Path Traffic Spike Detector
Trips when a specific URL path’s traffic spikes over its own baseline — catches card-testing, credential stuffing, and cart-abuse bots that distribute across ASNs.
What it detects
Abuse that targets one specific URL but spreads across many IPs / ASNs so no single network looks suspicious. Classic examples:
- Card testing — a bot submitting stolen cards to your checkout-submit endpoint (e.g. COBilling-Submit or CheckoutServices-SubmitPayment) from a pool of residential proxies
- Credential stuffing — automated login attempts distributed across hundreds of IPs
- Grinch / inventory bots — bursts of Cart-AddProduct calls when a product drops
In all three cases the ASN distribution looks normal, but ONE path's request rate goes 5-100× above its own baseline. The path_spike detector notices that.
How it works
Every minute, the detector compares each path prefix's current 5-minute request rate against its 60-minute baseline rate. When:
current_rpm > multiplier × baseline_rpm AND current_total > min_requests
…the detector opens a warning alert. If the ratio current_rpm / baseline_rpm exceeds 3 × multiplier, the alert opens as critical instead.
When a path has no prior traffic (baseline rpm = 0) and its current total exceeds min_requests, that is an immediate critical: the attacker has just found a new endpoint, and there is no baseline to compare against.
Default thresholds
| Threshold | Default | Description |
|---|---|---|
| window_minutes | 5 | Current evaluation window |
| baseline_minutes | 60 | Baseline window (must be ≥ window_minutes) |
| multiplier | 5 | Trip when current rpm > multiplier × baseline rpm |
| min_requests | 100 | Floor on current total; 100× lower than asn_spike because per-path volume is smaller |
The min_requests floor of 100 is deliberately low. A card-testing bot sending 20-50 attempts per minute (100-250 requests in a 5-minute window) sits far below the asn_spike floor of 10,000 but is exactly the pattern we want to catch here.
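The rule above, and the open/auto-resolve behaviour described under Alert lifecycle, as an added reference implementation. This is example code written for this page, not the product's own detector, and it runs over constructed traffic rather than real logs. It assumes things the page does not state: the baseline window is the 60 minutes immediately preceding the 5-minute current window (so a brand-new path really does have baseline rpm = 0), rpm is requests in the window divided by the window length, the path prefix is the first path segment with the query string dropped, and an alert resolves on the first evaluation where its path no longer trips. The sample log is built so that one path lands exactly on the 3 × multiplier boundary, one is blocked by the min_requests floor, and one has no baseline at all.

```python
# Added example, not the product's own code: a reference implementation of the
# path_spike rule over a constructed request log, with the default thresholds
# from the table above. Assumptions the page does not state, chosen here:
#   * the baseline window is the 60 minutes immediately before the 5-minute
#     current window (so a brand-new path really has baseline rpm = 0);
#   * rpm = requests in window / window length in minutes;
#   * the "path prefix" is the first path segment with the query string dropped;
#   * an alert that no longer trips on the next evaluation resolves at once.
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULTS = {"window_minutes": 5, "baseline_minutes": 60, "multiplier": 5, "min_requests": 100}


def path_prefix(path: str) -> str:
    """Hypothetical prefixing: '/Cart-AddProduct?pid=1' -> '/Cart-AddProduct'."""
    return "/" + path.split("?", 1)[0].strip("/").split("/", 1)[0]


def evaluate(events, now, **overrides):
    """events: iterable of (datetime, path). Returns {dimensionKey: (severity, ratio)}
    for every path prefix that trips the rule when evaluated at `now`."""
    cfg = {**DEFAULTS, **overrides}
    if cfg["baseline_minutes"] < cfg["window_minutes"]:
        raise ValueError("baseline_minutes must be >= window_minutes")
    cur_start = now - timedelta(minutes=cfg["window_minutes"])
    base_start = cur_start - timedelta(minutes=cfg["baseline_minutes"])
    current, baseline = defaultdict(int), defaultdict(int)
    for ts, path in events:
        p = path_prefix(path)
        if cur_start <= ts < now:
            current[p] += 1
        elif base_start <= ts < cur_start:
            baseline[p] += 1
    tripped = {}
    for p, total in current.items():
        if total <= cfg["min_requests"]:        # floor: current_total > min_requests
            continue
        cur_rpm = total / cfg["window_minutes"]
        base_rpm = baseline[p] / cfg["baseline_minutes"]
        if base_rpm == 0:                       # no prior traffic: immediate critical
            tripped[f"path:{p}"] = ("critical", float("inf"))
            continue
        ratio = cur_rpm / base_rpm
        if ratio > cfg["multiplier"] * 3:
            tripped[f"path:{p}"] = ("critical", ratio)
        elif ratio > cfg["multiplier"]:
            tripped[f"path:{p}"] = ("warning", ratio)
    return tripped


class AlertState:
    """One open alert per dimensionKey; auto-resolves when the path stops tripping."""

    def __init__(self):
        self.open = {}

    def apply(self, tripped):
        opened = {k: sev for k, (sev, _) in tripped.items() if k not in self.open}
        resolved = sorted(k for k in self.open if k not in tripped)
        self.open = {k: sev for k, (sev, _) in tripped.items()}
        return opened, resolved


NOW = datetime(2024, 11, 29, 12, 0, 0)
LATER = NOW + timedelta(minutes=10)


def constructed_log(now=NOW):
    """Constructed sample traffic (not real data): evenly spaced requests per path."""
    cur_start = now - timedelta(minutes=5)
    base_start = cur_start - timedelta(minutes=60)
    events = []

    def spread(path, n, start, end):
        step = (end - start) / n
        events.extend((start + step * i, path) for i in range(n))

    spread("/Product-Show?pid=SKU1", 600, base_start, cur_start)          # 10 rpm baseline
    spread("/Product-Show?pid=SKU1", 150, cur_start, now)                 # 30 rpm: ratio 3, no alert
    spread("/Cart-AddProduct?pid=SKU1", 120, base_start, cur_start)       # 2 rpm baseline
    spread("/Cart-AddProduct?pid=SKU1", 150, cur_start, now)              # 30 rpm: ratio 15, warning (not > 15)
    spread("/CheckoutServices-SubmitPayment", 60, base_start, cur_start)  # 1 rpm baseline
    spread("/CheckoutServices-SubmitPayment", 90, cur_start, now)         # ratio 18 but 90 <= floor of 100
    spread("/COBilling-Submit", 101, cur_start, now)                      # no baseline: critical
    return events


def run_demo():
    """Two evaluations ten minutes apart: alerts open at NOW, resolve once the burst has aged out."""
    state = AlertState()
    first = evaluate(constructed_log(), NOW)
    opened, _ = state.apply(first)
    later = evaluate(constructed_log(), LATER)
    _, resolved = state.apply(later)
    return first, opened, later, resolved


if __name__ == "__main__":
    first, opened, later, resolved = run_demo()
    for key, (sev, ratio) in sorted(first.items()):
        print(f"{key}: {sev} (ratio {ratio:.1f})")
    print("opened:", sorted(opened), "resolved at +10min:", resolved)
```

Note that the comparisons are strict, as in the rule text: a path at exactly 15× its baseline with the default multiplier of 5 opens as a warning, not a critical, and a path whose ratio is huge but whose 5-minute total is 100 or fewer never opens at all. When tuning multiplier for a site with bursty but legitimate paths, re-run this over a day of your own access logs before enabling the rule.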
Enabling the detector
Ships disabled by default so you can validate thresholds against your own traffic first. To enable:
- Go to the Rules page
- Find "Path Traffic Spike"
- Adjust thresholds if your site has unusual traffic shapes
- Toggle Enabled
Alert lifecycle
- dimensionKey=path:<prefix> — one alert per path, auto-resolves when the rate falls back within the multiplier
- Links from the Alerts page straight to the path detail view where you can see which ASNs are driving the spike
- Notification routing (email / webhook) inherits from your tenant defaults unless overridden per-rule
Related
- Path Explorer — the manual view this detector automates
- ASN Traffic Spike Detector — sibling detector keyed on network instead of path