Fields in logs

Updated at: 2025-02-24 06:52

This topic describes all fields in the logs of Anti-DDoS Origin.

The fields are classified into the following types based on features:

  • Event fields: record information about the events that occur on the protected assets. The events include traffic scrubbing, blackhole filtering, and traffic rerouting. The information includes the occurrence time and the status of the events.

  • Traffic detection fields: record information about the traffic that is generated on the protected assets. The information includes the transmission rate of inbound traffic and the packet forwarding rates of different types of data packets.

  • Traffic scrubbing fields: record information about the traffic that is denied or allowed by different mitigation policies during traffic scrubbing.

Event fields

Field

Description

Example value

data_type

The data type. Valid values:

  • Global_SC_Detection: indicates data about the traffic that is forwarded by the traffic scrubbing center of Anti-DDoS Proxy. The traffic is protected by an anti-DDoS diversion instance.

  • Global_SC_Mitigation: indicates data about the traffic that is scrubbed by the traffic scrubbing center of Anti-DDoS Proxy. The traffic is protected by an anti-DDoS diversion instance.

  • Regional_SC_Detection: indicates data about the inbound traffic of the region in which Alibaba Cloud assets reside.

  • Regional_SC_Mitigation: indicates data about the scrubbed traffic of the region in which Alibaba Cloud assets reside.

  • event: indicates data about attack events.

Regional_SC_Mitigation

event_time

The time at which an event occurred. The value is a UNIX timestamp. Unit: seconds.

1624434027

event_type

The type of an event. Valid values:

  • mitigation_begin: A traffic scrubbing event begins.

  • mitigation_ended: A traffic scrubbing event ends.

  • blackhole_begin: A blackhole filtering event begins.

  • blackhole_ended: A blackhole filtering event ends.

mitigation_begin

instance_id

The ID of the Anti-DDoS Origin instance.

ddosbgp-cn-n6w203qg****

ip

The IP address of an asset that is protected by the Anti-DDoS Origin instance.

39.XX.XX.23

kbps_in

The bandwidth of inbound traffic. Unit: Kbit/s.

1000

new_con

The number of new connections.

1000

pps_in

The packet forwarding rate of inbound traffic. Unit: packets per second.

1000

qps

The queries per second (QPS). Unit: QPS.

1000

scrubbing_center

The region where the traffic scrubbing center resides. Valid values:

  • us_west: US (Virginia)

  • us_east: US (Silicon Valley)

  • frankfurt: Germany (Frankfurt)

  • hk: China (Hong Kong)

  • singapore: Singapore

  • malaysia: Malaysia (Kuala Lumpur)

  • uk: UK (London)

  • japan: Japan (Tokyo)

  • total_summary: all regions

  • assets_base_region: the region where the asset resides

us_west

subnet

The CIDR block for traffic rerouting.

1.XX.XX.1/24

user_id

The ID of the Alibaba Cloud account.

170457416359****
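
Added example, not part of the original page and not Alibaba Cloud code: one way to turn the event fields above into incident windows by pairing each begin entry with its ended entry per protected IP address. It assumes the entries are available as one JSON object per line keyed by the field names in the table; the sample entries, IP addresses and instance ID are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample entries, not real logs. One JSON object per line is an assumption.
SAMPLE = """\
{"data_type":"event","event_type":"mitigation_begin","event_time":1624434027,"instance_id":"ddosbgp-example-1","ip":"203.0.113.10","kbps_in":850000}
{"data_type":"event","event_type":"blackhole_begin","event_time":1624434090,"instance_id":"ddosbgp-example-1","ip":"203.0.113.10","kbps_in":4200000}
{"data_type":"event","event_type":"mitigation_ended","event_time":1624434627,"instance_id":"ddosbgp-example-1","ip":"203.0.113.10","kbps_in":900}
{"data_type":"event","event_type":"mitigation_ended","event_time":1624434700,"instance_id":"ddosbgp-example-1","ip":"203.0.113.20","kbps_in":10}
"""

def utc(ts):
    """Render a UNIX timestamp in seconds as a UTC string."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")

def pair_events(lines):
    """Match *_begin with *_ended per (instance_id, ip, event kind).

    Returns (windows, still_open, orphans): closed events with their duration,
    begins with no end yet, and ends whose begin is missing from the input.
    """
    events = [json.loads(line) for line in lines if line.strip()]
    events = [e for e in events if e.get("data_type") == "event"]
    pending, windows, orphans = {}, [], []
    for e in sorted(events, key=lambda e: int(e["event_time"])):
        kind, _, phase = e["event_type"].rpartition("_")  # "mitigation", "_", "begin"
        key = (e["instance_id"], e["ip"], kind)
        if phase == "begin":
            pending.setdefault(key, e)  # a repeated begin keeps the earliest start
        elif phase == "ended":
            start = pending.pop(key, None)
            if start is None:
                orphans.append(e)  # log gap, or the export starts mid-event
                continue
            windows.append({
                "ip": e["ip"], "kind": kind, "start": utc(start["event_time"]),
                "duration_s": int(e["event_time"]) - int(start["event_time"]),
                "kbps_in_at_begin": int(start["kbps_in"]),
            })
    return windows, list(pending.values()), orphans

if __name__ == "__main__":
    windows, still_open, orphans = pair_events(SAMPLE.splitlines())
    for w in windows:
        print("closed :", w)
    for e in still_open:
        print("open   :", e["ip"], e["event_type"], "since", utc(e["event_time"]))
    for e in orphans:
        print("orphan :", e["ip"], e["event_type"], "at", utc(e["event_time"]))
```

A begin entry with no matching ended entry is either an event still in progress or an end that falls outside the exported time range, so widen the query before treating it as ongoing.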

Traffic detection fields

Field

Description

Example value

Ip

The source IP address.

1.XX.XX.1

Time

The point in time at which the log entry about traffic detection was generated. The value is a UNIX timestamp. Unit: seconds.

1624434027

KbpsIn

The bandwidth of inbound traffic at the point in time. Unit: Kbit/s.

1000

KbpsOut

The bandwidth of outbound traffic at the point in time. Unit: Kbit/s.

1000

PpsIn

The forwarding rate of all inbound packets at the point in time. Unit: packets per second.

1000

PpsOut

The forwarding rate of all outbound packets at the point in time. Unit: packets per second.

1000

PpsInSyn

The forwarding rate of inbound SYN packets at the point in time. Unit: packets per second.

1000

PpsInSynack

The forwarding rate of inbound SYN-ACK packets at the point in time. Unit: packets per second.

1000

PpsInFin

The forwarding rate of inbound FIN or RST packets at the point in time. Unit: packets per second.

1000

PpsInHttpReq

The forwarding rate of inbound TCP packets at the point in time. Unit: packets per second. The TCP packets must meet all the following conditions:

  • The TCP packets are not SYN, SYN-ACK, FIN, or RST packets.

  • The source or destination port is 80, 3128, 8080, or 8088.

  • The TCP packets contain payloads. The first few bytes of the payloads in HTTP packets are GET, PUT, HEAD, or POST.

1000

PpsInHttpResp

The forwarding rate of inbound TCP packets at the point in time. Unit: packets per second. The TCP packets must meet all the following conditions:

  • The TCP packets are not SYN, SYN-ACK, FIN, or RST packets.

  • The source or destination port is 80, 3128, 8080, or 8088.

  • The TCP packets contain payloads. The first four bytes of the payloads in HTTP packets are HTTP.

1000

PpsInHttpFlags

The forwarding rate of inbound TCP-ACK packets at the point in time. Unit: packets per second. The TCP-ACK packets are not SYN, SYN-ACK, FIN, or RST packets.

1000

PpsInIcmp

The forwarding rate of inbound ICMP packets at the point in time. Unit: packets per second.

1000

PpsInDns

The forwarding rate of inbound DNS packets at the point in time. Unit: packets per second. The DNS packets are forwarded over UDP, and the source or destination port of the packets is 53.

1000

PpsInUdprisk

The forwarding rate of packets that use a vulnerable source UDP port at the point in time. Unit: packets per second.

1000

PpsInUdpunknown

The forwarding rate of inbound UDP packets at the point in time. Unit: packets per second. This rate does not include the packets counted by the PpsInDns field: the packets are forwarded over UDP, but the source or destination port of the packets is not 53.

1000

Traffic scrubbing fields

Field

Description

Example value

instance_id

The ID of the Anti-DDoS Origin instance.

ddosbgp-cn-v641is26****

time

The point in time at which the log entry about traffic scrubbing was generated. The value is a UNIX timestamp. Unit: seconds.

1624434027

destination_ip

The destination IP address.

123.XX.XX.169

port

The destination port. Valid values:

  • all (default): indicates the data of all ports.

  • Specific port: indicates the data of a specific port, such as port 80.

80

total_traffic_in_bps

The total number of bytes in all types of packets that are scrubbed. Unit: bytes per second.

8000

total_traffic_drop_bps

The total number of bytes of all types of packets that are scrubbed and discarded. Unit: bytes per second.

800

total_traffic_in_pps

The forwarding rate of all types of inbound packets. Unit: packets per second.

1000

total_traffic_drop_pps

The forwarding rate of all types of packets that are discarded. Unit: packets per second.

1000

pps_types_in_tcp_pps

The forwarding rate of inbound TCP packets. Unit: packets per second.

100

pps_types_in_udp_pps

The forwarding rate of inbound UDP packets. Unit: packets per second.

1000

pps_types_in_icmp_pps

The forwarding rate of inbound ICMP packets. Unit: packets per second.

1000

pps_types_in_syn_pps

The forwarding rate of inbound SYN packets. Unit: packets per second.

1000

pps_types_in_ack_pps

The forwarding rate of inbound ACK packets. Unit: packets per second.

1000

pps_types_in_synack_pps

The forwarding rate of inbound SYN-ACK packets. Unit: packets per second.

1000

pps_types_in_finrst_pps

The forwarding rate of inbound FIN or RST packets. Unit: packets per second.

1000

pps_types_in_dns_pps

The forwarding rate of inbound DNS packets. Unit: packets per second.

1000

pps_types_drop_tcp_pps

The forwarding rate of the TCP packets that are discarded. Unit: packets per second.

1000

pps_types_drop_udp_pps

The forwarding rate of the UDP packets that are discarded. Unit: packets per second.

1000

pps_types_drop_icmp_pps

The forwarding rate of the ICMP packets that are discarded. Unit: packets per second.

1100

pps_types_drop_syn_pps

The forwarding rate of the SYN packets that are discarded. Unit: packets per second.

1000

pps_types_drop_ack_pps

The forwarding rate of the ACK packets that are discarded. Unit: packets per second.

1000

pps_types_drop_synack_pps

The forwarding rate of the SYN-ACK packets that are discarded. Unit: packets per second.

1000

pps_types_finrst

The forwarding rate of the FIN or RST packets that are discarded. Unit: packets per second.

1000

pps_types_dns

The forwarding rate of the DNS packets that are discarded. Unit: packets per second.

1000

policy_packet_checking_acct_pps

The forwarding rate of the packets that are allowed by the default packet checking policy. Unit: packets per second.

1000

policy_packet_checking_drop_pps

The forwarding rate of the packets that are denied by the default packet checking policy. Unit: packets per second.

1000

policy_dns_retransmission_authentication_drop_pps

The forwarding rate of the packets that are denied by the default first-packet-dropping policy of a domain name. Unit: packets per second.

1000

policy_dns_retransmission_authentication_acct_pps

The forwarding rate of the packets that are allowed by the default first-packet-dropping policy of a domain name. Unit: packets per second.

100

policy_source_ip_authentication_succeed_pps

The forwarding rate of the packets that pass the check by the default source IP address-based authentication policy. Unit: packets per second.

1000

policy_source_ip_authentication_checked_pps

The forwarding rate of the packets that are being checked by the default source IP address-based authentication policy. Unit: packets per second.

1000

policy_source_ip_authentication_acct_pps

The forwarding rate of the packets that are allowed by the default source IP address-based authentication policy. Unit: packets per second.

1000

policy_source_ip_authentication_drop_pps

The forwarding rate of the packets that are denied by the default source IP address-based authentication policy. Unit: packets per second.

1000

policy_source_ip_rate_limitation_drop_syn_pps

The forwarding rate of the SYN packets that are denied by the default source IP address-based rate limiting policy. Unit: packets per second.

1000

policy_source_ip_rate_limitation_drop_con_max_pps

The forwarding rate of the packets that are denied by the default source IP address-based rate limiting policy for concurrent connections. The packets are denied because the number of concurrent connections initiated from the source IP addresses exceeds the maximum number of concurrent connections allowed in the policy. Unit: packets per second.

1000

policy_source_ip_rate_limitation_drop_con_rate_pps

The forwarding rate of the packets that are denied by the default source IP address-based rate limiting policy for concurrent connections. The packets are denied because the connection rate of concurrent connections initiated from the source IP addresses exceeds the maximum connection rate allowed in the policy. Unit: packets per second.

1000

policy_source_ip_rate_limitation_drop_udp_rate_pps

The forwarding rate of the packets that are denied by the default source IP address-based rate limiting policy for UDP packets. Unit: packets per second.

1000

policy_source_ip_rate_limitation_drop_tcpack_rate_pps

The forwarding rate of the packets that are denied by the default source IP address-based rate limiting policy for ACK packets. Unit: packets per second.

1000

policy_source_ip_rate_limitation_drop_tcpsynack_rate_pps

The forwarding rate of the packets that are denied by the default source IP address-based rate limiting policy for SYN-ACK packets. Unit: packets per second.

1000

policy_destination_ip_rate_limitation_drop_syn_rate

The forwarding rate of the SYN packets that are denied by the default destination IP address-based rate limiting policy. Unit: packets per second.

1000

policy_destination_ip_rate_limitation_drop_udp_rate

The forwarding rate of the UDP packets that are denied by the default destination IP address-based rate limiting policy. Unit: packets per second.

1000

policy_destination_ip_rate_limitation_drop_ack_rate

The forwarding rate of the ACK packets that are denied by the default destination IP address-based rate limiting policy. Unit: packets per second.

1000

policy_destination_ip_rate_limitation_drop_icmp_rate

The forwarding rate of the ICMP packets that are denied by the default destination IP address-based rate limiting policy. Unit: packets per second.

1000

policy_destination_ip_rate_limitation_drop_other_rate

The forwarding rate of the packets that are denied by the default destination IP address-based rate limiting policy. Unit: packets per second. The packets exclude UDP, ICMP, TCP-SYN, TCP-SYN-ACK, and TCP-ACK packets.

1000

policy_destination_ip_rate_limitation_drop_synack_rate

The forwarding rate of the SYN-ACK packets that are denied by the default destination IP address-based rate limiting policy. Unit: packets per second.

1000

policy_layer_4_filter_l4_filiter_drop_pps

The forwarding rate of the packets that are denied by all fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policies in Mitigation Settings.

1000

policy_layer_4_filter_l4_filiter_acct_num

The forwarding rate of the packets that are allowed by all the policies in the module of fingerprint filtering policies. Unit: packets per second. You can customize the module of fingerprint filtering policies in Mitigation Settings.

1000

policy_layer_4_filter_l4_filite_drop_rule_1_pps

The forwarding rate of the packets that are denied by the first fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

1000

policy_layer_4_filter_l4_filite_drop_rule_2_pps

The forwarding rate of the packets that are denied by the second fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

1000

policy_layer_4_filter_l4_filite_drop_rule_3_pps

The forwarding rate of the packets that are denied by the third fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

1000

policy_layer_4_filter_l4_filite_drop_rule_4_pps

The forwarding rate of the packets that are denied by the fourth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

1000

policy_layer_4_filter_l4_filite_drop_rule_5_pps

The forwarding rate of the packets that are denied by the fifth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

1000

policy_layer_4_filter_l4_filite_drop_rule_6_pps

The forwarding rate of the packets that are denied by the sixth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

1000

policy_layer_4_filter_l4_filite_drop_rule_7_pps

The forwarding rate of the packets that are denied by the seventh fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

1000

policy_layer_4_filter_l4_filite_drop_rule_8_pps

The forwarding rate of the packets that are denied by the eighth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

1000

policy_dns_domain_authentication_succ_domain_pps

The forwarding rate of the packets that pass the check based on the default domain-based authentication policy. Unit: packets per second.

1000

policy_dns_domain_authentication_fail_domain_pps

The forwarding rate of the packets that fail the check based on the default domain-based authentication policy. Unit: packets per second.

1000

policy_dns_domain_authentication_drop_pps

The forwarding rate of the packets that are denied by the default domain-based authentication policy. Unit: packets per second.

1000

policy_dns_domain_authentication_acct_pps

The forwarding rate of the packets that are allowed by the default domain-based authentication policy. Unit: packets per second.

1000

policy_syn_cookie_succ_check_pps

The forwarding rate of the packets that pass the check based on the default SYN cookie-based policy. Unit: packets per second.

1000

policy_syn_cookie_fail_check_pps

The forwarding rate of the packets that fail the check based on the default SYN cookie-based policy. Unit: packets per second.

1000

policy_syn_cookie_drop_pps

The forwarding rate of the packets that are denied by the default SYN cookie-based policy. Unit: packets per second.

1000

policy_syn_cookie_rebound_check_pps

The forwarding rate of the packets that are reversely verified by the default SYN cookie-based policy. Unit: packets per second.

1000

policy_syn_cookie_acct_pps

The forwarding rate of the packets that are allowed by the default SYN cookie-based policy. Unit: packets per second.

1000

policy_udp_defense_drop_pps

The forwarding rate of the packets that are denied by the default UDP protection policy. Unit: packets per second.

1000

policy_antiothertcp_drop_pps

The forwarding rate of the packets that are denied by other default TCP protection policies. Unit: packets per second.

1000

policy_antiothertcp_acct_pps

The forwarding rate of the packets that are allowed by other default TCP protection policies. Unit: packets per second.

1000

policy_antitcp_drop_tcp_pps

The forwarding rate of all TCP packets that are denied by the default TCP protection policy. Unit: packets per second.

1000

policy_antitcp_drop_ack_pps

The forwarding rate of all ACK packets that are denied by the default TCP protection policy. Unit: packets per second.

1000

policy_retransmission_authentication_acct_pps

The forwarding rate of the packets that are allowed by the default first-packet-dropping policy. Unit: packets per second.

1000

policy_retransmission_authentication_drop_pps

The forwarding rate of the packets that are denied by the default first-packet-dropping policy. Unit: packets per second.

1000
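
Added example, not part of the original page and not Alibaba Cloud code: a summary of one traffic scrubbing entry that computes the share of inbound packets discarded and ranks the policy drop counters. It assumes the entry has already been parsed into a dictionary keyed by the field names above and that values may arrive as strings; the sample record is constructed. Drop counters are matched on "_drop_" rather than on a "_pps" suffix because some documented names end in "_rate", and the per-rule fingerprint counters are kept out of the ranking because the page describes l4_filiter_drop_pps as the count for all fingerprint filtering policies.

```python
import re

# Constructed sample record, not a real log. Key names are the ones documented above.
SAMPLE = {
    "instance_id": "ddosbgp-example-1", "time": "1624434027",
    "destination_ip": "203.0.113.10", "port": "all",
    "total_traffic_in_pps": "500000", "total_traffic_drop_pps": "450000",
    "policy_syn_cookie_drop_pps": "300000",
    "policy_syn_cookie_acct_pps": "20000",
    "policy_udp_defense_drop_pps": "90000",
    "policy_destination_ip_rate_limitation_drop_syn_rate": "15000",
    "policy_layer_4_filter_l4_filiter_drop_pps": "45000",
    "policy_layer_4_filter_l4_filite_drop_rule_1_pps": "40000",
    "policy_layer_4_filter_l4_filite_drop_rule_2_pps": "5000",
}

# Per-rule fingerprint counters (rule_1 to rule_8 in the table above).
PER_RULE = re.compile(r"_drop_rule_(\d+)_pps$")

def num(record, key):
    """Counter as int; missing, empty or non-numeric values count as 0."""
    try:
        return int(float(record.get(key) or 0))
    except (TypeError, ValueError):
        return 0

def drop_ratio(record):
    """Share of inbound packets discarded, or None when nothing was received."""
    total = num(record, "total_traffic_in_pps")
    return num(record, "total_traffic_drop_pps") / total if total else None

def drops_by_policy(record):
    """Non-zero policy drop counters, largest first, without the per-rule rows."""
    rows = [(k, num(record, k)) for k in record
            if k.startswith("policy_") and "_drop_" in k and not PER_RULE.search(k)]
    return sorted((r for r in rows if r[1] > 0), key=lambda r: (-r[1], r[0]))

def fingerprint_rules(record):
    """Non-zero per-rule fingerprint drops, keyed by rule number."""
    out = {}
    for k in record:
        m = PER_RULE.search(k)
        if m and num(record, k) > 0:
            out[int(m.group(1))] = num(record, k)
    return out

if __name__ == "__main__":
    print("drop ratio:", drop_ratio(SAMPLE))
    for name, pps in drops_by_policy(SAMPLE):
        print(f"{pps:>8} pps  {name}")
    print("fingerprint rules:", fingerprint_rules(SAMPLE))
```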
