This topic describes all fields in the logs of Anti-DDoS Origin.

The fields are classified into the following types:
  • Event fields: record information about the events that occur on the protected assets. The events include traffic scrubbing, blackhole filtering, and on-demand protection. The information includes the time at which the events occurred and the status of the events.
  • Traffic detection fields: record information about the traffic that is generated on the protected assets. The information includes the transmission rate of inbound traffic and the packet forwarding rates of different types of data packets.
  • Traffic scrubbing fields: record information about the traffic that is denied or allowed by different mitigation policies during traffic scrubbing.

Event fields

Field Description Example value
data_type The data type. Valid values:
  • Global_SC_Detection: indicates data about the traffic that is forwarded by the traffic scrubbing center of Anti-DDoS. The traffic is protected by an on-demand instance.
  • Global_SC_Mitigation: indicates data about the traffic that is scrubbed by the scrubbing center of Anti-DDoS. The traffic is protected by an on-demand instance.
  • Regional_SC_Detection: indicates data about the inbound traffic of the region in which Alibaba Cloud assets reside.
  • Regional_SC_Mitigation: indicates data about the scrubbed traffic of the region in which Alibaba Cloud assets reside.
  • event: indicates data about attack events.
Regional_SC_Mitigation
event_time The time at which an event occurred. This value is a UNIX timestamp. Unit: seconds. 1624434027
event_type The type of an event. Valid values:
  • mitigation_begin: A traffic scrubbing event begins.
  • mitigation_ended: A traffic scrubbing event ends.
  • blackhole_begin: A blackhole filtering event begins.
  • blackhole_ended: A blackhole filtering event ends.
mitigation_begin
instance_id The ID of the Anti-DDoS Origin instance. ddosbgp-cn-n6w203qg****
ip The IP address of an asset that is protected by the Anti-DDoS Origin instance. 39.XX.XX.23
kbps_in The bandwidth of inbound traffic. Unit: Kbit/s. 1000
new_con The number of new connections. 1000
pps_in The packet forwarding rate of inbound traffic. Unit: packets per second. 1000
qps The number of queries per second (QPS). Unit: QPS. 1000
scrubbing_center The region where the traffic scrubbing center resides. Valid values:
  • us_west: US (Virginia)
  • us_east: US (Silicon Valley)
  • frankfurt: Germany (Frankfurt)
  • hk: China (Hong Kong)
  • singapore: Singapore (Singapore)
  • malaysia: Malaysia (Kuala Lumpur)
  • uk: UK (London)
  • japan: Japan (Tokyo)
  • total_summary: all regions
  • assets_base_region: the region where the asset resides
us_west
subnet The CIDR block for on-demand protection. 1.XX.XX.1/24
user_id The ID of an Alibaba Cloud account. 170457416359****
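The event fields above are enough to rebuild attack timelines. The following added example (not part of the original documentation) pairs each `*_begin` event with its `*_ended` event per protected IP address and reports windows that never closed or never opened. It assumes the logs are exported as one JSON object per line; the sample records, IP addresses, and instance ID are constructed.

```python
import json

# Constructed sample records (not real logs). The JSON-lines serialization is an
# assumption; field names and values follow the event field table above.
SAMPLE = """\
{"data_type":"event","event_type":"mitigation_begin","event_time":1624434027,"ip":"192.0.2.10","instance_id":"ddosbgp-example-1","pps_in":1000}
{"data_type":"event","event_type":"blackhole_begin","event_time":1624434100,"ip":"192.0.2.20","instance_id":"ddosbgp-example-1"}
{"data_type":"event","event_type":"mitigation_ended","event_time":"1624434627","ip":"192.0.2.10","instance_id":"ddosbgp-example-1"}
{"data_type":"Regional_SC_Detection","ip":"192.0.2.10"}
{"data_type":"event","event_type":"mitigation_ended","event_time":1624434700,"ip":"192.0.2.30","instance_id":"ddosbgp-example-1"}
"""


def event_windows(lines):
    """Pair begin/ended events per (ip, kind).

    Returns (closed, still_open, orphan_ends):
      closed      - list of dicts with start, end and duration in seconds
      still_open  - {(ip, kind): start} for events with no matching end yet
      orphan_ends - [((ip, kind), end)] for ends whose begin is outside the data
    """
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("data_type") == "event":  # skip detection/mitigation records
            events.append(rec)
    # Log delivery order is not guaranteed, so order by the event timestamp.
    events.sort(key=lambda r: int(r["event_time"]))

    still_open, closed, orphan_ends = {}, [], []
    for rec in events:
        # "mitigation_begin" -> kind "mitigation", phase "begin"
        kind, _, phase = rec["event_type"].rpartition("_")
        key = (rec["ip"], kind)
        ts = int(rec["event_time"])  # UNIX timestamp in seconds
        if phase == "begin":
            still_open.setdefault(key, ts)  # keep the earliest begin on duplicates
        elif phase == "ended":
            start = still_open.pop(key, None)
            if start is None:
                orphan_ends.append((key, ts))
            else:
                closed.append({"ip": key[0], "kind": kind, "start": start,
                               "end": ts, "seconds": ts - start})
    return closed, still_open, orphan_ends


if __name__ == "__main__":
    for part in event_windows(SAMPLE.splitlines()):
        print(part)
```

A blackhole entry that stays in `still_open` means the asset is still unreachable, which is usually the first thing to check during an incident.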

Traffic detection fields

Field Description Example value
Ip The source IP address. 1.XX.XX.1
Time The point in time at which the log entry about traffic detection was generated. This value is a UNIX timestamp. Unit: seconds. 1624434027
KbpsIn The bandwidth of inbound traffic at the point in time. Unit: Kbit/s. 1000
KbpsOut The bandwidth of outbound traffic at the point in time. Unit: Kbit/s. 1000
PpsIn The forwarding rate of all inbound packets at the point in time. Unit: packets per second. 1000
PpsOut The forwarding rate of all outbound packets at the point in time. Unit: packets per second. 1000
PpsInSyn The forwarding rate of inbound SYN packets at the point in time. Unit: packets per second. 1000
PpsInSynack The forwarding rate of inbound SYN-ACK packets at the point in time. Unit: packets per second. 1000
PpsInFin The forwarding rate of inbound FIN or RST packets at the point in time. Unit: packets per second. 1000
PpsInHttpReq The forwarding rate of inbound TCP packets at the point in time. Unit: packets per second. The TCP packets must meet all the following conditions:
  • The TCP packets are not SYN, SYN-ACK, FIN, or RST packets.
  • The destination port is 80, 3128, 8080, or 8088.
  • The TCP packets contain payloads. The first few bytes of the payloads in HTTP packets are GET, PUT, HEAD, or POST.
1000
PpsInHttpResp The forwarding rate of inbound TCP packets at the point in time. Unit: packets per second. The TCP packets must meet all the following conditions:
  • The TCP packets are not SYN, SYN-ACK, FIN, or RST packets.
  • The destination port is 80, 3128, 8080, or 8088.
  • The TCP packets contain payloads. The first four bytes of the payloads in HTTP packets are HTTP.
1000
PpsInHttpFlags The forwarding rate of inbound TCP-ACK packets at the point in time. Unit: packets per second. The TCP-ACK packets are not SYN, SYN-ACK, FIN, or RST packets. 1000
PpsInIcmp The forwarding rate of inbound ICMP packets at the point in time. Unit: packets per second. 1000
PpsInDns The forwarding rate of inbound DNS packets at the point in time. Unit: packets per second. The DNS packets are forwarded over UDP, and the source or destination port of the packets is 53. 1000
PpsInUdprisk The forwarding rate of packets that use a vulnerable source UDP port at the point in time. Unit: packets per second. 1000
PpsInUdpunknown The forwarding rate of inbound UDP packets at the point in time. Unit: packets per second. The forwarding rate of the UDP packets indicated by this field does not include that indicated by the PpsInDns field. The UDP packets are forwarded over UDP, but the source or destination port of the packets is not 53. 1000

Traffic scrubbing fields

Field Description Example value
instance_id The ID of the Anti-DDoS Origin instance. ddosbgp-cn-v641is26****
time The point in time at which the log entry about traffic scrubbing was generated. This value is a UNIX timestamp. Unit: seconds. 1624434027
destination_ip The destination IP address. 123.XX.XX.169
port The destination port. Valid values:
  • all (default): indicates the data of all ports
  • Specific port: indicates the data of a specific port, such as port 80
80
total_traffic_in_bps The total number of bytes in all types of packets that are scrubbed. Unit: bytes per second. 8000
total_traffic_drop_bps The total number of bytes of all types of packets that are scrubbed and discarded. Unit: bytes per second. 800
total_traffic_in_pps The forwarding rate of all types of inbound packets. Unit: packets per second. 1000
total_traffic_drop_pps The forwarding rate of all types of packets that are discarded. Unit: packets per second. 1000
pps_types_in_tcp_pps The forwarding rate of inbound TCP packets. Unit: packets per second. 100
pps_types_in_udp_pps The forwarding rate of inbound UDP packets. Unit: packets per second. 1000
pps_types_in_icmp_pps The forwarding rate of inbound ICMP packets. Unit: packets per second. 1000
pps_types_in_syn_pps The forwarding rate of inbound SYN packets. Unit: packets per second. 1000
pps_types_in_ack_pps The forwarding rate of inbound ACK packets. Unit: packets per second. 1000
pps_types_in_synack_pps The forwarding rate of inbound SYN-ACK packets. Unit: packets per second. 1000
pps_types_in_finrst_pps The forwarding rate of inbound FIN or RST packets. Unit: packets per second. 1000
pps_types_in_dns_pps The forwarding rate of inbound DNS packets. Unit: packets per second. 1000
pps_types_drop_tcp_pps The forwarding rate of the TCP packets that are discarded. Unit: packets per second. 1000
pps_types_drop_udp_pps The forwarding rate of the UDP packets that are discarded. Unit: packets per second. 1000
pps_types_drop_icmp_pps The forwarding rate of the ICMP packets that are discarded. Unit: packets per second. 1100
pps_types_drop_syn_pps The forwarding rate of the SYN packets that are discarded. Unit: packets per second. 1000
pps_types_drop_ack_pps The forwarding rate of the ACK packets that are discarded. Unit: packets per second. 1000
pps_types_drop_synack_pps The forwarding rate of the SYN-ACK packets that are discarded. Unit: packets per second. 1000
pps_types_finrst The forwarding rate of the FIN or RST packets that are discarded. Unit: packets per second. 1000
pps_types_dns The forwarding rate of the DNS packets that are discarded. Unit: packets per second. 1000
policy_packet_checking_acct_pps The forwarding rate of the packets that are allowed by the default packet checking policy. Unit: packets per second. 1000
policy_packet_checking_drop_pps The forwarding rate of the packets that are denied by the default packet checking policy. Unit: packets per second. 1000
policy_dns_retransmission_authentication_drop_pps The forwarding rate of the packets that are denied by the default first-packet-dropping policy of a domain name. Unit: packets per second. 1000
policy_dns_retransmission_authentication_acct_pps The forwarding rate of the packets that are allowed by the default first-packet-dropping policy of a domain name. Unit: packets per second. 100
policy_source_ip_authentication_succeed_pps The forwarding rate of the packets that pass the check by the default source IP address-based authentication policy. Unit: packets per second. 1000
policy_source_ip_authentication_checked_pps The forwarding rate of the packets that are being checked by the default source IP address-based authentication policy. Unit: packets per second. 1000
policy_source_ip_authentication_acct_pps The forwarding rate of the packets that are allowed by the default source IP address-based authentication policy. Unit: packets per second. 1000
policy_source_ip_authentication_drop_pps The forwarding rate of the packets that are denied by the default source IP address-based authentication policy. Unit: packets per second. 1000
policy_source_ip_rate_limitation_drop_syn_pps The forwarding rate of the SYN packets that are denied by the default source IP address-based throttling policy. Unit: packets per second. 1000
policy_source_ip_rate_limitation_drop_con_max_pps The forwarding rate of the packets that are denied by the default source IP address-based throttling policy for concurrent connections. The packets are denied because the number of concurrent connections initiated from the source IP addresses exceeds the maximum number of concurrent connections allowed in the policy. Unit: packets per second. 1000
policy_source_ip_rate_limitation_drop_con_rate_pps The forwarding rate of the packets that are denied by the default source IP address-based throttling policy for concurrent connections. The packets are denied because the connection rate of concurrent connections initiated from the source IP addresses exceeds the maximum connection rate allowed in the policy. Unit: packets per second. 1000
policy_source_ip_rate_limitation_drop_udp_rate_pps The forwarding rate of the packets that are denied by the default source IP address-based throttling policy for UDP packets. Unit: packets per second. 1000
policy_source_ip_rate_limitation_drop_tcpack_rate_pps The forwarding rate of the packets that are denied by the default source IP address-based throttling policy for ACK packets. Unit: packets per second. 1000
policy_source_ip_rate_limitation_drop_tcpsynack_rate_pps The forwarding rate of the packets that are denied by the default source IP address-based throttling policy for SYN-ACK packets. Unit: packets per second. 1000
policy_destination_ip_rate_limitation_drop_syn_rate The forwarding rate of the SYN packets that are denied by the default source IP address-based throttling policy. Unit: packets per second. 1000
policy_destination_ip_rate_limitation_drop_udp_rate The bandwidth of the UDP packets that are denied by the default destination IP address-based throttling policy. Unit: packets per second. 1000
policy_destination_ip_rate_limitation_drop_ack_rate The bandwidth of the ACK packets that are denied by the default destination IP address-based throttling policy. Unit: packets per second. 1000
policy_destination_ip_rate_limitation_drop_icmp_rate The bandwidth of the ICMP packets that are denied by the default destination IP address-based throttling policy. Unit: packets per second. 1000
policy_destination_ip_rate_limitation_drop_other_rate The forwarding rate of the packets that are denied by the default destination IP address-based throttling policy. Unit: packets per second. The packets exclude UDP, ICMP, TCP-SYN, TCP-SYN-ACK, and TCP-ACK packets. 1000
policy_destination_ip_rate_limitation_drop_synack_rate The forwarding rate of the SYN-ACK packets that are denied by the default destination IP address-based throttling policy. Unit: packets per second. 1000
policy_layer_4_filter_l4_filiter_drop_pps The forwarding rate of the packets that are denied by all fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policies in Mitigation Settings. 1000
policy_layer_4_filter_l4_filiter_acct_num The forwarding rate of the packets that are allowed by all the policies in the module of fingerprint filtering policies. Unit: packets per second. You can customize the module of fingerprint filtering policies in Mitigation Settings. 1000
policy_layer_4_filter_l4_filite_drop_rule_1_pps The forwarding rate of the packets that are denied by the first fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings. 1000
policy_layer_4_filter_l4_filite_drop_rule_2_pps The forwarding rate of the packets that are denied by the second fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings. 1000
policy_layer_4_filter_l4_filite_drop_rule_3_pps The forwarding rate of the packets that are denied by the third fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings. 1000
policy_layer_4_filter_l4_filite_drop_rule_4_pps The forwarding rate of the packets that are denied by the fourth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings. 1000
policy_layer_4_filter_l4_filite_drop_rule_5_pps The forwarding rate of the packets that are denied by the fifth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings. 1000
policy_layer_4_filter_l4_filite_drop_rule_6_pps The forwarding rate of the packets that are denied by the sixth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings. 1000
policy_layer_4_filter_l4_filite_drop_rule_7_pps The forwarding rate of the packets that are denied by the seventh fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings. 1000
policy_layer_4_filter_l4_filite_drop_rule_8_pps The forwarding rate of the packets that are denied by the eighth fingerprint filtering policy in the module of fingerprint filtering policies. Unit: packets per second. You can customize the fingerprint filtering policy in Mitigation Settings. 1000
policy_dns_domain_authentication_succ_domain_pps The forwarding rate of the packets that pass the check based on the default domain-based authentication policy. Unit: packets per second. 1000
policy_dns_domain_authentication_fail_domain_pps The forwarding rate of the packets that fail the check based on the default domain-based authentication policy. Unit: packets per second. 1000
policy_dns_domain_authentication_drop_pps The forwarding rate of the packets that are denied by the default domain-based authentication policy. Unit: packets per second. 1000
policy_dns_domain_authentication_acct_pps The forwarding rate of the packets that are allowed by the default domain-based authentication policy. Unit: packets per second. 1000
policy_syn_cookie_succ_check_pps The forwarding rate of the packets that pass the check based on the default SYN cookie-based policy. Unit: packets per second. 1000
policy_syn_cookie_fail_check_pps The forwarding rate of the packets that fail the check based on the default SYN cookie-based policy. Unit: packets per second. 1000
policy_syn_cookie_drop_pps The forwarding rate of the packets that are denied by the default SYN cookie-based policy. Unit: packets per second. 1000
policy_syn_cookie_rebound_check_pps The forwarding rate of the packets that are reversely verified by the default SYN cookie-based policy. Unit: packets per second. 1000
policy_syn_cookie_acct_pps The forwarding rate of the packets that are allowed by the default SYN cookie-based policy. Unit: packets per second. 1000
policy_udp_defense_drop_pps The forwarding rate of the packets that are denied by the default UDP protection policy. Unit: packets per second. 1000
policy_antiothertcp_drop_pps The forwarding rate of the packets that are denied by other default TCP protection policies. Unit: packets per second. 1000
policy_antiothertcp_acct_pps The forwarding rate of the packets that are allowed by other default TCP protection policies. Unit: packets per second. 1000
policy_antitcp_drop_tcp_pps The forwarding rate of all TCP packets that are denied by the default TCP protection policy. Unit: packets per second. 1000
policy_antitcp_drop_ack_pps The forwarding rate of all ACK packets that are denied by the default TCP protection policy. Unit: packets per second. 1000
policy_retransmission_authentication_acct_pps The forwarding rate of the packets that are allowed by the default first-packet-dropping policy. Unit: packets per second. 1000
policy_retransmission_authentication_drop_pps The forwarding rate of the packets that are denied by the default first-packet-dropping policy. Unit: packets per second. 1000
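The traffic scrubbing fields show how much traffic was discarded and which mitigation policy discarded it. The following added example (not part of the original documentation) computes the overall drop ratio for one record and ranks the `policy_*_drop_*` counters by their share of `total_traffic_drop_pps`. It assumes a record is a JSON object whose values may arrive as numbers or numeric strings; the sample record is constructed.

```python
import json

# Constructed sample record (not a real log). The JSON serialization and the
# mix of string and numeric values are assumptions; field names are from the table.
SAMPLE = json.dumps({
    "instance_id": "ddosbgp-example-1", "time": 1624434027,
    "destination_ip": "192.0.2.10", "port": "all",
    "total_traffic_in_pps": "55000", "total_traffic_drop_pps": "44000",
    "policy_syn_cookie_drop_pps": "30000", "policy_syn_cookie_acct_pps": "5000",
    "policy_udp_defense_drop_pps": 9000, "policy_packet_checking_drop_pps": "3000",
    "policy_layer_4_filter_l4_filiter_drop_pps": "2000",
    "policy_layer_4_filter_l4_filite_drop_rule_1_pps": "2000",
    "policy_source_ip_rate_limitation_drop_syn_pps": "",
})


def _num(value):
    """Coerce a log value to float; missing or malformed values count as 0."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return 0.0


def summarize_scrubbing(rec, top=3):
    """Return the drop ratio and the policies responsible for most drops."""
    total_in = _num(rec.get("total_traffic_in_pps"))
    total_drop = _num(rec.get("total_traffic_drop_pps"))
    drops = []
    for name, value in rec.items():
        # Destination-IP throttling counters end in _rate, not _pps, so match
        # on the "_drop_" infix instead of a suffix.
        if not name.startswith("policy_") or "_drop_" not in name:
            continue
        # Per-rule fingerprint counters are already included in the
        # all-policies fingerprint counter; skip them to avoid double counting.
        if "_drop_rule_" in name:
            continue
        pps = _num(value)
        if pps > 0:
            drops.append((name, pps))
    drops.sort(key=lambda item: (-item[1], item[0]))
    return {
        "destination_ip": rec.get("destination_ip"),
        "drop_ratio": round(total_drop / total_in, 3) if total_in else 0.0,
        # Shares are relative to total_traffic_drop_pps and need not sum to 1.
        "top_policies": [(n, round(p / total_drop, 3) if total_drop else 0.0)
                         for n, p in drops[:top]],
    }


if __name__ == "__main__":
    print(summarize_scrubbing(json.loads(SAMPLE)))
```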