Technical Difficulty

Hi Admin,

Indeed, actually, a huge part of that quantity is for near real-time web attack forensics. What that means is that whenever a website of mine gets attacked (let’s say DDoS), a super tiny notification is sent to a designated central regarding that web request. Unfortunately, I cannot go too much into specifics, as that would cause me trouble unless this forum is client-view only and I have control over privacy settings.

Previously that website would also send some more information related to that IP in the notification as well. The central that collects this data will then relay an aggregated list to other websites to apply firewall rules that block the IPs for a certain period of time; different websites may have different requirements. Any particular ASN with more than a portion of its IPs participating in an attack will have its parent ASN operator notified, and a case number is assigned in those reports for follow-up on a per-peer level. Certain ASNs are by default banned from connecting to my network entirely due to ignorance. Those reports usually result in compliant network shutdowns or suspensions, especially for legitimate cloud providers. These data are also relayed to AbuseIPDB selectively, depending on the per-request level. Certain reports can go even further by having a pinpoint geographical coordinate and device info included in the text, if applicable.

Some may argue that I am relaying the DDoS to the central server, which is technically true, but the notification is heavily optimized to avoid sending repeated info on a best-effort basis. For example, a database insert query might take 12ms, while temporarily marking the IP into the session happens at around 5ms; if during that 12ms there are 50 requests from the same source, only the requests arriving in the first 5ms might get multi-sent. A small-scale DDoS attack would generate around 3k of these notifications, per IP per site per incident.

Of course, there are more use cases than that, but this is the most interesting one that I’m concerned about.

Cheers!
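The sender-side suppression and central aggregation the post describes, as an added example that is not the poster's code: the suppressor models the "session mark lands ~5ms after first sight" behaviour (requests before the mark are multi-sent, later ones dropped), and the aggregator builds a per-IP blocklist with an expiry and flags ASNs whose share of participating IPs crosses a threshold. All records, thresholds and the `asn` field (assumed to be resolved by the site) are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed record: one notification per offending request, as in the post.
@dataclass(frozen=True)
class Notification:
    ip: str
    site: str
    asn: int   # hypothetical: assumes the site resolves the source ASN itself
    ts_ms: int

class Suppressor:
    """Sender side. An IP is marked in session mark_delay_ms after it is first
    seen; requests arriving before the mark lands are still reported (the
    'multi-sent' case), everything after it is dropped."""
    def __init__(self, mark_delay_ms: int = 5):
        self.mark_delay_ms = mark_delay_ms
        self._first_seen: dict[str, int] = {}

    def should_notify(self, ip: str, ts_ms: int) -> bool:
        first = self._first_seen.setdefault(ip, ts_ms)
        return ts_ms < first + self.mark_delay_ms

def aggregate(notes, block_ttl_ms, asn_share, min_ips):
    """Central side: per-IP block entries with an expiry timestamp, and the
    ASNs whose share of participating IPs reaches asn_share (min_ips or more)."""
    last_seen: dict[str, int] = {}
    ip_asn: dict[str, int] = {}
    for n in notes:
        last_seen[n.ip] = max(last_seen.get(n.ip, 0), n.ts_ms)
        ip_asn[n.ip] = n.asn
    blocklist = {ip: ts + block_ttl_ms for ip, ts in last_seen.items()}
    asn_ips: dict[int, set[str]] = defaultdict(set)
    for ip, asn in ip_asn.items():
        asn_ips[asn].add(ip)
    total = len(ip_asn)
    flagged = sorted(asn for asn, ips in asn_ips.items()
                     if len(ips) >= min_ips and len(ips) / total >= asn_share)
    return blocklist, flagged

def demo():
    """Constructed traffic: 50 requests from one IP inside 12ms (the post's
    numbers) plus a few other sources, then the central aggregation."""
    sup = Suppressor(mark_delay_ms=5)
    burst = [Notification("203.0.113.10", "site-a", 64500, i * 12 // 50) for i in range(50)]
    sent = [n for n in burst if sup.should_notify(n.ip, n.ts_ms)]   # 21 of 50 get sent
    others = [Notification("203.0.113.11", "site-a", 64500, 30),
              Notification("203.0.113.12", "site-b", 64500, 31),
              Notification("198.51.100.7", "site-b", 64501, 32)]
    blocklist, flagged = aggregate(sent + others, block_ttl_ms=600_000, asn_share=0.5, min_ips=2)
    return len(sent), blocklist, flagged
```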
