Cloudflare Docs
Radar
Visit Radar on GitHub
Set theme to dark (⇧+D)

Network layer attacks

Network layer attacks show DDoS attack trends at the network layer. These attacks can be split by the network protocol they use: ICMP, TCP, UDP and others.

When filtering by location or autonomous system (AS), we are filtering by the source location/AS of the attack — which can be very different to the location of the human orchestrator of the attack. Refer to botnets for more information.

​​ List of endpoints

​​ Timeseries

​​ Example: hourly percentage breakdown by attack method

In the following example, we will examine the worldwide versus Singapore distribution of mitigated attacks by network protocol:

curl -X GET "https://api.cloudflare.com/client/v4/radar/attacks/layer3/timeseries_groups?name=global&dateRange=1d&location=&name=singapore&location=SG&dateRange=1d&aggInterval=1h&format=json" \
-H "Authorization: Bearer <API_TOKEN>"

If we inspect the abbreviated response below, we can conclude that globally, at those timestamps, UDP and TCP attacks were mostly evenly split.

{
"success": true,
"errors": [],
"result": {
"global": {
"timestamps": ["2022-11-06T13:00:00Z", "2022-11-06T14:00:00Z", "..."],
"udp": ["50.784034", "51.055221", "..."],
"tcp": ["49.213944", "48.943769", "..."],
"icmp": ["0.002023", "0.001009", "..."],
"gre": ["0.0", "0.0", "0.0", "..."]
},
"singapore": {
"timestamps": ["2022-11-06T13:00:00Z", "2022-11-06T14:00:00Z", "..."],
"tcp": ["79.605287", "83.943885", "..."],
"udp": ["20.394594", "16.056115", "..."],
"icmp": ["0.000119", "0.0", "..."],
"gre": ["0.0", "0.0", "..."]
},
"meta": {
"dateRange": {
"startTime": "2022-11-06T13:00:00Z",
"endTime": "2022-11-07T13:00:00Z"
},
"normalization": "PERCENTAGE",
}
}
}

We can also conclude that the distribution of network layer attacks coming from Singapore — or, more accurately, reaching Cloudflare’s data center located in Singapore — differs quite a bit from the worldwide distribution. At those times, the distribution of network layer attacks clearly favors TCP.

For more information refer to the API reference for this endpoint.

​​ Summary

​​ Example: Russia - overall percentage breakdown by network protocol

We can also filter by source location and examine attacks coming from Russia:

curl -X GET "https://api.cloudflare.com/client/v4/radar/attacks/layer3/summary?location=RU&name=attacks_ru&dateRange=1d&format=json" \
-H "Authorization: Bearer <API_TOKEN>"
{
"success": true,
"errors": [],
"result": {
"attacks_ru": {
"udp": "86.682356",
"tcp": "11.928664",
"gre": "1.381015",
"icmp": "0.007965"
},
"meta": {
"dateRange": {
"startTime": "2022-11-06T15:00:00Z",
"endTime": "2022-11-07T15:00:00Z"
},
"normalization": "PERCENTAGE"
}
}
}

The response shows that the attacks coming from Russia to other locations tended to use the UDP network protocol at those timestamps.

For more information refer to the API reference for this endpoint.

​​ Next steps

Refer to DNS to learn more about the aggregated and anonymized DNS queries to Cloudflare’s 1.1.1.1 public resolver service.