All Products
Search

This Product

    Anti-DDoS:Fields in logs

    Document Center

    Anti-DDoS:Fields in logs

    Last Updated:May 12, 2025

    This topic describes all fields in the logs of Anti-DDoS Origin.

    The fields are classified into the following types based on features:

    • Event fields: record information about the events that occur on the protected assets. The events include traffic scrubbing, blackhole filtering, and traffic rerouting. The information includes the occurrence time and the status of the events.

    • Traffic scrubbing fields: record information about the traffic that is denied or allowed by different mitigation policies during traffic scrubbing.

    Event fields

    Field

    Description

    Example value

    data_type

    The data type. Valid values:

    • Global_SC_Detection: indicates data about the traffic that is forwarded by the traffic scrubbing center of Anti-DDoS Proxy. The traffic is protected by an anti-DDoS diversion instance.

    • Global_SC_Mitigation: indicates data about the traffic that is scrubbed by the traffic scrubbing center of Anti-DDoS Proxy. The traffic is protected by an anti-DDoS diversion instance.

    • Regional_SC_Detection: indicates data about the inbound traffic of the region in which Alibaba Cloud assets reside.

    • Regional_SC_Mitigation: indicates data about the scrubbed traffic of the region in which Alibaba Cloud assets reside.

    • event: indicates data about attack events.

    Regional_SC_Mitigation

    event_time

    The time at which an event occurred. The value is a UNIX timestamp. Unit: seconds.

    1624434027

    event_type

    The type of an event. Valid values:

    • mitigation_begin: A traffic scrubbing event begins.

    • mitigation_ended: A traffic scrubbing event ends.

    • blackhole_begin: A blackhole filtering event begins.

    • blackhole_ended: A blackhole filtering event ends.

    mitigation_begin

    instance_id

    The ID of the Anti-DDoS Origin instance.

    ddosbgp-cn-n6w203qg****

    ip

    The IP address of an asset that is protected by the Anti-DDoS Origin instance.

    39.XX.XX.23

    kbps_in

    The bandwidth of inbound traffic. Unit: Kbit/s.

    1000

    new_con

    The number of new connections.

    1000

    pps_in

    The packet forwarding rate of inbound traffic. Unit: packets per second.

    1000

    qps

    The queries per second (QPS). Unit: QPS.

    1000

    scrubbing_center

    The region where the traffic scrubbing center resides. Valid values:

    • us_west: US (Virginia)

    • us_east: US (Silicon Valley)

    • frankfurt: Germany (Frankfurt)

    • hk: China (Hong Kong)

    • singapore: Singapore

    • malaysia: Malaysia (Kuala Lumpur)

    • uk: UK (London)

    • japan: Japan (Tokyo)

    • total_summary: all regions

    • assets_base_region: the region where the asset resides

    us_west

    subnet

    The CIDR block for traffic rerouting.

    1.XX.XX.1/24

    uid

    The ID of the Alibaba Cloud account.

    170457416359****

    Traffic scrubbing fields

    Field

    Description

    Example value

    time

    The point in time at which the log entry about traffic scrubbing was generated. The value is a UNIX timestamp. Unit: seconds.

    1624434027

    destination_ip

    The destination IP address.

    123.XX.XX.169

    port

    The destination port. Valid values:

    • all (default): indicates the data of all ports.

    • Specific port: indicates the data of a specific port, such as port 80.

    80

    total_traffic_in_bps

    The total number of bytes in all types of packets that are scrubbed. Unit: byte per second.

    8000

    total_traffic_drop_bps

    The total number of bytes of all types of packets that are scrubbed and discarded. Unit: byte per second.

    800

    total_traffic_in_pps

    The forwarding rate of all types of inbound packets. Unit: packets per second.

    1000

    total_traffic_drop_pps

    The forwarding rate of all types of packets that are discarded. Unit: packets per second.

    1000

    pps_types_in_tcp_pps

    The forwarding rate of inbound TCP packets. Unit: packets per second.

    100

    pps_types_in_udp_pps

    The forwarding rate of inbound UDP packets. Unit: packets per second.

    1000

    pps_types_in_icmp_pps

    The forwarding rate of inbound ICMP packets. Unit: packets per second.

    1000

    pps_types_in_syn_pps

    The forwarding rate of inbound SYN packets. Unit: packets per second.

    1000

    pps_types_in_ack_pps

    The forwarding rate of inbound ACK packets. Unit: packets per second.

    1000

    pps_types_in_synack_pps

    The forwarding rate of inbound SYN-ACK packets. Unit: packets per second.

    1000

    pps_types_in_finrst_pps

    The forwarding rate of inbound FIN or RST packets. Unit: packets per second.

    1000

    pps_types_in_dns_pps

    The forwarding rate of inbound DNS packets. Unit: packets per second.

    1000

    pps_types_drop_tcp_pps

    The forwarding rate of the TCP packets that are discarded. Unit: packets per second.

    1000

    pps_types_drop_udp_pps

    The forwarding rate of the UDP packets that are discarded. Unit: packets per second.

    1000

    pps_types_drop_icmp_pps

    The forwarding rate of the ICMP packets that are discarded. Unit: packets per second.

