresses.

    • China: The regions are sorted by province.

    • Locations Outside China: The regions are sorted by country.

    Statistical logic:

    1. Calculate the ratio of requests from attacker IP addresses to the total number of requests in a single attack event within a single province or country.

    2. Rank the ratios and select the top 5.

      • For each province or country, retain only the largest ratio.

      • Retain data from 5 different provinces or countries.

    Top 5 Source Regions of Application Layer Attacks

    This metric appears only when the query condition includes a domain name. The top 5 source regions are ranked based on the number of requests from all attacker IP addresses in QPS.

    • China: The regions are sorted by province.

    • Locations Outside China: The regions are sorted by country.

    Statistical logic:

    1. Calculate the number of requests from attacker IP addresses in a single attack event within a single province or country.

    2. Rank the numbers and select the top 5. Take the QPS of the top 5 data.

      • Within one province or country, only the largest data is taken.

      • Data from 5 different provinces or countries is retained.

    Attack distribution

    Metrics

    Description

    Attack Type Distribution

    Calculate the attack type distribution based on the number of attack types, which include volumetric, connection flood, and web resource exhaustion attacks and exclude blackhole filtering events.

    Top 10 Attack Source ISPs

    Calculate the distribution of global attack source Internet service providers (ISPs) based on the number of requests from attack sources in attack events, which include traffic scrubbing events and blackhole filtering events.

    Volumetric Attacks by Peak Attack Throughput

    Calculate the number of events across different peak attack throughput ranges. Blackhole filtering events are excluded.

    The ranges are 0-30G, 30-100G, 100-300G, 300-600G, and above 600G.

    Attack Duration Distribution

    Calculate the number of events across different attack duration ranges. Volumetric, connection flood, and web resource exhaustion events are included, while blackhole filtering events are excluded.

    The ranges are 0-30 minutes, 30-60 minutes, 1-3 hours, 3-12 hours, and above 12 hours.

    Attack ranking metrics

    Metrics

    Description

    Top 20 Source IP Addresses by Peak Attack Throughput

    This metric appears only when the query condition includes instances.

    This metric displays the source IP addresses that generate the top 20 peak attack throughput. The following statistical logic is used:

    1. Rank the numbers of discarded requests from attacker IP addresses in a single attack event by using sample traffic.

    2. Rank the numbers of requests discarded across multiple attack events.

    3. Select the top 20 source IP addresses based on the largest request numbers.

    4. For each source IP address, retain only the single largest request number.

    5. Limit the results to a maximum of 20 distinct source IP addresses.

    Top 10 Destination IP Addresses by Peak Attack Throughput

    This metric appears only when the query condition includes instances.

    This metric displays the destination IP addresses that receive the top 10 peak attack throughput. The following statistical logic is used:

    1. Rank the peak inbound traffic (bit/s) of the destination IP addresses in a single attack event by using sampled traffic.

    2. Rank the peak inbound traffic (bit/s) across multiple attack events.

    3. Select the top 10 destination IP addresses based on the highest peak inbound traffic.

    4. For each destination IP address, retain only the single highest peak inbound traffic.

    5. Limit the results to a maximum of 10 distinct destination IP addresses.

    Top 10 Destination Domain Names by Peak Attack Throughput

    This metric appears only when the query condition includes a domain name.

    This metric displays the destination domain names subject to the top 10 peak attack throughput. The following statistical logic is used:

    1. Rank the peak QPS of a destination domain name by using sampled traffic of a single attack event.

    2. Rank the peak QPS across multiple attack events.

    3. Select the top 10 destination domain names based on the highest peak QPS.

    4. For each destination domain name, retain only the single highest peak QPS.

    5. Limit the results to a maximum of 10 distinct destination domain names.

    Protection metrics

    Metrics

    Description

    Top 10 Destination Ports by Attack

    This metric appears only when the query condition includes instances.

    The following statistical logic is used to decide the Top 10 Destination Ports by Attack:

    1. Rank the numbers of requests discarded based on their destination ports (IP addresses and ports) by using sampled traffic of a single attack event.

    2. Rank the numbers of requests discarded across multiple attack events.

    3. Select the top 10 destination ports with the largest numbers of discarded requests.

    4. For each destination port, retain only the maximum number of discarded requests.

    5. Limit the results to a maximum of 10 distinct destination ports.

    Defense Against Application Layer Attacks by Module

    This metric appears only when the query condition includes a domain name. It displays the protection policies that filter out application layer attacks.

    Attack events

    All attack events within the query time of the selected instance or domain name are listed. You can go to the Attack Analysis page to view event details.

    References

    For more information about the metrics of Anti-DDoS Origin, see Statistical report (Anti-DDoS Origin).