How-to
Reading the Offenders Page
How to interpret the ASN table and drill into a suspicious network.
Summary strip
At the top of the page, a summary strip reads: "N ASNs · X requests (Y% of total) · Z open alerts" -- giving you an instant sense of scale for the current filter set.
Filter bar
Five dropdown filters sit below the summary:
- ASN Country -- filter by the ASN's headquarters country (where the network is registered, not where its traffic originates)
- Bypass tier -- High (≥80%), Elevated (≥50%), or Normal (below 50%)
- Alerts -- filter to ASNs that have / don't have open alerts
- Type -- ISP, Cloud, VPN-Proxy, Transit, or Unknown
- Firewall -- filter by Cloudflare firewall action (added 2026-04-24, see below)
Firewall filter pills
The Firewall dropdown surfaces what Cloudflare's edge actually did with each ASN's traffic. Five options:
| Pill | Matches |
|---|---|
| Any mitigation | ASNs where ≥1 request was block, challenge, managed_challenge, jschallenge, or connectionClose |
| Blocked | ASNs with at least one block action |
| Challenged | ASNs hitting any of the three challenge variants |
| Conn. closed | ASNs with connectionClose (rare — anti-DDoS reset) |
| Monitor mode only | ASNs where log / allow / bypass / skip rules fired but no mitigating action ever did |
The "Monitor mode only" pill is the inverse of "Any mitigation": rules fire but don't enforce. These are the ASNs worth auditing: either the rule should be promoted to block / managed_challenge, or it should be removed if it's noise. A residential ISP showing 100% log matches usually points to a stale rule that hasn't been reviewed.
A pill only renders when at least one ASN matches it; if no ASN saw any mitigating action in the current window, the Any mitigation, Blocked and other mitigation pills are hidden.
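The pill matching described above can be reproduced offline to build an audit list of monitor-only ASNs. This is an added example, not the dashboard's own code; the record layout (`asn`, `type`, `requests`, `bypass_pct`, `actions`) and the sample rows are constructed assumptions.

```python
# Added example: field names and sample ASNs are constructed, not the dashboard's schema.
MITIGATING = {"block", "challenge", "managed_challenge", "jschallenge", "connectionClose"}
CHALLENGES = {"challenge", "managed_challenge", "jschallenge"}
MONITOR = {"log", "allow", "bypass", "skip"}

def firewall_pills(actions):
    """Map one ASN's {firewall action: request count} to the pills it matches."""
    seen = {a for a, n in actions.items() if n > 0}
    pills = set()
    if seen & MITIGATING:
        pills.add("Any mitigation")
    if "block" in seen:
        pills.add("Blocked")
    if seen & CHALLENGES:
        pills.add("Challenged")
    if "connectionClose" in seen:
        pills.add("Conn. closed")
    # Rules fired, but nothing was ever enforced for this ASN.
    if (seen & MONITOR) and not (seen & MITIGATING):
        pills.add("Monitor mode only")
    return pills

def bypass_tier(rate_pct):
    """Bypass tier thresholds as given in the filter bar."""
    if rate_pct >= 80:
        return "High"
    return "Elevated" if rate_pct >= 50 else "Normal"

def audit_queue(asns):
    """Monitor-mode-only ASNs, largest first: rules to promote or remove."""
    hits = [a for a in asns if "Monitor mode only" in firewall_pills(a["actions"])]
    hits.sort(key=lambda a: a["requests"], reverse=True)
    return [(a["asn"], a["type"], bypass_tier(a["bypass_pct"])) for a in hits]

# Constructed sample rows (private-use AS numbers).
SAMPLE = [
    {"asn": 64512, "type": "ISP", "requests": 90_000, "bypass_pct": 12.0,
     "actions": {"log": 90_000}},
    {"asn": 64513, "type": "Cloud", "requests": 400_000, "bypass_pct": 86.5,
     "actions": {"log": 1_200, "managed_challenge": 310_000, "block": 40}},
    {"asn": 64514, "type": "VPN-Proxy", "requests": 150_000, "bypass_pct": 55.0,
     "actions": {"skip": 700, "log": 149_300}},
    {"asn": 64515, "type": "Transit", "requests": 5_000, "bypass_pct": 3.0,
     "actions": {}},
]

if __name__ == "__main__":
    for row in audit_queue(SAMPLE):
        print(row)
```

An ASN with no firewall events at all (64515 in the sample) matches no pill, so it never appears in the audit list.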
"Traffic from" chip
When you click a country on the Overview world map, or click through from a status code or cache status row, a "Traffic from" chip appears in the filter bar. This filters by ClientCountry (the geographic origin of the requests), which is different from the ASN Country filter (based on the network's headquarters). For example, "Traffic from: Vietnam" shows all ASNs whose requests originate in Vietnam, even if those ASNs are headquartered elsewhere.
Search box
A search box lets you filter by AS number or organisation name. Type "45899" or "VNPT" to find a specific network.
Table columns
Each row in the Offenders table shows:
| Column | Description |
|---|---|
| ASN | AS number with organisation name, country flag, alert badge (if open alerts exist), and a bgp.tools link icon |
| Requests | Total request count with a proportional magnitude bar |
| % of total | This ASN's share of all traffic |
| Trend | A sparkline showing the traffic pattern over the selected window |
| Bytes | Total egress bytes |
| BPR | Bytes per request -- a low BPR (e.g. <1 KB) combined with high volume is a scraper signal, as scrapers close connections before receiving the full response |
| 499 rate | Percentage of requests where the client closed the connection |
| Hit rate | Cache hit ratio for this ASN |
| Bypass rate | Three-tier colouring: red at ≥80%, amber at ≥50%, normal below 50% |
All columns are sortable -- click any column header to sort ascending/descending.
Pin and Ignore
- Pin an ASN to float it to the top of the table, regardless of sort order. Useful for watching a suspect network.
- Ignore an ASN to hide it from the table. Ignored ASNs are hidden behind a "Show N ignored" toggle at the bottom.
Both actions are persisted in localStorage across sessions.
CSV export
Click the Export CSV button to download the current filtered view as a CSV file.
Drilling into an ASN
Click any row to open the ASN detail page, which provides:
- 8 stat tiles -- total requests (with % of total), 499 rate, cache bypass rate, 499 count, hit rate, egress bytes, bytes per request (with scraper signal label), share of total
- Stacked status-class timeseries with a site-wide baseline overlay so you can compare this ASN's pattern against normal traffic
- Cache breakdown -- hit, dynamic, miss, and other statuses for this ASN
- UA families -- each family is listed with an anomaly flag if it appears inconsistent with the ASN type (e.g. 20 distinct families from a residential ISP)
- Paths -- top URL paths with per-path bypass rate, useful for identifying catalogue crawling
- Similar ASNs (cohort) -- other ASNs with similar volume and bypass-rate profile (within ±50% volume and ±15pp bypass), useful for spotting coordinated traffic across multiple networks
- 7-day alert history -- all alerts for this ASN in the past week
- JSON export -- download the full ASN profile as JSON
- Pin / Ignore / bgp.tools -- action buttons at the top of the detail page