Traffic Metrics
Both DDoS Protection and EIP Blocked Rules monitor four key traffic metrics. Understanding these metrics helps you interpret protection events and configure appropriate thresholds.
BPS (Bits Per Second)
BPS measures the total bandwidth of traffic flowing to or from your EIP. It is the primary metric for detecting volumetric DDoS attacks.
Common attack scenarios:
Amplification attacks (DNS, NTP, memcached): small spoofed requests trigger large responses from third parties, all directed at your EIP.
Large-payload floods: oversized UDP or HTTP requests sent at volume to saturate your available bandwidth.
PPS (Packets Per Second)
PPS measures the rate of individual packets arriving at your EIP, regardless of packet size. High PPS attacks can overwhelm network interfaces and processing capacity even when total bandwidth remains moderate.
Common attack scenarios:
Small-packet floods: minimal-size UDP or ICMP packets designed to exhaust packet processing capacity rather than bandwidth.
SYN floods: millions of TCP connection-initiation packets per second, overwhelming the connection tracking table.
InCPS (Inbound Connections Per Second)
InCPS measures the rate of new inbound connection attempts to your EIP. It is critical for detecting application-layer attacks that exhaust server resources by rapidly opening new connections.
Common attack scenarios:
HTTP connection floods: botnets opening thousands of simultaneous connections to web servers, exhausting connection pools.
Slowloris-style attacks: connections established but kept open indefinitely, consuming connection table resources without completing requests.
OutCPS (Outbound Connections Per Second)
OutCPS measures the rate of new outbound connections initiated from your EIP. This metric is unique to EIP Blocked Rules and detects potentially compromised instances participating in outbound attacks or scanning.
Common trigger scenarios:
Compromised instance: a botnet client initiating outbound DDoS attacks or network scans from your instance.
Spam campaigns: rapid outbound SMTP connections from a compromised host sending phishing or spam emails.
Last updated