[DDoS Protection] Various updates (#17865)

* botnet threat feed offense

* recommendations for ddos tests

* edit

* remove ddos billing note

* space

* Update src/content/docs/ddos-protection/botnet-threat-feed.mdx

Co-authored-by: Jun Lee <[email protected]>

---------

Co-authored-by: Jun Lee <[email protected]>

Author: 2 people

src/content/docs/ddos-protection/about/how-ddos-protection-works.mdx

@@ -33,11 +33,6 @@ Once attack traffic matches a rule, Cloudflare's systems will track that traffic
 | Log | Records matching requests in the Cloudflare Logs. |
 | Use rule defaults | Uses the default action that is pre-defined for each rule. | 
 
-:::note
-
-DDoS attack traffic is automatically excluded from billing systems.
-:::
-
 ## Time to mitigate
 
 - Immediate mitigation for Advanced TCP and DNS Protection systems.

src/content/docs/ddos-protection/botnet-threat-feed.mdx

@@ -11,9 +11,11 @@ head:
 
 The Cloudflare DDoS Botnet Threat Feed is a threat intelligence feed for service providers (SPs) such as hosting providers and Internet service providers (ISPs) that provides information about their own IP addresses that have participated in HTTP DDoS attacks as observed from Cloudflare's global network. The feed aims to help service providers stop the abuse and reduce DDoS attacks originating from within their networks.
 
-Each service provider can only get information about IP addresses associated with their autonomous system numbers (ASNs). The affiliation of a service provider with their ASNs will be checked against [PeeringDB](https://www.peeringdb.com/), a reliable and globally recognized interconnection database.
+Each offense is a mitigated HTTP request from the specific IP address. For example, if an IP has 3,000 offenses, it means that Cloudflare has mitigated 3,000 HTTP requests from that IP. 
 
-To ensure the feed’s accuracy, Cloudflare will only include in the feed IP addresses that have participated in multiple HTTP DDoS attacks and have triggered high-confidence rules.
+A service provider can only get information about IP addresses associated with their autonomous system numbers (ASNs). The affiliation of a service provider with their ASNs will be checked against [PeeringDB](https://www.peeringdb.com/), a reliable and globally recognized interconnection database.
+
+To ensure the feed's accuracy, Cloudflare will only include IP addresses that have participated in multiple HTTP DDoS attacks and have triggered high-confidence rules. 
 
 ## Context
 

src/content/docs/ddos-protection/reference/simulate-ddos-attack.mdx

@@ -19,4 +19,6 @@ You can only launch DDoS attacks against your own Internet properties — your z
 
 You do not have to obtain permission from Cloudflare to launch a DDoS attack simulation against your own Internet properties. However, before launching the simulated attack, you must [open a Support ticket](/support/contacting-cloudflare-support/) and provide the information below. All fields are mandatory.
 
+It is recommended that you choose the right service and enable the correct features to test against the corresponding DDoS attacks. For example, if you want to test Cloudflare against an HTTP DDoS attack and you are only using Magic Transit, the test is going to fail because you need to onboard your HTTP application to Cloudflare's reverse proxy service to test our HTTP DDoS Protection. 
+
 <Render file="support-ticket-information" product="fundamentals" params={{ one: "Attack" }} />