How-to
Reading an ASN Detail Page
Edge-mitigation banner, status-code panel, firewall actions, cache outcome, top paths, alert history — what every panel on AsnDetail tells you.
Every row on the Offenders page drills into a per-ASN detail view. Use it when you need to answer: "is this ASN being mitigated, and is the mitigation appropriate?"
Edge-mitigation banner (top of page)
The red "This ASN is being mitigated at the edge" banner appears when either of these signals trips:
- ≥ 50% of requests matched a mitigating Cloudflare firewall action (block, managed_challenge, challenge, jschallenge, connectionClose)
- ≥ 50% of requests didn't reach a cache decision (cache_unknown_rate high — typical of edge-layer blocks before origin lookup)
The banner is silent when only monitor-mode rules (log / allow) are matching, because those don't actually interfere with the request. A residential ISP showing 100% log matches is not "blocked" — it's being observed by an analytics rule.
If the banner fires unexpectedly, check Cloudflare → Security → Events for which rule is firing.
Stat tiles (rows 1 and 2)
- Total requests — count for this ASN, with share-of-total
- 499 rate — share where the client gave up (scraper signature)
- Cache bypass rate — share that went to origin instead of cache
- 499 count — raw count of 499 responses
- Hit rate — cache-hit share. Renders "—" when cache outcomes are dominated by unknown (typical of edge-blocked ASNs — see banner above for why)
- Egress bytes — total bytes returned to clients
- Bytes per request — typical browsing is 30–80 kB; under 8 kB suggests JSON-API scraping; over 500 kB is bulk asset leeching
- Share of total — this ASN's percentage of the site's overall traffic
Requests over time
Stacked status-class timeseries with a dashed Site-wide baseline overlay. Alert markers (red dashed lines) show when detectors fired on this ASN.
Cache outcome breakdown
How Cloudflare's cache treated this ASN's requests. hit is good; dynamic / miss / expired mean origin was hit. unknown (large share) is the edge-block signature.
HTTP status codes (added 2026-04-24)
Specific HTTP codes Cloudflare returned: 403 (WAF block), 404 (path not found), 429 (rate-limited), 499 (client hung up), 500/502/504 (origin error), 530 (Cloudflare itself blocked, typically WAF rule action). Stacked bar with chip legend showing exact counts per code.
For data captured before 2026-04-24, only the class is available — the panel falls back to a class-only view (4xx / 5xx) with a one-line note explaining the rollover.
What the codes tell you on a blocked ASN:
- 403 dominant — origin (or Cloudflare) hard-rejected the request
- 530 dominant — Cloudflare itself blocked at the edge (rule, rate-limit, bot-score challenge)
- 500/502/504 dominant — scanner found a real endpoint that's crashing or timing out (worst case — investigate what's broken)
- 404 dominant — path doesn't exist; if combined with high distinct-path-count, the ASN is probing
Firewall actions (added 2026-04-24)
What Cloudflare's firewall did with each request, broken down by action:
| Action | What it means |
|---|---|
| none | No rule matched. Request passed through normally. |
| log | A rule matched but took no action (monitor mode). |
| allow / bypass / skip | Explicit allow rule fired. |
| challenge / managed_challenge / jschallenge | Client had to solve a challenge. |
| block | Hard reject at the edge. |
| connectionClose | TCP reset (anti-DDoS). |
The panel headline summarises in one of five tiers:
- Heavily mitigated (≥ 80% mitigating actions, red)
- Mitigated (≥ 30%, amber)
- Partial mitigation (> 0%, amber)
- Monitor mode (≥ 50% log/allow, no mitigation, blue) — rules are matching but not enforcing
- Unfiltered (no rules matching, grey)
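The banner rule and the five headline tiers, applied to per-action and per-cache-outcome request counts. This is an added example, not the product's own code. The function names, the input shape, treating bypass/skip as part of "log/allow", modelling cache_unknown_rate as the unknown share of cache outcomes, and the fall-through to Unfiltered are all assumptions.

```python
# Added example: names, input shapes and edge-case handling are assumptions.
MITIGATING = {"block", "managed_challenge", "challenge", "jschallenge", "connectionClose"}
MONITOR = {"log", "allow", "bypass", "skip"}  # assumption: allow-type actions count as "log/allow"


def share(counts, keys):
    """Fraction of all requests whose key is in `keys` (0.0 for an empty window)."""
    total = sum(counts.values())
    return sum(n for k, n in counts.items() if k in keys) / total if total else 0.0


def banner_fires(actions, cache):
    """Either signal trips the banner: >= 50% mitigating actions, or >= 50% cache 'unknown'."""
    return share(actions, MITIGATING) >= 0.5 or share(cache, {"unknown"}) >= 0.5


def headline_tier(actions):
    """Map firewall-action counts to the five headline tiers, checked top-down."""
    mitigated = share(actions, MITIGATING)
    if mitigated >= 0.8:
        return "Heavily mitigated"
    if mitigated >= 0.3:
        return "Mitigated"
    if mitigated > 0:
        return "Partial mitigation"
    if share(actions, MONITOR) >= 0.5:
        return "Monitor mode"
    # Assumption: anything left (including < 50% monitor matches) reads as unfiltered.
    return "Unfiltered"


# Constructed sample windows (not real traffic).
RESIDENTIAL_ISP = {"actions": {"log": 1000}, "cache": {"hit": 700, "miss": 300}}
EDGE_BLOCKED = {"actions": {"block": 850, "none": 150}, "cache": {"unknown": 900, "hit": 100}}
CHALLENGED = {"actions": {"managed_challenge": 350, "none": 650},
              "cache": {"dynamic": 600, "hit": 400}}

if __name__ == "__main__":
    for name, w in [("residential", RESIDENTIAL_ISP), ("blocked", EDGE_BLOCKED),
                    ("challenged", CHALLENGED)]:
        print(name, headline_tier(w["actions"]), banner_fires(w["actions"], w["cache"]))
```

The CHALLENGED window shows that a panel can read "Mitigated" while the banner stays silent, because the banner threshold (50%) is higher than the tier threshold (30%).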
Top path prefixes
Top-N paths this ASN was hitting in the window. On low-volume ASNs the list may be short; the dimensional rollup only captures the top-120 (ASN × path × …) tuples per batch.
User-agent versions
Both family and version-specific bars. A normal browser population clusters sharply on the latest 1–2 versions; a long, evenly-distributed tail (Chrome/116, /117, /118, /119, /120 etc. with comparable shares) is a classic UA-rotation bot signature.
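One way to turn the "clustered versus evenly spread" reading into a number, as an added example that is not part of the product: the share held by the top two versions plus a normalised Shannon entropy over the version counts. The function names, the cut-off values and the sample counts are assumptions; the page gives no numeric thresholds.

```python
import math

# Assumed cut-offs for illustration; the page gives no numeric thresholds.
TOP2_MIN_SHARE = 0.70
EVENNESS_MAX = 0.85


def ua_version_profile(version_counts):
    """Return (top2_share, evenness) for one UA family's version counts.

    evenness is Shannon entropy normalised to [0, 1]: 1.0 means every
    version has an identical share, values near 0 mean one version dominates.
    """
    total = sum(version_counts.values())
    if total == 0:
        return 0.0, 0.0
    shares = sorted((n / total for n in version_counts.values() if n), reverse=True)
    top2 = sum(shares[:2])
    if len(shares) < 2:
        return top2, 0.0
    entropy = -sum(p * math.log(p) for p in shares)
    return top2, entropy / math.log(len(shares))


def looks_like_ua_rotation(version_counts, min_versions=4):
    """Flag a long, evenly spread version tail; needs enough distinct versions to judge."""
    top2, evenness = ua_version_profile(version_counts)
    distinct = sum(1 for n in version_counts.values() if n)
    return distinct >= min_versions and top2 < TOP2_MIN_SHARE and evenness > EVENNESS_MAX


# Constructed samples (not real traffic).
BROWSER_POPULATION = {"Chrome/120": 6200, "Chrome/119": 2900, "Chrome/118": 500,
                      "Chrome/117": 250, "Chrome/116": 150}
ROTATING_CLIENT = {"Chrome/116": 2050, "Chrome/117": 1980, "Chrome/118": 2010,
                   "Chrome/119": 1940, "Chrome/120": 2020}

if __name__ == "__main__":
    for name, counts in [("browser", BROWSER_POPULATION), ("rotating", ROTATING_CLIENT)]:
        print(name, ua_version_profile(counts), looks_like_ua_rotation(counts))
```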
Top IPs in this ASN
Up to ~24 distinct IPs that Cloudflare's IP rollup captured for this ASN. A "—" means the ASN's IPs didn't crack the top-N rollup (low ASN volume); spin up an IP discovery window if you need full coverage for forensics.
Probe & scanner activity (when present)
If this ASN has triggered any classified probe paths (WordPress, env_secrets, git_repo, ALFA webshell, sql_dump, admin_panel, tenant_targeted), a Probe Panel renders. See Probe & Scanner Detection for family definitions.
Alert history
Last 30 days of alerts for this ASN. Stacked bar by detector kind on top, full chronological list below. Click to drill into the alert.
Pin / Ignore actions
Pin floats this ASN to the top of Offenders. Ignore hides it. Both persist across sessions in localStorage.