View attack traffic trends and details

It’s important to monitor the volume and variety of attack traffic and hunt down details when necessary. The Attack traffic section lets you look back over the last three months. It features a variety of charts to help you understand all the unwanted requests you’re getting and also how protections have responded.

To set the time period you want to view, click the dropdown on the right side of the Attack traffic section. You can select any period within the last 90 days, and your choice sets the dates for data shown in all the charts beneath it.

Interact with attack traffic charts

In all these charts, it’s easy to see specifics, zoom in on a traffic spike, or drill down for more details. On charts, you can:

  • view the details for a specific moment in time by hovering over a point on the timeline.
  • view numbers for a chart data element by hovering over it.
  • show or hide chart data elements by clicking the element name in the legend.
  • zoom in on a selected time period by clicking on the timeline and dragging to the point you want. To return to the previous period, click the Reset zoom button.
  • see when you activated new versions of the security configuration by finding purple diamonds that sit high over the timeline. To see details, hover over one.
  • change the statistics you see by clicking the View by dropdown and selecting:
    • Hits. Individual file requests made to your website, like to load an image, for example. A single page request may result in many hits depending upon what elements a page contains.
    • Bandwidth. Amount of data delivered to a visitor.
    • Page requests. Each visitor’s call to view a web page, or run a command.
    • Error views. Hits that occur when there’s a problem. For example, when visitors request a missing web page, they’ll see a 404 page not found error.

View high-level response trends

The Mitigated vs. unmitigated traffic chart breaks down attack traffic into requests that got a mitigating response action, like deny, and those that got a non-mitigating response, like alert.

Mitigating vs. non-mitigating actions

Actions that merely report or log a detection are non-mitigating actions, meaning that they don't affect the request when an attack is detected. Any action that denies a request, slows a response, or throws up a challenge mitigates the request in some way.

It's a security best practice to start protection setup using non-mitigating actions (like alert), which only log detections, so you can track activity until you're confident that settings are effectively identifying attack requests. At that time, change response actions to mitigating actions, like deny or challenge, to actually block or control unwanted requests.

The faster you move to mitigating actions, the better, and having done so is one measure that informs your security posture score.

See what portion of requests are attacks

Click the Attack vs. total traffic tab to see how much of your web traffic is classified as attack. The amount may change over time. An unusual red spike can indicate a concentrated attack taking place within a short time period.

View attack types and response details

Get an overview of the kinds of web application attacks detected and drill down into details. The Security controls triggered line chart shows the volume of attacks separated out by type. Types are the protections you set when you create your security configuration:

  • IP/Geo firewall. Requests that violate IP address or geographic regions that you've blocked or excluded.
  • DoS protection. Requests that come at an excessively high or low rate.
  • Custom rules. Violations of any custom rules you set.
  • Web application firewall. Requests flagged by the Adaptive Security Engine that protects your site and APIs against web application attacks like SQL injection, cross-site scripting, and many more.
  • Client reputation. Requests from clients known to be malicious (based on Akamai’s visibility into prior behavior of individual and shared IP addresses).
  • General bot. Bots flagged by basic detections that come with App & API Protector or Bot Manager Standard.
  • Sophisticated bot. Advanced detections to handle adversarial bots and protect important transactional pages, like login or checkout. These detections track request behavior and are also called transactional endpoint protection.
  • User risk. Requests flagged for end-user account takeover, account opening, and other abuses.

The line chart view helps you see trends of different attack types through time. To quickly view attack types in proportion to each other, go to the top of the chart and switch Line chart to Donut chart.

To see the precise statistics that underlie this chart, click Detailed analysis. A panel slides open showing a table of statistics by attack type. To drill down and learn more about a group of requests, click a blue number in either the mitigated (the response action you set denied, slowed, or otherwise challenged the requestor) or unmitigated (the response action merely logged the bad request) column. Those values are links that open, in Web Security Analytics, a detailed breakdown of the flagged requests that make up the number.
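The mitigated and unmitigated columns of that table, and the earlier advice to move from alert to mitigating actions, can be reproduced offline from exported events. This is an added example, not Akamai code or an Akamai export format: the event tuples, the action labels and the function names are all constructed for illustration.

```python
from collections import defaultdict

# Actions the page describes as mitigating (deny, slow a response, challenge).
# The literal labels used here are constructed for this example.
MITIGATING = {"deny", "challenge", "slow"}

# Constructed sample events: (security control, response action).
SAMPLE_EVENTS = [
    ("Web application firewall", "deny"),
    ("Web application firewall", "deny"),
    ("Web application firewall", "alert"),
    ("DoS protection", "slow"),
    ("Custom rules", "alert"),
    ("Custom rules", "alert"),
    ("General bot", "challenge"),
    ("Client reputation", "alert"),
]

def tally(events):
    """Build {control: {"mitigated": n, "unmitigated": n}} from events."""
    table = defaultdict(lambda: {"mitigated": 0, "unmitigated": 0})
    for control, action in events:
        # Anything not explicitly mitigating (alert, unknown) counts as unmitigated.
        column = "mitigated" if action.lower() in MITIGATING else "unmitigated"
        table[control][column] += 1
    return dict(table)

def alert_only_controls(table):
    """Controls that detected attacks but never applied a mitigating action."""
    return sorted(c for c, n in table.items()
                  if n["mitigated"] == 0 and n["unmitigated"] > 0)

def mitigated_share(table):
    """Fraction of all flagged requests that received a mitigating action."""
    total = sum(n["mitigated"] + n["unmitigated"] for n in table.values())
    mitigated = sum(n["mitigated"] for n in table.values())
    return mitigated / total if total else 0.0

if __name__ == "__main__":
    table = tally(SAMPLE_EVENTS)
    for control, n in sorted(table.items()):
        print(f"{control:28} mitigated={n['mitigated']} unmitigated={n['unmitigated']}")
    print("Still alert-only:", ", ".join(alert_only_controls(table)))
    print(f"Mitigated share: {mitigated_share(table):.0%}")
```

Controls listed as alert-only are the ones to review first when deciding where to switch from alert to deny or challenge.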

Identify geographic areas where attacks originate

See at a glance where unwanted requests are coming from. The Attack origin by country/area section shows you a map of attack sources. Mouse over a highlighted region to see detailed numbers and click through to see details in Web Security Analytics.

Know which of your assets are attacked most

To see where attackers strike most often, view the Top targets section, which lists your hostnames from top to bottom, with the most-targeted at the top. Click All targeted hostnames to see a complete list and click through to see detailed numbers in Web Security Analytics.