Edge Security Acceleration: DDoS data analytics

Last Updated: Sep 04, 2025

ESA provides the DDoS Analytics and Attack Details dashboards to help you monitor the health of your service, investigate attacks, and fine-tune your mitigation policies. You can view detailed statistics from the last 30 days for both network-layer and application-layer attacks.

Note

This feature is available exclusively for Enterprise subscribers.

Interpreting the analytics dashboard

The DDoS Analytics tab provides a comprehensive view of your traffic patterns, helping you distinguish between legitimate usage and malicious activity. You can filter the data by time range, up to the last 30 days.

Network layer (L3/L4) metrics

These metrics help identify volumetric attacks designed to saturate your network capacity.

  • Bandwidth (bits per second, bps): Measures the volume of attack traffic. A high bps value indicates a flood attack that is trying to consume all available network bandwidth. When attack traffic uses more than 95% of the bandwidth, it can disrupt the transmission of legitimate service traffic.

  • Packet rate (packets per second, pps): Measures the number of packets being sent. A high pps value (> 1 M), even with low bandwidth, can indicate an attack designed to exhaust the processing capacity of servers and network hardware.

By analyzing both metrics, you can identify the attack's signature. Large-packet flood attacks are characterized by high bps and low pps, while connection flood attacks show low bps and high pps. If either metric is missing, mitigation policies may fail. For example, ignoring pps monitoring makes it impossible to detect low-bandwidth, high-intensity attacks that exhaust protocol stack resources.
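The following is an added example, not part of the ESA documentation or product: it classifies bps/pps samples by the signatures described above and lists the intervals that a bandwidth-only monitor would miss. The 95%, 1 M pps and 5 Gbps thresholds are the ones stated on this page; the sample values, the 10 Gbps link capacity, the packet-size cut-offs and all function names are constructed assumptions.

```python
from dataclasses import dataclass

# Thresholds stated on this page.
SATURATION_RATIO = 0.95     # attack traffic above 95% of bandwidth disrupts service
HIGH_PPS = 1_000_000        # "> 1 M" packets per second
SCRUB_TRIGGER_BPS = 5e9     # network-layer scrubbing may trigger at 5 Gbps
# Assumed cut-offs (not from the page) on average packet size, in bytes.
LARGE_PKT_BYTES = 1000
SMALL_PKT_BYTES = 128

@dataclass
class Sample:
    ts: str      # interval label
    bps: float   # attack bandwidth, bits per second
    pps: float   # attack packet rate, packets per second

def avg_packet_bytes(s: Sample) -> float:
    """Average packet size implied by the two metrics together."""
    return s.bps / 8 / s.pps if s.pps else 0.0

def bps_alarm(s: Sample, link_bps: float) -> bool:
    """What a bandwidth-only monitor would see."""
    return s.bps > SATURATION_RATIO * link_bps or s.bps >= SCRUB_TRIGGER_BPS

def classify(s: Sample, link_bps: float) -> str:
    size = avg_packet_bytes(s)
    if s.pps > HIGH_PPS and size <= SMALL_PKT_BYTES:
        return "connection-flood"      # low bps, high pps
    if bps_alarm(s, link_bps) and size >= LARGE_PKT_BYTES:
        return "large-packet-flood"    # high bps, low pps
    if bps_alarm(s, link_bps) or s.pps > HIGH_PPS:
        return "mixed"
    return "none"

def missed_by_bps_only(samples, link_bps):
    """Intervals with an attack signature that never trip a bandwidth alarm."""
    return [s.ts for s in samples
            if classify(s, link_bps) != "none" and not bps_alarm(s, link_bps)]

# Constructed sample data: 10 Gbps link, three intervals.
LINK_BPS = 10e9
SAMPLES = [
    Sample("12:00", bps=9.8e9, pps=850_000),
    Sample("12:05", bps=1.2e9, pps=2_500_000),
    Sample("12:10", bps=2.0e8, pps=40_000),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.ts, classify(s, LINK_BPS), f"{avg_packet_bytes(s):.0f} B/pkt")
    print("missed by bps-only monitoring:", missed_by_bps_only(SAMPLES, LINK_BPS))
```

The 12:05 interval carries only 1.2 Gbps but 2.5 M pps of roughly 60-byte packets, which is the low-bandwidth, high-intensity case that goes undetected when pps is not monitored.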

Follow these steps to obtain bps and pps data:

  1. In the ESA console, choose Websites, and in the Website column, click the target website.

  2. In the left navigation pane, choose Security > DDoS.

  3. On the DDoS page, click the DDoS Analytics tab, and then click the Network Layer (L3/4) tab.

  4. In the time filter section, select a time range. The console displays detailed Network Layer (L3/4) traffic for the selected time range. ESA also provides statistics for the Peak Attack Bandwidth and Peak Attack Packet Rate within that range.

Application layer (L7) metrics

Queries per second (QPS): The number of HTTP or HTTPS requests your app receives each second. It is a key metric for detecting Layer 7 attacks. Network-layer attacks often cause spikes in bandwidth or packet rate (bps or pps). Layer 7 attacks mimic normal users and may not change those metrics. Instead, they show up as a sudden surge in QPS, a sign of an HTTP flood that can drain CPU and memory.

Follow these steps to get QPS data:

  1. In the ESA console, choose Websites, and in the Website column, click the target website.

  2. In the left navigation pane, choose Security > DDoS.

  3. On the DDoS page, click the DDoS Analytics tab, and then click the Application Layer (L7) tab.

  4. In the time filter section, select a time range. The console displays detailed Application Layer (L7) traffic for the selected time range. ESA also provides statistics for the Peak Traffic During HTTP Traffic Scrubbing and Peak Traffic During HTTPS Traffic Scrubbing within that range.

Traffic scrubbing events

When your service is under a large-scale DDoS attack, ESA performs traffic scrubbing to monitor, analyze, and filter traffic in real time. It separates malicious attack traffic from normal traffic and then blocks or discards the attack traffic, so that only legitimate traffic reaches the target server. This ensures the normal operation of the server and the availability of your network service. Different types of attacks trigger traffic scrubbing events at different layers:

  • Network layer scrubbing events: Traffic scrubbing may be triggered if an attack reaches 5 Gbps or more.

  • Application layer scrubbing events: ESA uses deep learning based on data baselines of domain name access QPS and abnormal status codes from the origin server. It then performs traffic scrubbing based on the actual scale of your service.

Follow these steps to obtain detailed records of scrubbing events:

  1. In the ESA console, choose Websites, and in the Website column, click the target website.

  2. In the left navigation pane, choose Security > DDoS.

  3. On the DDoS page, click the DDoS Analytics tab. As needed, you can click the Network Layer (L3/4) or Application Layer (L7) tab. Scroll to the bottom of the page to view the details of scrubbing events.

Review historical attack details

The Attack Details tab provides a forensic log of detected and mitigated DDoS attacks. You can filter this log by time and attack type to investigate specific incidents. This view is useful for:

  • Identifying trends in the types of attacks targeting your website.

  • Reviewing the peak magnitude of past attacks.

  • Correlating attack events with other incidents in your infrastructure.

Follow these steps to see attack details:

  1. In the ESA console, choose Websites, and in the Website column, click the target website.

  2. In the left navigation pane, choose Security > DDoS.

  3. On the DDoS page, click the Attack Details tab. From the drop-down lists, select an attack type and a time range to view the Volumetric Attack Peak, Web Resource Exhaustion Attack, Connection Flood Attack Peak, and attack event details.