DDoS & Dstat Glossary

Plain-language definitions of the terms you will see on a Dstat dashboard — from Layer 4 vs Layer 7 to RPS, Under Attack Mode and bypass — with notes on how each one shows up on the live chart.

Dstat

Live traffic statistics during a stress test or DDoS attack.

Dstat (short for "destination statistics") is a live view of the request/bandwidth volume a target receives during a stress test, typically a rolling chart of requests per time window plus a breakdown of allowed, bypassed and blocked traffic. On this dashboard the chart plots requests over a rolling 60-second window, so a sustained climb means the target is absorbing more load than its baseline.

Layer 7

Application-layer traffic measured in requests per second.

Layer 7 (the application layer) covers HTTP/HTTPS requests. Layer-7 Dstat is measured in requests, and is where WAFs, JS challenges, CAPTCHAs and rate limits do their work. The headline number is peak requests per second (RPS), and a protected target should show most of that volume filtered before it reaches the origin.

Layer 4

Network/transport-layer traffic measured in bandwidth and packets.

Layer 4 (the transport layer) covers TCP/UDP volume. Layer-4 Dstat is measured in bandwidth (Gbps) and packets per second (pps), independent of any application logic. Because these floods ignore the application, they are mitigated at the network edge rather than by challenges or rate limits.

Under Attack Mode (UAM)

A JavaScript challenge that filters automated clients.

Under Attack Mode issues a JavaScript challenge that a real browser solves transparently while most simple bots fail, sharply reducing automated Layer-7 traffic that reaches the origin. On a Dstat chart, enabling UAM typically shows up as a sharp drop in bypass traffic shortly after the test begins.

CAPTCHA

An interactive challenge requiring human input.

A CAPTCHA challenge requires explicit human interaction (clicking or solving a puzzle). It is stronger than a silent JS challenge but adds friction for legitimate users, so it is usually reserved for high-risk paths such as login or checkout where a drop in bypass traffic is worth the extra friction.

Rate Limiting

Capping requests per client over a time window.

Rate limiting caps how many requests a single client (IP, token, or path) may send within a window, smoothing bursts and blunting volumetric Layer-7 floods. In Dstat terms, effective rate limiting keeps the bypass line flat even as total incoming requests spike.
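The flat-line behaviour described above can be reproduced offline. The sketch below is an added example, not code from this dashboard: it applies a per-client sliding-window limit to constructed traffic and reports, for each second, how many requests arrived and how many would have reached the origin. The class name, the limit of 5 requests per 1000 ms, keying by client IP and the 10.0.0.x addresses are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` requests per client key in any `window_ms` span."""
    def __init__(self, limit, window_ms):
        self.limit, self.window_ms = limit, window_ms
        self.allowed = defaultdict(deque)  # key -> timestamps (ms) of allowed requests

    def allow(self, key, now_ms):
        q = self.allowed[key]
        # Forget requests that have aged out of the window.
        while q and now_ms - q[0] >= self.window_ms:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the cap: rejected before the origin
        q.append(now_ms)
        return True

def replay(events, limit, window_ms):
    """Run (timestamp_ms, client) events through the limiter.
    Returns {second: [incoming, reached_origin]}."""
    limiter = SlidingWindowLimiter(limit, window_ms)
    per_second = defaultdict(lambda: [0, 0])
    for ts, client in sorted(events):
        bucket = per_second[ts // 1000]
        bucket[0] += 1
        if limiter.allow(client, ts):
            bucket[1] += 1
    return dict(per_second)

def constructed_traffic():
    """Constructed sample: three steady clients at 2 req/s for 6 s,
    plus one client sending 100 req/s during seconds 2 and 3."""
    events = []
    for sec in range(6):
        for client in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
            events += [(sec * 1000 + i * 500, client) for i in range(2)]
        if sec in (2, 3):
            events += [(sec * 1000 + i * 10, "10.0.0.9") for i in range(100)]
    return events

if __name__ == "__main__":
    stats = replay(constructed_traffic(), limit=5, window_ms=1000)
    for sec, (incoming, reached) in sorted(stats.items()):
        print(f"t={sec}s incoming={incoming:4d} reached_origin={reached:3d}")
```

The steady clients are never throttled because they stay under the cap, while the spike adds at most five requests per second to what the origin sees.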

RPS (Requests Per Second)

The core Layer-7 throughput metric.

Requests per second is the primary unit for Layer-7 Dstat: it expresses how many HTTP requests a target processes each second, and peak RPS is the headline figure of most stress tests. Comparing incoming RPS against bypass RPS on the same chart is a quick way to read how well a protection is holding.

Bypass

Requests that slipped past protections to the origin.

Bypass counts requests that defeated the protection layer (challenge or filter) and reached the origin. A high bypass rate during a test indicates the protection is not fully effective. The goal of any protected Dstat run is to drive the bypass line toward zero while total request volume stays high.