View annual reports for Anti-DDoS Pro and Anti-DDoS Premium - Anti-DDoS

This topic describes how to view the attack protection reports of Anti-DDoS Pro and Anti-DDoS Premium for the last year.

Report statistics

Timestamp range:
- Anti-DDoS Proxy (Chinese Mainland): Data for dates on or after August 8, 2024 is available.
- Anti-DDoS Proxy (Outside Chinese Mainland): Data for dates on or after September 17, 2025 is available.
Data precision: Attack analysis is based on data sampling. The statistical results may be inaccurate.

View and download statistical reports

Go to the Statistical Reports page of the Traffic Security console.
Select an instance type: Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland).
Select an instance and a domain name, specify a timestamp range, and then click the icon.
Important
Instance and domain name configuration:
- All instances + All domain names: Queries network-layer and application-layer traffic statistics for all services.
- All instances or a specific instance + No domain name: Queries network-layer traffic statistics for the specified instance or instances.
- No instance + All domain names or a specific domain name: Queries application-layer traffic statistics for the specified domain name or domain names.
- Not supported: No instance + No domain name.
- Not supported: Some instances + Some domain names.
In the upper-right corner, click Export Report to export the report in image or PDF format.

Metric descriptions

Overall operational metrics

Metric	Description
Data Metrics	Peak Traffic of Single Attack Event: The peak inbound traffic in bit/s of a single attack event when you compare all network-layer attack events. The peak inbound traffic includes both attack traffic and service traffic. Peak QPS of Single Attack Event: This metric is displayed only if the query includes a domain name. It is the peak queries per second (QPS) of a single attack event when you compare all application-layer attack events. Peak pps of Single Attack Event: The peak inbound traffic in packets per second (pps) of a single attack event when you compare all network-layer attack events. The peak inbound traffic includes both attack traffic and service traffic. Blackhole Filtering Events: This metric is displayed only if the query includes an instance. It is the number of blackhole filtering events that occurred for the selected instance within the specified timestamp range. Blackhole Filtering Duration: This metric is displayed only if the query includes an instance. It is the total duration of all blackhole filtering events that occurred for the selected instance within the specified timestamp range. Anti-DDoS Proxy Protection Duration: The uptime of the current active instance. If multiple instances exist, the longest uptime is displayed.
Traffic Scrubbing Events	The total number and type distribution of all scrubbing events. The types include volumetric, connection flood, and web resource exhaustion. Blackhole filtering events are not included. The displayed data varies based on the query object: If the query includes only an instance: Data for volumetric and connection flood attacks is displayed. If the query includes only a domain name: Data for web resource exhaustion attacks is displayed. If the query includes both an instance and a domain name: Data for volumetric, connection flood, and web resource exhaustion attacks is displayed.
Protected Assets	The total number of protected assets. This data is independent of the specified timestamp range and reflects real-time data from the previous day (T-1). IP: The number of origin IP addresses for port forwarding. Domain name: The number of protected domain names.

Traffic metrics

Metric	Description
Traffic Trend in bit/s	Total inbound traffic: All traffic, in bit/s, from clients to Anti-DDoS Proxy. This includes both normal service traffic and attack traffic. Inbound service traffic: Normal service traffic, in bit/s, from Anti-DDoS Proxy to the origin server. Outbound service traffic: Normal service traffic, in bit/s, from the origin server to Anti-DDoS Proxy. Note If the query includes only a domain name, this data is based on payload statistics. If the query includes an instance, this data is based on network-layer traffic statistics. A drift may exist between network-layer traffic statistics and payload traffic statistics.
Request Trend in QPS	This metric is displayed only if the query includes a domain name. Max Inbound QPS: The queries per second (QPS) from clients to Anti-DDoS Proxy. This includes both attack QPS and clean QPS. Back-to-origin QPS: The QPS from Anti-DDoS Proxy to the origin server.
Top 5 Source Regions of Network Layer Attacks	This metric is displayed only if the query includes an instance. The top five source regions of attacks are ranked by the number of requests from source IPs. China: Statistics are grouped by province. Locations Outside China: Statistics are grouped by country. Statistical logic: In a single attack event, calculate the percentage of requests from each source IP based on the statistical dimension (province or country). Rank the request percentages calculated for all attack events and select the top five. For each province or country, only the highest value is retained. Data from five different provinces or countries is retained.
Top 5 Source Regions of Application Layer Attacks	This metric is displayed only if the query includes a domain name. The top five source regions of attacks are ranked by the number of requests from source IPs, in QPS. China: Statistics are grouped by province. Locations Outside China: Statistics are grouped by country. Statistical logic: In a single attack event, calculate the number of requests from each source IP based on the statistical dimension (province or country). Compare the number of requests calculated for all attack events and select the top five. The QPS values corresponding to the top five are displayed. For each province or country, only the highest value is retained. Data from five different provinces or countries is retained.

