All Products
Search

This Product

    Anti-DDoS:CloudMonitor Alerts

    Document Center

    Anti-DDoS:CloudMonitor Alerts

    Last Updated:Mar 31, 2026

    Anti-DDoS Proxy integrates with CloudMonitor so you can get notified when DDoS events occur and visualize traffic metrics without switching consoles. You can configure threshold-triggered alert rules for traffic, connection, QPS, and status code metrics, set up event-triggered rules for blackhole filtering and traffic scrubbing events, and build real-time dashboards to monitor Anti-DDoS Proxy instances continuously.

    CloudMonitor is an Alibaba Cloud service that monitors Internet applications and cloud resources. For more information, see What is CloudMonitor?

    Both Anti-DDoS Proxy (Chinese Mainland) and Anti-DDoS Proxy (Outside Chinese Mainland) support the following feature types:

    Feature typeEvents coveredWhat it does
    Service metric monitoring and alertingIP address traffic alerts, connection alerts, QPS alerts, status code alertsSends an alert notification when a monitored metric exceeds the threshold you define
    Event monitoring and alertingBlackhole filtering events, traffic scrubbing events, Layer 4 flood attack events, Layer 7 HTTP flood attack eventsSends an alert notification when a DDoS event occurs on your Anti-DDoS Proxy instance
    Real-time dashboardDDoS monitor dashboardAggregates metric data from your instances into a customizable visual dashboard

    Usage notes

    For newly created Anti-DDoS Proxy instances or newly added domain names, CloudMonitor starts collecting data on the next day (T+1).

    Metrics reference

    CloudMonitor collects the following metrics for Anti-DDoS Proxy. Use traffic metrics and connection metrics to configure threshold-triggered alert rules. Use status code metrics to identify application-layer anomalies.

    Traffic metrics

    MetricDimensionUnit
    Out_TrafficInstance or IP addressbit/s
    In_TrafficInstance or IP addressbit/s
    Back_Traffic (scrubbed traffic forwarded to the origin server)Instance or IP addressbit/s
    AttackTrafficInstance or IP addressbit/s

    Connection metrics

    MetricDimensionUnit
    Active_connectionInstance or IP addressCount
    Inactive_connectionInstance or IP addressCount
    New_connectionInstance or IP addressCount
    In_PPSInstanceCount/second
    Out_PPSInstanceCount/second

    Request and status code metrics

    MetricDimensionUnit
    QPSDomain nameCount/second
    qps_ratio_downDomain name%
    qps_ratio_upDomain name%
    resp200Domain nameCount
    upstream_resp2xx (
    Note

    Covers back-to-origin status codes 200–299.)

    		Domain nameCount
    upstream_resp2xx_ratioDomain name%
    resp2xx (
    Note

    Covers status codes 200–299.)

    		Domain nameCount
    resp2xx_ratioDomain name%
    upstream_resp3xxDomain nameCount
    upstream_resp3xx_ratioDomain name%
    resp3xxDomain nameCount
    resp3xx_ratioDomain name%
    upstream_resp403Domain nameCount
    resp403Domain nameCount
    upstream_resp404Domain nameCount
    upstream_resp404_ratioDomain name%
    resp404Domain nameCount
    resp404_ratioDomain name%
    upstream_resp405Domain nameCount
    resp405Domain nameCount
    resp410Domain nameCount
    resp499Domain nameCount
    upstream_resp4xx (
    Note

    Covers back-to-origin status codes 400–499.)

    		Domain nameCount
    upstream_resp4xx_ratioDomain name%
    resp4xx (
    Note

    Covers status codes 400–499.)

    		Domain nameCount
    resp4xx_ratioDomain name%
    upstream_resp502Domain nameCount
    resp502Domain nameCount
    upstream_resp503Domain nameCount
    resp503Domain nameCount
    upstream_resp504Domain nameCount
    resp504Domain nameCount
    upstream_resp5xx (
    Note

    Covers back-to-origin status codes 500–599.)

    		Domain nameCount
    upstream_resp5xx_ratioDomain name%
    resp5xx (
    Note

    Covers status codes 500–599.)