    1100

    pps_types_drop_syn_pps

    The forwarding rate of the SYN packets that are discarded. Unit: packets per second.

    1000

    pps_types_drop_ack_pps

    The forwarding rate of the ACK packets that are discarded. Unit: packets per second.

    1000

    pps_types_drop_synack_pps

    The forwarding rate of the SYN-ACK packets that are discarded. Unit: packets per second.

    1000

    pps_types_finrst

    The forwarding rate of the FIN or RST packets that are discarded. Unit: packets per second.

    1000

    pps_types_dns

    The forwarding rate of the DNS packets that are discarded. Unit: packets per second.

    1000

    policy_packet_checking_acct_pps

    The forwarding rate of the packets that are allowed by the default packet checking policy. Unit: packets per second.

    1000

    policy_packet_checking_drop_pps

    The forwarding rate of the packets that are denied by the default packet checking policy. Unit: packets per second.

    1000

    policy_dns_retransmission_authentication_drop_pps

    The forwarding rate of the packets that are denied by the default first-packet-dropping policy of a domain name. Unit: packets per second.

    1000

    policy_dns_retransmission_authentication_acct_pps

    The forwarding rate of the packets that are allowed by the default first-packet-dropping policy of a domain name. Unit: packets per second.

    100

    policy_source_ip_authentication_succeed_pps

    The forwarding rate of the packets that pass the check by the default source IP address-based authentication policy. Unit: packets per second.

    1000

    policy_source_ip_authentication_checked_pps

    The forwarding rate of the packets that are being checked by the default source IP address-based authentication policy. Unit: packets per second.

    1000

    policy_source_ip_authentication_acct_pps

    The forwarding rate of the packets that are allowed by the default source IP address-based authentication policy. Unit: packets per second.

    1000

    policy_source_ip_authentication_drop_pps

    The forwarding rate of the packets that are denied by the default source IP address-based authentication policy. Unit: packets per second.

    1000

    policy_source_ip_rate_limitation_drop_syn_pps

    The forwarding rate of the SYN packets that are denied by the default source IP address-based rate limiting policy. Unit: packets per second.

    1000

    policy_source_ip_rate_limitation_drop_con_max_pps

    The forwarding rate of the packets that are denied by the default source IP address-based rate limiting policy for concurrent connections. The packets are denied because the number of concurrent connections initiated from the source IP addresses exceeds the maximum number of concurrent connections allowed in the policy. Unit: packets per second.

    1000

    policy_source_ip_rate_limitation_drop_con_rate_pps

    The forwarding rate of the packets that are denied by the default source IP address-based rate limiting policy for concurrent connections. The packets are denied because the connection rate of concurrent connections initiated from the source IP addresses exceeds the maximum connection rate allowed in the policy. Unit: packets per second.

    1000

    policy_source_ip_rate_limitation_drop_udp_rate_pps

    The forwarding rate of the packets that are denied by the default source IP address-based rate limiting policy for UDP packets. Unit: packets per second.

    1000

    policy_source_ip_rate_limitation_drop_tcpack_rate_pps

    The forwarding rate of the packets that are denied by the default source IP address-based rate limiting policy for ACK packets. Unit: packets per second.

    1000

    policy_source_ip_rate_limitation_drop_tcpsynack_rate_pps

    The forwarding rate of the packets that are denied by the default source IP address-based rate limiting policy for SYN-ACK packets. Unit: packets per second.

    1000

    policy_destination_ip_rate_limitation_drop_syn_rate

    The forwarding rate of the SYN packets that are denied by the default destination IP address-based rate limiting policy. Unit: packets per second.

    1000

    policy_destination_ip_rate_limitation_drop_udp_rate

    The bandwidth of the UDP packets that are denied by the default destination IP address-based rate limiting policy. Unit: packets per second.

    1000

    policy_destination_ip_rate_limitation_drop_ack_rate

    The bandwidth of the ACK packets that are denied by the default destination IP address-based rate limiting policy. Unit: packets per second.

    1000

    policy_destination_ip_rate_limitation_drop_icmp_rate

    The bandwidth of the ICMP packets that are denied by the default destination IP address-based rate limiting policy. Unit: packets per second.

    1000

    policy_destination_ip_rate_limitation_drop_other_rate

    The forwarding rate of the packets that are denied by the default destination IP address-based rate limiting policy. Unit: packets per second. The packets exclude UDP, ICMP, TCP-SYN, TCP-SYN-ACK, and TCP-ACK packets.

    1000

    policy_destination_ip_rate_limitation_drop_synack_rate

    The forwarding rate of the SYN-ACK packets that are denied by the default destination IP address-based rate limiting policy. Unit: packets per second.

    1000

    policy_layer_4_filter_l4_filiter_drop_pps

    The forwarding rate of the packets that are denied by all fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policies in Mitigation Settings.

    1000

    policy_layer_4_filter_l4_filiter_acct_num

    The forwarding rate of the packets that are allowed by all the policies in the module of fingerprint filtering policies. Unit: packets per second. You can customize the module of fingerprint filtering policies in Mitigation Settings.

