Analyze Request Traffic

Last updated: 2026-01-30 14:09:12

When an attack successfully bypasses current defenses, the Request Traffic module provides you with the critical data needed for retrospective analysis. This module comprehensively records both real-time and historical views of all HTTP requests, including those not detected by the current security policies. It helps you accurately identify abnormal access patterns, perform an in-depth analysis of suspicious traffic sources and behaviors, and use this insight to create new protection strategies.

Go to Request Traffic

  1. Log in to the CDNetworks Console and find the security product in use under Subscribed Products.
  2. Go to Analysis & Logs > Security Analysis > Request Traffic.

Attack Analysis Process

Step 1: Select Analysis Target

1. Identify the Analysis Target

When you need to quickly know which website hostname is under attack, you can locate it immediately by any of the following methods:

  • View Real-time Alerts: It is recommended to configure and monitor security alert notifications, which directly specify the attacked hostnames. Go to the Analysis & Logs > Alert Management page and enable system-defined alert rules or configure custom alert rules according to your business needs.
  • View Website Security Trends: Go to the Analysis & Logs > Web Security Trends page and focus on the Top Attack Target hostname rankings to quickly identify the primary targets.

2. Add Attacked Hostname

The Security Analysis feature is designed for in-depth analysis of a single hostname. After entering the page, select the hostname you wish to analyze. Once selected, the page displays that hostname's traffic for the past 24 hours by default.

Step 2: Analyze Traffic and Threats

1. View Overall Traffic Using Statistical Trends

The Statistical Trends section displays the overall trend of request traffic. You can use this view to understand the distribution and direction of traffic, determine whether there are abnormal access patterns, and review the current protection status.

  • Traffic processing and direction analysis: By default, this chart shows the processing results and trend changes for the following three types of traffic.
    Request Processing Results | Description
    ---------------------------|------------
    Security Mitigated Request | Requests that hit the security policy and are denied, blocked, challenged, or responded to with a Captcha.
    Back-to-origin Request     | Requests forwarded to the origin server for processing.
    CDN Served Request         | Requests served by the CDN.
  • View traffic trends across different dimensions: This chart allows you to select various statistic dimensions and displays the top 5 values in the selected dimension along with their trend over time. This helps you quickly understand the distribution and fluctuation of traffic in key dimensions. Optional dimensions include Request Info such as Host, Client IP, and Country/Region, as well as Protection Status such as Security Action and Policy Type.

2. Analyze Attack Patterns Using Top Statistics

Typically, normal requests are distributed evenly, while attack traffic often displays identifiable abnormal patterns. Typical characteristics include: a high frequency of requests to specific endpoints (such as login pages or API interfaces) within a short period; highly concentrated sources of attack traffic; and requests containing malicious characters.

The Top Statistics section provides top rankings for various dimensions, displaying fields that occur most frequently in requests to help you quickly identify anomalies.

3. Adjust the Analysis Scope Using Filters

During analysis, you can flexibly adjust the scope of the dashboard statistics in the following two ways to focus on specific traffic:

  • Manually Add Filter Conditions:
  1. Select the time range you want to focus your analysis on.
  2. Click the filter icon. In the input field, you can manually add fields, operators, and values to Filter or Exclude specific data dimensions. For example, to filter logs by client IP, select Client IP, choose the equals operator, and enter the IP address.
  • Quick Filtering by Chart Legend: When you hover your mouse over the legend in the chart, the Filter and Exclude buttons will appear. Click the corresponding button to instantly filter or exclude data based on the field value represented by that legend item.

Note: The relationship between multiple values for the same query field is “OR”, while the relationship between multiple query fields is “AND”. For example, the conditions Client IP equals 127.0.0.1 AND Status Code equals 403 OR 404 search for data that matches both the client IP 127.0.0.1 and the status code 403 or 404.
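The filter semantics in the note above, combined with a Top Statistics style ranking, as an added example that is not CDNetworks code. The log records are constructed and the field names (`client_ip`, `path`, `status`) and the 40% concentration threshold are assumptions for illustration.

```python
from collections import Counter

# Constructed sample records. Field names are assumptions for this example,
# not the console's actual log schema.
SAMPLE_LOGS = [
    {"client_ip": "198.51.100.23", "path": "/login", "status": 403},
    {"client_ip": "198.51.100.23", "path": "/login", "status": 403},
    {"client_ip": "198.51.100.23", "path": "/login", "status": 404},
    {"client_ip": "198.51.100.23", "path": "/api/v1/token", "status": 403},
    {"client_ip": "198.51.100.23", "path": "/login", "status": 200},
    {"client_ip": "203.0.113.5", "path": "/", "status": 200},
    {"client_ip": "203.0.113.5", "path": "/login", "status": 403},
    {"client_ip": "192.0.2.44", "path": "/products", "status": 200},
    {"client_ip": "192.0.2.44", "path": "/missing", "status": 404},
    {"client_ip": "192.0.2.80", "path": "/about", "status": 200},
]


def apply_filters(records, conditions):
    """Keep records matching every field in `conditions` (field -> set of values).

    Values listed for one field are ORed; different fields are ANDed.
    """
    return [
        r for r in records
        if all(r.get(field) in values for field, values in conditions.items())
    ]


def top_values(records, field, n=5):
    """Return [(value, count, share_of_total)] for the n most frequent values."""
    counts = Counter(r[field] for r in records)
    total = sum(counts.values())
    return [(v, c, c / total) for v, c in counts.most_common(n)] if total else []


def concentrated(records, field, threshold=0.4):
    """Values that alone account for more than `threshold` of the records."""
    return [v for v, _, share in top_values(records, field) if share > threshold]


if __name__ == "__main__":
    # Client IP equals 198.51.100.23 AND Status Code equals 403 OR 404
    hits = apply_filters(SAMPLE_LOGS, {"client_ip": {"198.51.100.23"}, "status": {403, 404}})
    print(top_values(hits, "path"))
    print(concentrated(SAMPLE_LOGS, "client_ip"), concentrated(SAMPLE_LOGS, "path"))
```
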

Step 3: Verify Analysis Results

1. View Sample Logs

After completing the macro trend analysis, you can view the detailed field information for each request in the Sample Logs section. This allows you to further review specific details to determine and confirm whether the request is abnormal.

Log Sampling Techniques

To balance data size and query performance, Security Analysis applies log sampling when processing large amounts of data, which keeps page responses fast while preserving the accuracy of statistical results. When viewing sample logs, if the request volume within the query range is too large, the logs displayed are sampled results. You can adjust and refine the filter criteria to display more complete events. Security Analysis primarily utilizes the following log sampling techniques:

  • Data Ingestion with Dynamic Sampling: When logs are ingested, the system automatically adjusts the sampling rate according to the request volume of the domain during the current period. The current system supports sampling rates of 100%, 10%, and 1%.

  • Data Query with Intelligent Routing: When you execute a query, the system automatically selects and reads the data table with the appropriate sampling rate based on the query time range, filter criteria, and historical data distribution.
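Why row counts in sampled logs are not request counts, shown as an added example that is not CDNetworks code or a description of its implementation. It assumes you hold sampled records from periods ingested at different rates and know each record's rate; the `sample_percent` field is hypothetical and the records are constructed.

```python
from collections import Counter

SUPPORTED_PERCENT = (100, 10, 1)  # sampling rates listed on the page

# Constructed sampled records. "sample_percent" is a hypothetical field
# carrying the rate in force when the record was ingested.
SAMPLED = [
    *[{"client_ip": "192.0.2.10", "sample_percent": 100}] * 6,    # quiet period
    *[{"client_ip": "198.51.100.23", "sample_percent": 1}] * 3,   # traffic peak
    *[{"client_ip": "203.0.113.5", "sample_percent": 10}] * 2,
]


def weight(record):
    """Number of real requests one sampled record stands for (inverse of its rate)."""
    pct = record["sample_percent"]
    if pct not in SUPPORTED_PERCENT:
        raise ValueError(f"unexpected sampling rate: {pct}%")
    return 100 // pct


def raw_counts(records, field):
    """Count sampled rows per value, ignoring the sampling rate."""
    return Counter(r[field] for r in records)


def estimated_counts(records, field):
    """Estimate real request counts per value by weighting each row by 1/rate."""
    estimate = Counter()
    for r in records:
        estimate[r[field]] += weight(r)
    return estimate


def ranking(counter):
    """Values ordered from most to least frequent."""
    return [value for value, _ in counter.most_common()]


if __name__ == "__main__":
    print("by sampled rows:   ", ranking(raw_counts(SAMPLED, "client_ip")))
    print("by estimated total:", ranking(estimated_counts(SAMPLED, "client_ip")))
```

The source that looks smallest by sampled rows during the peak is the largest once each row is weighted by its rate, so compare sources only after weighting.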