Attack distribution

Metric	Description
Attack Type Distribution	The distribution of attacks based on the number of occurrences for each attack type. This includes sub-types of volumetric, connection flood, and web resource exhaustion attacks. Blackhole filtering events are not included.
Top 10 Attack Source ISPs	The distribution of global ISPs for attack sources, based on the number of requests from source IPs in attack events. Attack events include scrubbing events and blackhole filtering events.
Volumetric Attacks by Peak Attack Throughput	The number of events in different peak attack throughput ranges. Blackhole filtering events are not included. The ranges are: 0 Gbps to 30 Gbps, 30 Gbps to 100 Gbps, 100 Gbps to 300 Gbps, 300 Gbps to 600 Gbps, and over 600 Gbps.
Attack Duration Distribution	The number of events in different attack duration ranges. This includes volumetric, connection flood, and web resource exhaustion events. Blackhole filtering events are not included. The ranges are: 0 to 30 minutes, 30 to 60 minutes, 1 to 3 hours, 3 to 12 hours, and over 12 hours.

Attack ranking metrics

Metric	Description
Top 20 Source IP Addresses by Peak Attack Throughput	This metric is displayed only if the query includes an instance. The top 20 source IP addresses with the highest peak attack throughput. The statistical logic is as follows: Based on sampled traffic, rank the source IP addresses in a single attack event by the number of discarded requests. Compare the number of discarded requests across multiple attack events and select the top 20 source IP addresses. For each IP address, only the highest value is retained. A maximum of 20 distinct source IP addresses are displayed.
Top 10 Destination IP Addresses by Peak Attack Throughput	This metric is displayed only if the query includes an instance. The top 10 destination IP addresses with the highest peak attack throughput. The statistical logic is as follows: Based on sampled traffic, rank the destination IP addresses in a single attack event by the peak inbound traffic in bit/s. Compare the peak traffic in bit/s across multiple attack events and select the top 10 destination IP addresses. For each IP address, only the highest peak traffic value is retained. A maximum of 10 distinct destination IP addresses are displayed.
Top 10 Destination Domain Names by Peak Attack Throughput	This metric is displayed only if the query includes a domain name. The top 10 destination domain names with the highest peak attack throughput. The statistical logic is as follows: Based on sampled traffic from a single attack event, rank the destination domain names by peak QPS. Compare the peak QPS across multiple attack events and select the top 10 destination domain names. For each domain name, only the highest peak QPS value is retained. A maximum of 10 distinct destination domain names are displayed.

Protection metrics

Metric

Description

Top 10 Destination Ports by Attack

This metric is displayed only if the query includes an instance.

The top 10 destination ports targeted by attacks. The statistical logic is as follows:

Based on sampled traffic from a single attack event, rank the number of discarded requests by destination (IP address and port).
Compare the number of discarded requests across multiple attack events and select the top 10 destinations. For each destination, only the highest value is retained. A maximum of 10 distinct destinations are displayed.

Defense Against Application Layer Attacks by Module

This metric is displayed only if the query includes a domain name. It shows which mitigation policies filtered the application-layer attacks.

Attack events

This section lists all attack events for the selected instance or domain name within the specified time range. Click View Details in the Actions column of a target event to go to the Attack Analysis page for more event details.

References

For more information about the report metrics for Anti-DDoS Origin, see Statistical report (Anti-DDoS Origin).