    1000

    policy_layer_4_filter_l4_filite_drop_rule_1_pps

    The forwarding rate of the packets that are denied by the first fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

    1000

    policy_layer_4_filter_l4_filite_drop_rule_2_pps

    The forwarding rate of the packets that are denied by the second fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

    1000

    policy_layer_4_filter_l4_filite_drop_rule_3_pps

    The forwarding rate of the packets that are denied by the third fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

    1000

    policy_layer_4_filter_l4_filite_drop_rule_4_pps

    The forwarding rate of the packets that are denied by the fourth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

    1000

    policy_layer_4_filter_l4_filite_drop_rule_5_pps

    The forwarding rate of the packets that are denied by the fifth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

    1000

    policy_layer_4_filter_l4_filite_drop_rule_6_pps

    The forwarding rate of the packets that are denied by the sixth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

    1000

    policy_layer_4_filter_l4_filite_drop_rule_7_pps

    The forwarding rate of the packets that are denied by the seventh fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

    1000

    policy_layer_4_filter_l4_filite_drop_rule_8_pps

    The forwarding rate of the packets that are denied by the eighth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings.

    1000

    policy_dns_domain_authentication_succ_domain_pps

    The forwarding rate of the packets that pass the check based on the default domain-based authentication policy. Unit: packets per second.

    1000

    policy_dns_domain_authentication_fail_domain_pps

    The forwarding rate of the packets that fail the check based on the default domain-based authentication policy. Unit: packets per second.

    1000

    policy_dns_domain_authentication_drop_pps

    The forwarding rate of the packets that are denied by the default domain-based authentication policy. Unit: packets per second.

    1000

    policy_dns_domain_authentication_acct_pps

    The forwarding rate of the packets that are allowed by the default domain-based authentication policy. Unit: packets per second.

    1000

    policy_syn_cookie_succ_check_pps

    The forwarding rate of the packets that pass the check based on the default SYN cookie-based policy. Unit: packets per second.

    1000

    policy_syn_cookie_fail_check_pps

    The forwarding rate of the packets that fail the check based on the default SYN cookie-based policy. Unit: packets per second.

    1000

    policy_syn_cookie_drop_pps

    The forwarding rate of the packets that are denied by the default SYN cookie-based policy. Unit: packets per second.

    1000

    policy_syn_cookie_rebound_check_pps

    The forwarding rate of the packets that are reversely verified by the default SYN cookie-based policy. Unit: packets per second.

    1000

    policy_syn_cookie_acct_pps

    The forwarding rate of the packets that are allowed by the default SYN cookie-based policy. Unit: packets per second.

    1000

    policy_udp_defense_drop_pps

    The forwarding rate of the packets that are denied by the default UDP protection policy. Unit: packets per second.

    1000

    policy_udp_defense_in_pps

    The forwarding rate of inbound packets that hit the default UDP protection policy, namely the number of UDP packets protected and detected per second. Unit: packets per second.

    1000

    policy_dns_ipdomain_rate_limitation_drop_over_rate_limitation_pps

    The rate of packets discarded due to rate limits triggered by IP or domain names in traffic hitting the default DNS protection policy. Unit: packets per second.

    1000

    policy_antiothertcp_session_cre_num_syn_pps

    The packet forwarding rate of sessions created by the TCP protection policy using SYN packets. Unit: packets per second.

    1000

    policy_antiothertcp_session_cre_num_ack_pps

    The packet forwarding rate of sessions created by the TCP protection policy using ACK packets. Unit: packets per second.

    1000

    policy_antiothertcp_succ_auth_num_syn_pps

    The forwarding rate of data packets authenticated after a session is created by the TCP protection policy using SYN. Unit: packets per second.

    1000

    policy_antiothertcp_succ_auth_num_ack_pps

    The forwarding rate of data packets authenticated after a session is created by the TCP protection policy using ACK. Unit: packets per second.

    1000

    policy_antiothertcp_drop_pps

    The forwarding rate of the packets that are denied by other default TCP protection policies. Unit: packets per second.

    1000

    policy_antiothertcp_acct_pps

    The forwarding rate of the packets that are allowed by other default TCP protection policies. Unit: packets per second.

    1000

    policy_antitcp_in_pps

    The total rate of TCP packets that hit the TCP protection policy. Unit: packets per second.

    1000

    policy_antitcp_drop_tcp_pps

    The forwarding rate of all TCP packets that are denied by the default TCP protection policy. Unit: packets per second.

    1000

    policy_antitcp_drop_ack_pps

    The forwarding rate of all ACK packets that are denied by the default TCP protection policy. Unit: packets per second.

    1000

    policy_antitcp_drop_pushack_pps

    The forwarding rate of PUSHACK packets discarded by the default TCP protection policy. Unit: packets per second.

    1000

    policy_retransmission_authentication_acct_pps

    The forwarding rate of the packets that are allowed by the default first-packet-dropping policy. Unit: packets per second.

    1000

    policy_retransmission_authentication_drop_pps

    The forwarding rate of the packets that are denied by the default first-packet-dropping policy. Unit: packets per second.

    1000