NAv2 node reference
Main nodes provide deep packet-level information about traffic and attacks for Spectrum customers and Magic Transit customers.
Use the main node to query traffic and attacks at a high level, as seen at the Cloudflare edge:
Each row represents a packet sample. The sample rate of main nodes is 1/10,000 packets.
If you are using both Magic Transit and Spectrum for IP addresses that overlap, you can use only the Magic Transit node.
This node provides information about DDoS attacks detected and mitigated by Cloudflare’s main DDoS protection system, the denial of service daemon (dosd). This node includes attack metadata such as:
Each row represents an attack event. Each attack has a unique ID.
The sample rate is 1/10,000 packets.
This node complements the information in the dosdAttackAnalyticsGroups node. It provides deep packet-level information about DDoS attack packets mitigated by dosd, including fields such as:
Each row represents a packet sample. The sample rate is 1/10,000 packets.
This node is only available to Magic Transit customers. It provides metadata about out-of-state TCP DDoS attacks mitigated by flowtrackd, Cloudflare’s Advanced TCP Protection system.
flowtrackd does not use the following ID fields: attack ID, rule ID, and ruleset ID.
The sample rate is dynamic and based on the volume of packets, ranging from 1/100 to 1/10,000 packets.
Each row represents a packet sample that matches a Magic Firewall rule.
Magic Firewall does not use attack IDs, only rule IDs and ruleset IDs.
The sample rate is dynamic and based on the volume of packets, ranging from 1/100 to 1/1,000,000 packets.
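Because the sample rate is dynamic, sampled rows cannot be scaled to traffic totals with one constant multiplier. The following added example (not part of the original reference, and not Cloudflare code) weights each row by its own sample interval and reports a standard error per rule ID. It assumes each row carries its sample interval; the field names `rule_id`, `sample_interval` and `ip_length` are hypothetical and the rows are constructed.

```python
import math
from collections import defaultdict

# Constructed sample rows (not real output). Field names are hypothetical;
# sample_interval = N means the row was sampled at a rate of 1/N packets.
ROWS = [
    {"rule_id": "rule-a", "sample_interval": 100, "ip_length": 60},
    {"rule_id": "rule-a", "sample_interval": 100, "ip_length": 1500},
    {"rule_id": "rule-a", "sample_interval": 10_000, "ip_length": 40},
    {"rule_id": "rule-b", "sample_interval": 1_000_000, "ip_length": 40},
]

# Dynamic range stated above for Magic Firewall samples: 1/100 to 1/1,000,000.
MIN_INTERVAL, MAX_INTERVAL = 100, 1_000_000


def estimate_by_rule(rows):
    """Scale sampled rows to estimated packet and byte totals per rule ID.

    Each row counts as `sample_interval` packets (Horvitz-Thompson estimate).
    Treating sampling as independent per packet, the variance of the packet
    estimate is the sum of w * (w - 1) over the rows.
    """
    acc = defaultdict(lambda: {"samples": 0, "packets": 0, "bytes": 0, "var": 0})
    for row in rows:
        w = row["sample_interval"]
        if not MIN_INTERVAL <= w <= MAX_INTERVAL:
            raise ValueError(f"sample interval {w} is outside the stated range")
        a = acc[row["rule_id"]]
        a["samples"] += 1
        a["packets"] += w
        a["bytes"] += w * row["ip_length"]
        a["var"] += w * (w - 1)
    return {
        rule: {
            "samples": a["samples"],
            "est_packets": a["packets"],
            "est_bytes": a["bytes"],
            "packets_stderr": math.sqrt(a["var"]),
        }
        for rule, a in acc.items()
    }


if __name__ == "__main__":
    for rule, est in estimate_by_rule(ROWS).items():
        print(rule, est)
```

A rule seen in a single row at 1/1,000,000 has a standard error about as large as the estimate itself, so low-sample groups are best read as "observed" rather than as a packet count.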