Cloudflare DDoS Attack Analytics

Ingests Cloudflare DDoS attack analytics using the GraphQL Analytics API. This input collects detailed information about DDoS attacks detected and mitigated by Cloudflare, including attack metrics, mitigation actions, and network-layer attack vectors from the dosdAttackAnalyticsGroups dataset.

Sync Type: Incremental

Requirements

  • A Cloudflare account with an Enterprise plan that includes Magic Transit, Spectrum, or Magic WAN
  • An API Token with the Account Analytics:Read permission
  • Your Cloudflare Account ID

Plan Requirements

The DDoS Attack Analytics API is only available to Enterprise customers with specific add-ons:

| Add-on | Availability |
| --- | --- |
| Magic Transit | Enterprise only |
| Spectrum | Enterprise only |
| Magic WAN | Enterprise only |

If your account does not have one of these services enabled, you will not have access to DDoS attack analytics data.

Creating an API Token

  1. Log in to your Cloudflare dashboard
  2. Navigate to My Profile > API Tokens
  3. Click Create Token
  4. Use the Create Custom Token option
  5. Configure the token:
    • Token name: Give it a descriptive name (e.g., "Monad DDoS Attack Analytics")
    • Permissions: Add Account > Account Analytics > Read
    • Account Resources: Select the specific account(s) or "All accounts"
  6. Click Continue to summary and then Create Token
  7. Copy the token value (you won't be able to see it again)

Finding Your Account ID

  1. Log in to your Cloudflare dashboard
  2. Select the account you want to monitor
  3. The Account ID is displayed in the right sidebar on the overview page
  4. Alternatively, find it in the URL: https://dash.cloudflare.com/{account_id}/...

Details

  • State Management: Uses timestamp-based incremental sync with attack ID deduplication. Monad stores the last processed event timestamp and attack ID to fetch only new attacks on subsequent runs.
  • API Endpoint: GraphQL Analytics API (/graphql)
  • Dataset: dosdAttackAnalyticsGroups
  • Pagination: Time-window based pagination. The API defines maximum query duration and retention limits. The input automatically chunks requests into time windows to handle large time ranges while respecting API constraints.
  • Rate Limits: 300 requests per 5 minutes (1 request per second). The input automatically enforces this limit.
  • Data Retention: The API provides attack data with specific retention periods (typically 30 days for standard retention, extensible for Enterprise customers). The input respects retention limits and adjusts queries accordingly.
  • Time Window Optimization: Queries are automatically windowed to the API's maximum query duration (typically 1 hour) to prevent timeouts on large date ranges.
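
The windowing, retention clamp and deduplication described in the list above can be sketched as follows. This is an added example, not Monad's implementation: the function names, the cursor shape (last timestamp plus the attack IDs seen at that timestamp), the use of startDatetime as the event timestamp, and the fixed 30-day and 1-hour limits are assumptions.

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)   # "typically 30 days" per the page; assumed fixed here
MAX_WINDOW = timedelta(hours=1)  # "typically 1 hour" per the page; assumed fixed here

def parse_rfc3339(value):
    """Parse e.g. 2024-01-15T10:30:00Z into an aware UTC datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("invalid backfill_start_time format: missing UTC offset")
    return dt.astimezone(timezone.utc)

def plan_windows(start, now):
    """Clamp start to the retention limit, then split [start, now) into windows."""
    start = max(start, now - RETENTION)
    windows = []
    while start < now:
        end = min(start + MAX_WINDOW, now)
        windows.append((start, end))
        start = end
    return windows

def advance(cursor, records):
    """Drop records already covered by cursor; return (fresh, new_cursor).

    cursor is None or (last_timestamp, attack_ids_seen_at_that_timestamp).
    """
    last_ts, seen = (cursor[0], set(cursor[1])) if cursor else (None, set())
    keyed = sorted((parse_rfc3339(r["startDatetime"]), r["attackId"], i)
                   for i, r in enumerate(records))
    fresh = []
    for ts, attack_id, i in keyed:
        if last_ts is not None and (ts < last_ts or (ts == last_ts and attack_id in seen)):
            continue  # ingested on an earlier run or in an overlapping window
        if ts != last_ts:
            last_ts, seen = ts, set()
        seen.add(attack_id)
        fresh.append(records[i])
    return fresh, (last_ts, seen)
```

With these figures a backfill older than retention plans 720 windows, so at 1 request per second it needs at least 12 minutes if each window takes a single request.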

Configuration

Settings

| Setting | Type | Required | Description |
| --- | --- | --- | --- |
| account_id | string | Yes | Cloudflare Account ID (32-character alphanumeric string) |
| backfill_start_time | string | No | The date to start fetching data from. If not specified, no past records will be fetched. |

Secrets

| Secret | Type | Required | Description |
| --- | --- | --- | --- |
| api_token | string | Yes | Cloudflare API Token with Account Analytics:Read permission |

Rate Limits

| Limit | Value | Notes |
| --- | --- | --- |
| Requests per 5 minutes | 300 | GraphQL Analytics API limit |
| Requests per second | 1 | Enforced by rate limiter |
| Data retention | 30 days | Standard retention; Enterprise plans may have extended retention |
| Max query duration | 1 hour | Automatic time windowing is applied |

Headers: Authorization: Bearer <api_token>

Source: Cloudflare DDoS Protection Analytics API Reference

Troubleshooting

Common Issues

Issue: GraphQL error with authentication message
Cause: The API token is invalid, expired, or lacks the required permissions.
Solution: Verify your API token is correct and has the Account Analytics:Read permission. Create a new token if needed.

Issue: Account ID is required validation error
Cause: The Account ID field was left empty.
Solution: Enter your Cloudflare Account ID in the settings. You can find this in your Cloudflare dashboard.

Issue: invalid backfill_start_time format error
Cause: The backfill start time is not in RFC3339 format.
Solution: Use valid RFC3339 format like 2024-01-15T10:30:00Z or 2024-01-15T10:30:00+00:00.

Issue: Feature not available error
Cause: Your account does not have an Enterprise plan with Magic Transit, Spectrum, or Magic WAN enabled.
Solution: Contact Cloudflare sales to enable DDoS Attack Analytics for your account.

Issue: No data returned despite DDoS attacks occurring
Cause: The backfill start time may exceed your plan's data retention, or there may be no attacks in the time range.
Solution: Check your plan's data retention limits. Adjust the backfill start time to stay within the retention window (typically 30 days).

Issue: Queries time out or fail with max_duration exceeded
Cause: The time range is too large for a single query.
Solution: The input automatically handles this by windowing queries to 1-hour intervals. This is normal and will resolve automatically.

Issue: API returned success=false with permission error
Cause: The API token lacks proper permissions for DDoS attack data access.
Solution: Verify the token has Account Analytics:Read permission. Some organizations may require additional security reviews before accessing this data.

Sample Record

{
  "attackId": "550e8400-e29b-41d4-a716-446655440000",
  "attackType": "udp",
  "attackVector": "UDP Flood",
  "bits": 2500000000,
  "packets": 1500000,
  "droppedBits": 2500000000,
  "droppedPackets": 1500000,
  "startDatetime": "2024-01-15T10:30:00Z",
  "endDatetime": "2024-01-15T10:31:00Z",
  "sourceIp": "203.0.113.25",
  "sourcePort": 12345,
  "destinationIp": "198.51.100.42",
  "destinationPort": 53,
  "ipProtocol": 17,
  "ipProtocolName": "udp",
  "mitigationType": "dosd",
  "mitigationReason": "auto_mitigation",
  "mitigationScope": "global",
  "ruleId": "c41d8cd98f00b204e9800998ecf8427e",
  "ruleName": "DDoS Attack Prevention",
  "rulesetId": "d41d8cd98f00b204e9800998ecf8427e",
  "rulesetOverrideId": "",
  "tcpFlags": 0,
  "tcpFlagsNames": "",
  "commonTcpFlags": 0,
  "commonTcpFlagsNames": ""
}