1) Where to get data (reliable + licensable)

• Cloudflare Radar API — free, documented API with endpoints specifically for application-layer (L7) and network-layer (L3/4) attacks, plus metadata like confidence levels. Licensed CC BY-NC 4.0. Cloudflare Docs+2Cloudflare Docs+2

• Digital Attack Map (Jigsaw + NETSCOUT/Arbor) — public site showing daily top DDoS flows (historical + “today” view). Data is a sample of ATLAS observations; API access is not formally documented, so treat it as a reference/embedded widget rather than a backend feed. Digital Attack Map+1NETSCOUT

• CAIDA / UCSD Network Telescope — research-grade backscatter datasets (historic, application needed). Great for offline analysis and papers; not ideal for “live” dashboards. CAIDA Resource Catalog+1Impact Cyber Trust

For a production, continuously updating map, start with Cloudflare Radar’s API and optionally link out to Digital Attack Map for context.

2) How to get it (ingestion)

Cloudflare Radar API (recommended pipeline)

1. Create an API token (Account → Radar → Read). Requests hit https://api.cloudflare.com/client/v4/radar/.... Cloudflare Docs

2. Pull L7 (HTTP) attack aggregates

   • Top target locations (last 1h/24h):
     GET /radar/attacks/layer7/top/locations/target?dateRange=1h&limit=200&format=json

   • Top origin→target pairs (for drawing arcs):
     GET /radar/attacks/layer7/top/attacks?dateRange=1h&limit=200&format=json

   • L7 time series by technique/product (for trends):
     GET /radar/attacks/layer7/timeseries_groups/mitigation_product?... Cloudflare Docs

3. Pull L3/4 (network-layer) attack aggregates (protocol splits, datacenter-attributed):

   • Timeseries + summaries under /radar/attacks/layer3/... (see docs page). Note: location = CF datacenter, due to IP spoofing at L3/4. Cloudflare Docs

Auth header: Authorization: Bearer <API_TOKEN>
Formats: format=json (default) or format=csv (nice for Pandas). Cloudflare Docs

3) How to clean + prep it (data model)

Minimum model for a globe/choropleth + arcs:

Tables (or JSON schemas)

• countries — alpha2, name, lat, lon (centroids).

• attack_snapshot — ts, layer (L7/L3), metric (e.g., share_percent or requests_per_s), origin_alpha2, target_alpha2, value, confidence.

Transform steps

1. Normalize fields

   • Radar returns percent shares for many “top” endpoints. Keep value as a percentage and store meta.normalization so you don’t mislabel it as absolute counts. Cloudflare Docs

2. Confidence filtering

   • Drop or de-emphasize rows where meta.confidenceInfo.level < 5. This is explicitly provided by Radar. Cloudflare Docs

3. Attribution caveats

   • L7 origin = IP’s geo; target = zone billing location. L3/4 location = datacenter, not bot origin (due to spoofing). Keep a tooltip note on the map to avoid misinterpretation. Cloudflare Docs+1

4. Smoothing & freshness

   • Pull at a fixed interval (e.g., every 5–10 minutes) and compute rolling 1-hour means for stability; keep a “last updated” timestamp.

5. Country geometry join

   • Join alpha2 codes from Radar with your centroid list to place bubbles/arcs.

6. Licensing

   • Display “Data © Cloudflare Radar (CC BY-NC 4.0)” on the map and any exports. Cloudflare Docs

Optional enrichments

• Split by attack product/technique (e.g., DDoS vs. WAF blocks) for legends. Cloudflare Docs

• Show L7 vs L3/4 tabs (different semantics). Cloudflare Docs

4) How (and where) to display it

Frontend stack (fast path)

• Map: Mapbox GL JS or Leaflet + deck.gl. Deck.gl’s ArcLayer is perfect for origin→target ribbons; a second layer (Scatter/Column) for per-country intensity.

• Basemap: OpenStreetMap tiles (no cost) or Mapbox (nice styles).

• UI: React + Vite/Next.js. Tabs: Global, By Layer (L7/L3), Top Pairs, Trends. Controls: time window, layer, metric.

• Hosting: Vercel/Netlify (static + API routes) or a small Node/Express on a VPS.

Dashboard alternative

• Grafana + Worldmap/Geomap panels and a JSON API datasource. Great if you already have Prometheus/Influx/Timescale.

Backend

• For simplicity, run a cron (GitHub Actions or a tiny server) that:

  1. Calls Radar endpoints (JSON/CSV).

  2. Writes compact snapshot JSON (e.g., latest.json and history/2025-08-13T15.json).

  3. Invalidates CDN cache.

• If you expect growth, use PostgreSQL + PostGIS or TimescaleDB for time windows & aggregates.

Visual encodings

• Choropleth or bubbles on targets (where victims are billed).

• Arcs for top origin→target flows.

• Color split for L7 vs L3/4 or by protocol (TCP/UDP/ICMP) for network layer views. Cloudflare Docs

• Tooltips: country names, share %, time window, confidence note.

5) Example requests you can drop into a script

(Replace API_TOKEN)

Top L7 targets (last 24h) for choropleth/bubbles