Webshield Observability

The Webshield is deeply integrated with ClickHouse. Each block incident is also registered in a special table in the database: blocked_users.

The table schema is as follows:

CREATE TABLE blocked_users (
    address IPv6,
    tft UInt64,
    tfh UInt64,
    reason UInt64,
    timestamp DateTime(3, 'UTC'),
    PRIMARY KEY (timestamp)
)

One important thing to understand: the client can configure different detectors, for example tft_rps and tfh_time. These types of detectors aggregate access logs by TFt or TFh respectively, and as a result, the address field should be empty because many IP addresses might fall under the same TFt or TFh. Similarly, if bad traffic is detected using IP_RPS, the tft and tfh fields should be empty. In other words, this table actually records the characteristic of the user (or group of users) that caused the block.

Field meanings:

Field Name	Description
address	The IP address of the blocked user
tft	The TFt hash of the blocked user
tfh	The TFh hash of the blocked user
reason	The reason why the block was performed
timestamp	The time when the block was made

Block reason codes:

Reason	Description
0	Exceeded RPS threshold
1	Exceeded HTTP errors threshold
2	Exceeded accumulative response time threshold
3	Exceeded unusual city GeoIP requests threshold

Webshield Observability

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Contents

Clone this wiki locally