    		Domain nameCount
    resp5xx_ratioDomain name%

    Prerequisites

    Before you begin, ensure that you have:

    Open CloudMonitor alerts from the Anti-DDoS Proxy console

    1. Log on to the Anti-DDoS Proxy console.Anti-DDoS Proxy console

    2. In the top navigation bar, select the region of your instance.

      • Anti-DDoS Proxy (Chinese Mainland): Select Chinese Mainland.

      • Anti-DDoS Proxy (Outside Chinese Mainland): Select Outside Chinese Mainland.

    3. In the left-side navigation pane, choose Investigation > CloudMonitor Alerts.

    4. On the CloudMonitor Alerts page, find the event for which you want to configure alerting, then click CloudMonitor Notification in the Interaction Configuration column.

      Event nameWhat to configure
      Traffic Alerts by IP Address, Connection Alerts, QPS Alerts, Alerts on Status CodesA threshold-triggered alert rule. See Configure service metric monitoring and alerting.
      Alerts on Blackhole Filtering Events, Alerts on Scrubbing EventsAn event-triggered alert rule. See Configure event monitoring and alerting.
      DDoS DashboardA real-time dashboard. See Configure a real-time dashboard.

    Configure service metric monitoring and alerting

    Use this procedure to receive notifications when traffic, connection, QPS, or status code metrics on your Anti-DDoS Proxy instance cross a defined threshold.

    1. Create an alert contact. Skip this step if you already have an alert contact group.

      1. In the CloudMonitor console, choose Alerts > Alert Contacts in the left-side navigation pane.

      2. On the Alert Contacts tab, click Create Alert Contact.

      3. In the Set Alert Contact panel, configure the parameters, drag the slider to complete verification, and click OK.

    2. Create an alert contact group. Skip this step if you already have an alert contact group.

      1. In the left-side navigation pane, choose Alerts > Alert Contacts.

      2. On the Alert Contact Group tab, click Create Alert Contact Group.

      3. In the Create Alert Contact Group panel, set the Group Name, select contacts from the Existing Contacts section, add them to Selected Contacts, and click Confirm.

      Note

      CloudMonitor sends alert notifications only to alert contact groups. Add one or more alert contacts to a group before configuring alert rules.

    3. Create one or more threshold-triggered alert rules.

      1. In the left-side navigation pane, choose Alerts > Alert Rules.

      2. On the Alert Rules page, click Create Alert Rule.

      3. In the Create Alert Rule panel, configure the following parameters and click Confirm.

      ParameterDescription
      Product TypeSelect Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland).
      Resource RangeThe resources to which the alert rule applies: All Resources, Application Groups, or Instances.
      Rule DescriptionThe conditions that trigger an alert. Click Add Rule, select a metric type from the drop-down list, and configure the rule in the Configure Rule Description panel. Set Metric Type to one of the following: Simple Metric (single metric with threshold and alert level), Combined Metrics (two or more metrics; all metrics must have data on the resource — if a resource lacks an EIP, Internet metrics cannot trigger alerts), Expression (custom alert expression), or Dynamic Threshold (anomaly-based alerting, currently in invitational preview; submit a ticket to enable). For complex conditions, see Alert rule expressions.
      Mute ForHow long CloudMonitor waits before resending an alert notification if the alert is not cleared. Valid values: 5 Minutes, 15 Minutes, 30 Minutes, 60 Minutes, 3 Hours, 6 Hours, 12 Hours, 24 Hours.
      Effective PeriodThe time window during which the alert rule is active. Notifications are sent only within this period. Alert history is still recorded outside the effective period.
      Alert Contact GroupThe alert contact groups to receive notifications.
      TagTags for the alert rule. A maximum of six tags are supported.
      Alert CallbackA publicly accessible HTTP URL. CloudMonitor sends HTTP POST requests to this URL when an alert is triggered. Only HTTP requests are supported. To test connectivity, click Test next to the URL and check the result in the Webhook Test panel. Click Advanced Settings to access this parameter. For setup details, see Use the alert callback feature to send notifications about threshold-triggered alerts.
      Auto Scaling, Log Service, Simple Message Queue (formerly MNS), Function ComputeOptional integration channels. For details, see Create an alert rule.

