Anti-DDoS Origin logs contain two categories of fields: event fields and traffic scrubbing fields. Event fields capture what happened and when — a scrubbing session started or stopped, or blackhole filtering was triggered. Traffic scrubbing fields capture packet-level statistics for what each mitigation policy allowed or denied during a scrubbing session.
Event fields
Event logs are generated when a protected asset experiences a state change: a scrubbing session begins or ends, or blackhole filtering is activated or lifted. Each log entry contains the following fields.
| Field | Description | Example value |
|---|---|---|
data_type | The data type. Values: Global_SC_Detection (traffic forwarded by the Anti-DDoS Proxy scrubbing center, protected by a diversion instance), Global_SC_Mitigation (traffic scrubbed by the Anti-DDoS Proxy scrubbing center, protected by a diversion instance), Regional_SC_Detection (inbound traffic in the region where Alibaba Cloud assets reside), Regional_SC_Mitigation (scrubbed traffic in the region where Alibaba Cloud assets reside), event (attack event data). | Regional_SC_Mitigation |
event_time | The time at which the event occurred, as a UNIX timestamp. Unit: seconds. | 1624434027 |
event_type | The type of event. Values: mitigation_begin (a traffic scrubbing event begins), mitigation_ended (a traffic scrubbing event ends), blackhole_begin (a blackhole filtering event begins), blackhole_ended (a blackhole filtering event ends). | mitigation_begin |
instance_id | The ID of the Anti-DDoS Origin instance. | ddosbgp-cn-n6w203qg**** |
ip | The IP address of the asset protected by the Anti-DDoS Origin instance. | 39.XX.XX.23 |
kbps_in | The bandwidth of inbound traffic. Unit: Kbit/s. | 1000 |
new_con | The number of new connections. | 1000 |
pps_in | The packet forwarding rate of inbound traffic. Unit: packets per second. | 1000 |
qps | The queries per second (QPS). Unit: QPS. | 1000 |
scrubbing_center | The region where the traffic scrubbing center resides. Values: us_west (US (Virginia)), us_east (US (Silicon Valley)), frankfurt (Germany (Frankfurt)), hk (China (Hong Kong)), singapore (Singapore), malaysia (Malaysia (Kuala Lumpur)), uk (UK (London)), japan (Japan (Tokyo)), total_summary (all regions), assets_base_region (the region where the asset resides). | us_west |
subnet | The CIDR block used for traffic rerouting. | 1.XX.XX.1/24 |
uid | The ID of the Alibaba Cloud account. | 170457416359**** |
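
The begin/ended event types above can be paired into sessions per protected asset. The following is an added example, not code from the Anti-DDoS Origin documentation. It assumes the event logs have already been parsed into dictionaries keyed by the field names in the table; `pair_events`, `BEGIN_FOR` and the sample entries are hypothetical.

```python
BEGIN_FOR = {"mitigation_ended": "mitigation_begin",
             "blackhole_ended": "blackhole_begin"}

def pair_events(entries):
    """Pair begin/ended event logs per (instance_id, ip) into sessions.

    Returns (sessions, still_open, orphans): closed sessions with duration,
    begins with no matching end yet, and ends whose begin was never seen.
    """
    open_since = {}            # (instance_id, ip, begin_type) -> start time
    sessions, orphans = [], []
    events = [e for e in entries if "event_type" in e]
    for e in sorted(events, key=lambda e: int(e["event_time"])):
        etype, ts = e["event_type"], int(e["event_time"])
        asset = (e["instance_id"], e["ip"])
        if etype in BEGIN_FOR.values():
            # A repeated begin keeps the earliest start time.
            open_since.setdefault(asset + (etype,), ts)
        elif etype in BEGIN_FOR:
            start = open_since.pop(asset + (BEGIN_FOR[etype],), None)
            if start is None:
                orphans.append(e)   # begin fell outside the queried window
            else:
                sessions.append({"asset": asset, "kind": etype.split("_")[0],
                                 "start": start, "duration_s": ts - start})
    still_open = [{"asset": k[:2], "kind": k[2].split("_")[0], "start": v}
                  for k, v in open_since.items()]
    return sessions, still_open, orphans

# Constructed sample entries (placeholder instance ID, documentation-range IPs).
SAMPLE = [
    {"event_type": "mitigation_begin", "event_time": "1624434027",
     "instance_id": "ddosbgp-example-0001", "ip": "203.0.113.10"},
    {"event_type": "blackhole_begin", "event_time": "1624434327",
     "instance_id": "ddosbgp-example-0001", "ip": "203.0.113.10"},
    {"event_type": "mitigation_ended", "event_time": "1624434927",
     "instance_id": "ddosbgp-example-0001", "ip": "203.0.113.10"},
    {"event_type": "blackhole_ended", "event_time": "1624435000",
     "instance_id": "ddosbgp-example-0001", "ip": "203.0.113.20"},
]

if __name__ == "__main__":
    closed, still_open, orphans = pair_events(SAMPLE)
    print(closed, still_open, orphans, sep="\n")
```

An asset left in `still_open` with kind `blackhole` is still unreachable from the internet, which makes that list the one to alert on.
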
Traffic scrubbing fields
Traffic scrubbing logs record packet statistics for each scrubbing session. Each log entry captures traffic at a point in time for a specific destination IP address and port. The fields are organized into three groups: overall traffic totals, per-protocol breakdowns, and per-policy drop and allow counts.
Overall traffic
| Field | Description | Example value |
|---|---|---|
time | The time at which the log entry was generated, as a UNIX timestamp. Unit: seconds. | 1624434027 |
destination_ip | The destination IP address. | 123.XX.XX.169 |
port | The destination port. all (default) covers all ports. A specific value such as 80 covers that port only. | 80 |
total_traffic_in_bps | Total bytes per second of all inbound packet types reaching the scrubbing center. Unit: bytes per second. | 8000 |
total_traffic_drop_bps | Total bytes per second of all packet types that were discarded. Unit: bytes per second. | 800 |
total_traffic_in_pps | Forwarding rate of all inbound packet types. Unit: packets per second. | 1000 |
total_traffic_drop_pps | Forwarding rate of all discarded packet types. Unit: packets per second. | 1000 |
Per-protocol traffic
These fields break down inbound and discarded traffic by protocol or TCP flag type.
| Field | Description | Example value |
|---|---|---|
pps_types_in_tcp_pps | Forwarding rate of inbound TCP packets. Unit: packets per second. | 100 |
pps_types_in_udp_pps | Forwarding rate of inbound UDP packets. Unit: packets per second. | 1000 |
pps_types_in_icmp_pps | Forwarding rate of inbound ICMP packets. Unit: packets per second. | 1000 |
pps_types_in_syn_pps | Forwarding rate of inbound SYN packets. Unit: packets per second. | 1000 |
pps_types_in_ack_pps | Forwarding rate of inbound ACK packets. Unit: packets per second. | 1000 |
pps_types_in_synack_pps | Forwarding rate of inbound SYN-ACK packets. Unit: packets per second. | 1000 |
pps_types_in_finrst_pps | Forwarding rate of inbound FIN or RST packets. Unit: packets per second. | 1000 |
pps_types_in_dns_pps | Forwarding rate of inbound DNS packets. Unit: packets per second. | 1000 |
pps_types_drop_tcp_pps | Forwarding rate of discarded TCP packets. Unit: packets per second. | 1000 |
pps_types_drop_udp_pps | Forwarding rate of discarded UDP packets. Unit: packets per second. | 1000 |
pps_types_drop_icmp_pps | Forwarding rate of discarded ICMP packets. Unit: packets per second. | 1100 |
pps_types_drop_syn_pps | Forwarding rate of discarded SYN packets. Unit: packets per second. | 1000 |
pps_types_drop_ack_pps | Forwarding rate of discarded ACK packets. Unit: packets per second. | 1000 |
pps_types_drop_synack_pps | Forwarding rate of discarded SYN-ACK packets. Unit: packets per second. | 1000 |
pps_types_finrst | Forwarding rate of discarded FIN or RST packets. Unit: packets per second. | 1000 |
pps_types_dns | Forwarding rate of discarded DNS packets. Unit: packets per second. | 1000 |
Per-policy traffic
Each field records the forwarding rate of traffic that a specific default mitigation policy allowed or denied. Policies are organized by type below.
Packet checking
| Field | Description | Example value |
|---|---|---|
policy_packet_checking_acct_pps | Packets allowed by the default packet checking policy. Unit: packets per second. | 1000 |
policy_packet_checking_drop_pps | Packets denied by the default packet checking policy. Unit: packets per second. | 1000 |
Source IP address-based authentication
| Field | Description | Example value |
|---|---|---|
policy_source_ip_authentication_checked_pps | Packets currently being checked by the default source IP address-based authentication policy. Unit: packets per second. | 1000 |
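policy_dns_domain_authentication_rebound_check_pps | Packets verified through redirection by the default domain-based authentication policy. Unit: packets per second. | 1000 |
policy_source_ip_authentication_rebound_check_pps | Packets reversely verified by the default source IP address-based authentication policy. Unit: packets per second. | 1000 |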
policy_source_ip_authentication_succeed_pps | Packets that passed the default source IP address-based authentication policy check. Unit: packets per second. | 1000 |
policy_source_ip_authentication_acct_pps | Packets allowed by the default source IP address-based authentication policy. Unit: packets per second. | 1000 |
policy_source_ip_authentication_drop_pps | Packets denied by the default source IP address-based authentication policy. Unit: packets per second. | 1000 |
Source IP address-based rate limiting
| Field | Description | Example value |
|---|---|---|
policy_source_ip_rate_limitation_drop_syn_pps | SYN packets denied by the default source IP address-based rate limiting policy. Unit: packets per second. | 1000 |
policy_source_ip_rate_limitation_drop_con_max_pps | Packets denied because the number of concurrent connections from the source IP address exceeded the maximum allowed by the default source IP address-based rate limiting policy. Unit: packets per second. | 1000 |
policy_source_ip_rate_limitation_drop_con_rate_pps | Packets denied because the connection rate from the source IP address exceeded the maximum allowed by the default source IP address-based rate limiting policy. Unit: packets per second. | 1000 |
policy_source_ip_rate_limitation_drop_udp_rate_pps | UDP packets denied by the default source IP address-based rate limiting policy. Unit: packets per second. | 1000 |
policy_source_ip_rate_limitation_drop_tcpack_rate_pps | ACK packets denied by the default source IP address-based rate limiting policy. Unit: packets per second. | 1000 |
policy_source_ip_rate_limitation_drop_tcpsynack_rate_pps | SYN-ACK packets denied by the default source IP address-based rate limiting policy. Unit: packets per second. | 1000 |
Destination IP address-based rate limiting
| Field | Description | Example value |
|---|---|---|
policy_destination_ip_rate_limitation_drop_syn_rate | SYN packets denied by the default destination IP address-based rate limiting policy. Unit: packets per second. | 1000 |
policy_destination_ip_rate_limitation_drop_udp_rate | UDP packets denied by the default destination IP address-based rate limiting policy. Unit: packets per second. | 1000 |
policy_destination_ip_rate_limitation_drop_ack_rate | ACK packets denied by the default destination IP address-based rate limiting policy. Unit: packets per second. | 1000 |
policy_destination_ip_rate_limitation_drop_icmp_rate | ICMP packets denied by the default destination IP address-based rate limiting policy. Unit: packets per second. | 1000 |
policy_destination_ip_rate_limitation_drop_synack_rate | SYN-ACK packets denied by the default destination IP address-based rate limiting policy. Unit: packets per second. | 1000 |
policy_destination_ip_rate_limitation_drop_other_rate | Packets denied by the default destination IP address-based rate limiting policy, excluding UDP, ICMP, TCP-SYN, TCP-SYN-ACK, and TCP-ACK packets. Unit: packets per second. | 1000 |
Fingerprint filtering
Fingerprint filtering policies can be customized in Mitigation Settings.
| Field | Description | Example value |
|---|---|---|
policy_layer_4_filter_l4_filiter_drop_pps | Packets denied by all fingerprint filtering policies combined. Unit: packets per second. | 1000 |
policy_layer_4_filter_l4_filiter_acct_num | Packets allowed by all fingerprint filtering policies combined. Unit: packets per second. | 1000 |
policy_layer_4_filter_l4_filite_drop_rule_1_pps | Packets denied by the first fingerprint filtering policy. Unit: packets per second. | 1000 |
policy_layer_4_filter_l4_filite_drop_rule_2_pps | Packets denied by the second fingerprint filtering policy. Unit: packets per second. | 1000 |
policy_layer_4_filter_l4_filite_drop_rule_3_pps | Packets denied by the third fingerprint filtering policy. Unit: packets per second. | 1000 |
policy_layer_4_filter_l4_filite_drop_rule_4_pps | Packets denied by the fourth fingerprint filtering policy. Unit: packets per second. | 1000 |
policy_layer_4_filter_l4_filite_drop_rule_5_pps | Packets denied by the fifth fingerprint filtering policy. Unit: packets per second. | 1000 |
policy_layer_4_filter_l4_filite_drop_rule_6_pps | Packets denied by the sixth fingerprint filtering policy. Unit: packets per second. | 1000 |
policy_layer_4_filter_l4_filite_drop_rule_7_pps | Packets denied by the seventh fingerprint filtering policy. Unit: packets per second. | 1000 |
policy_layer_4_filter_l4_filite_drop_rule_8_pps | Packets denied by the eighth fingerprint filtering policy. Unit: packets per second. | 1000 |
First-packet-dropping (TCP)
| Field | Description | Example value |
|---|---|---|
policy_retransmission_authentication_acct_pps | Packets allowed by the default first-packet-dropping policy. Unit: packets per second. | 1000 |
policy_retransmission_authentication_drop_pps | Packets denied by the default first-packet-dropping policy. Unit: packets per second. | 1000 |
First-packet-dropping (DNS)
| Field | Description | Example value |
|---|---|---|
policy_dns_retransmission_authentication_acct_pps | Packets allowed by the default first-packet-dropping policy for domain names. Unit: packets per second. | 100 |
policy_dns_retransmission_authentication_drop_pps | Packets denied by the default first-packet-dropping policy for domain names. Unit: packets per second. | 1000 |
Domain-based authentication
| Field | Description | Example value |
|---|---|---|
policy_dns_domain_authentication_succ_domain_pps | Packets that passed the default domain-based authentication policy check. Unit: packets per second. | 1000 |
policy_dns_domain_authentication_fail_domain_pps | Packets that failed the default domain-based authentication policy check. Unit: packets per second. | 1000 |
policy_dns_domain_authentication_acct_pps | Packets allowed by the default domain-based authentication policy. Unit: packets per second. | 1000 |
policy_dns_domain_authentication_drop_pps | Packets denied by the default domain-based authentication policy. Unit: packets per second. | 1000 |
SYN cookie
| Field | Description | Example value |
|---|---|---|
policy_syn_cookie_succ_check_pps | Packets that passed the default SYN cookie-based policy check. Unit: packets per second. | 1000 |
policy_syn_cookie_fail_check_pps | Packets that failed the default SYN cookie-based policy check. Unit: packets per second. | 1000 |
policy_syn_cookie_rebound_check_pps | Packets reversely verified by the default SYN cookie-based policy. Unit: packets per second. | 1000 |
policy_syn_cookie_acct_pps | Packets allowed by the default SYN cookie-based policy. Unit: packets per second. | 1000 |
policy_syn_cookie_drop_pps | Packets denied by the default SYN cookie-based policy. Unit: packets per second. | 1000 |
UDP protection
| Field | Description | Example value |
|---|---|---|
policy_udp_defense_in_pps | Inbound packets that matched the default UDP protection policy (UDP packets protected and detected per second). Unit: packets per second. | 1000 |
policy_udp_defense_drop_pps | Packets denied by the default UDP protection policy. Unit: packets per second. | 1000 |
DNS protection
| Field | Description | Example value |
|---|---|---|
policy_dns_ipdomain_rate_limitation_drop_over_rate_limitation_pps | Packets discarded due to rate limits triggered by IP address or domain name in traffic that matched the default DNS protection policy. Unit: packets per second. | 1000 |
TCP protection
| Field | Description | Example value |
|---|---|---|
policy_antitcp_in_pps | Total rate of TCP packets that matched the TCP protection policy. Unit: packets per second. | 1000 |
policy_antitcp_drop_tcp_pps | All TCP packets denied by the default TCP protection policy. Unit: packets per second. | 1000 |
policy_antitcp_drop_ack_pps | ACK packets denied by the default TCP protection policy. Unit: packets per second. | 1000 |
policy_antitcp_drop_pushack_pps | PUSHACK packets denied by the default TCP protection policy. Unit: packets per second. | 1000 |
policy_antiothertcp_session_cre_num_syn_pps | Rate of sessions created by the TCP protection policy using SYN packets. Unit: packets per second. | 1000 |
policy_antiothertcp_session_cre_num_ack_pps | Rate of sessions created by the TCP protection policy using ACK packets. Unit: packets per second. | 1000 |
policy_antiothertcp_succ_auth_num_syn_pps | Rate of packets authenticated after a session was created by the TCP protection policy using SYN. Unit: packets per second. | 1000 |
policy_antiothertcp_succ_auth_num_ack_pps | Rate of packets authenticated after a session was created by the TCP protection policy using ACK. Unit: packets per second. | 1000 |
policy_antiothertcp_acct_pps | Packets allowed by other default TCP protection policies. Unit: packets per second. | 1000 |
policy_antiothertcp_drop_pps | Packets denied by other default TCP protection policies. Unit: packets per second. | 1000 |
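
To see which mitigation policy accounts for most of the drops at the peak of a scrubbing session, the overall totals and the per-policy drop counters can be combined. The following is an added example, not code from the Anti-DDoS Origin documentation. It assumes entries are already parsed into dictionaries keyed by the field names above, and treating `policy_antitcp_drop_tcp_pps` as a total over the other TCP protection drop counters is an assumption; the function names and sample values are hypothetical.

```python
# Counters the tables describe as totals over other listed fields; ranking
# them beside their components would double count (assumed for the TCP one).
AGGREGATES = {
    "policy_layer_4_filter_l4_filiter_drop_pps",  # all fingerprint rules combined
    "policy_antitcp_drop_tcp_pps",                # all TCP drops of that policy
}

def top_drop_policies(entry, top=3):
    """Rank the non-zero per-policy drop counters of one log entry."""
    drops = {k: int(v) for k, v in entry.items()
             if k.startswith("policy_") and "_drop_" in k
             and k not in AGGREGATES and int(v) > 0}
    return sorted(drops.items(), key=lambda kv: (-kv[1], kv[0]))[:top]

def peak_by_target(entries):
    """Per (destination_ip, port), describe the entry with the highest drop rate."""
    peaks = {}
    for e in entries:
        key = (e["destination_ip"], str(e["port"]))
        best = peaks.get(key)
        if best is None or int(e["total_traffic_drop_pps"]) > int(best["total_traffic_drop_pps"]):
            peaks[key] = e
    report = {}
    for key, e in peaks.items():
        in_pps, drop = int(e["total_traffic_in_pps"]), int(e["total_traffic_drop_pps"])
        report[key] = {"time": int(e["time"]),
                       "drop_ratio": round(drop / in_pps, 3) if in_pps else 0.0,
                       "top_policies": top_drop_policies(e)}
    return report

# Constructed sample entries (documentation-range IP, made-up rates).
SCRUB_SAMPLE = [
    {"time": "1624434027", "destination_ip": "203.0.113.10", "port": "80",
     "total_traffic_in_pps": "1000", "total_traffic_drop_pps": "200",
     "policy_syn_cookie_drop_pps": "150", "policy_packet_checking_drop_pps": "50"},
    {"time": "1624434087", "destination_ip": "203.0.113.10", "port": "80",
     "total_traffic_in_pps": "5000", "total_traffic_drop_pps": "4000",
     "policy_syn_cookie_drop_pps": "2500",
     "policy_source_ip_rate_limitation_drop_syn_pps": "900",
     "policy_layer_4_filter_l4_filiter_drop_pps": "600",
     "policy_layer_4_filter_l4_filite_drop_rule_1_pps": "600",
     "policy_udp_defense_drop_pps": "0"},
]

if __name__ == "__main__":
    for target, info in peak_by_target(SCRUB_SAMPLE).items():
        print(target, info)
```
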