There are more packets/sec reported for the Most Active Source graph compared to what the FortiDDoS is actually receiving/sending for that source and also compared to other graphs.Scope
For TCP and DNS traffic, the MAS will add up both directions. Wherever a session is detected it is associated with both inbound and outbound traffic to its source for Most Active Source. This is to catch the offending sources in a faster way. Since this client creates the session, the source can be identified and punished more rapidly.