    Configure event monitoring and alerting

    Use this procedure to receive notifications when blackhole filtering or traffic scrubbing events occur on your Anti-DDoS Proxy instance.

    1. Create an alert contact and alert contact group by following steps 1 and 2 in Configure service metric monitoring and alerting.

    2. Create one or more event-triggered alert rules.

      1. In the CloudMonitor console, choose Event Center > System Event in the left-side navigation pane.

      2. On the Event Monitoring tab, click Old Event Alarm Rules in the upper-right corner, then click Create Alert Rule.

      3. In the Create/Modify Event-triggered Alert Rule panel, configure the following parameters and click OK.

      SectionParameterDescription
      Basic InfoAlert Rule NameEnter a name for the alert rule.
      Event-triggered Alert RulesProduct TypeSelect Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland).
      Event TypeThe type of event to monitor: DDoS Blackhole Filtering, DDoS Traffic Scrubbing, Layer 4 Flood Attack, or Layer 7 HTTP Flood Attack.
      Event LevelOnly CRITICAL is supported for these event types.
      Event NameThe specific event to monitor. Valid values depend on the selected Event Type:

      • Blackhole filtering: ddosdip_event_blackhole_add or ddoscoo_event_blackhole_add and ddosdip_event_blackhole_end or ddoscoo_event_blackhole_end

      • Traffic scrubbing: ddosdip_event_defense_add or ddoscoo_event_defense_add and ddosdip_event_defense_end or ddoscoo_event_defense_end

      • Layer 4 flood attack: ddosdip_event_cc4_add or ddoscoo_event_cc4_add and ddosdip_event_cc4_end or ddoscoo_event_cc4_end

      • Layer 7 HTTP flood attack: ddosdip_event_cc7_add or ddoscoo_event_cc7_add and ddosdip_event_cc7_end or ddoscoo_event_cc7_end

      Keyword FilteringFilter events by keyword: Contains any of the keywords or Does not contain any of the keywords. For how to view event content, see View system events.
      SQL FilterSQL statements for filtering, using and and or operators. For example, Warn and i-hp368focau7dp0hw**** restricts notifications to events that contain both the specified instance ID and the Warn alert level.
      Resource RangeSelect All Resources.
      Notification MethodAlert Contact GroupThe alert contact groups to receive notifications.
      Alert NotificationThe severity level and notification channel: Critical (Email + Webhook), Warning (Email + Webhook), or Info (Email + Webhook).

      • Critical (Email + WebHook)

      • Warning (Email + WebHook)

      • Info (Email + WebHook)

      Simple Message Queue (formerly MNS), Function Compute, URL Callback, Log ServiceOptional integration channels. For details, see Manage system event-triggered alert rules (previous version).
      Mute ForHow long CloudMonitor waits before resending a notification if the alert is not cleared.

    3. (Optional) Query recent events on your Anti-DDoS Proxy instance.

      1. On the Event Monitoring tab of the System Event page, select Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland), specify the event type and time range, and click Search.

      2. In the event list, click Details in the Actions column to view event details.

    Configure a real-time dashboard

    Build a custom CloudMonitor dashboard to visualize Anti-DDoS Proxy metrics across instances and IP addresses.

    1. In the CloudMonitor console, click Dashboard in the left-side navigation pane.

    2. On the Custom Dashboard page, click Add Dashboard.

    3. In the Add Dashboard Group dialog box, enter a dashboard name and click Confirm.

      The dashboard appears on the Custom Dashboard tab.

    4. Click the dashboard name, then click Add View. In the Add Chart panel, configure a chart.

      1. Select a chart type: Line, Area, Table, Heat Map, or Pie Chart. For details, see Manage the monitoring charts of a custom dashboard.

      2. Click the Dashboards tab and select Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland). Configure the following:

        • Metric Name: Select the metrics to display.

        • Resource: Select Apply Group, Cloud product instance, or Monitoring Instance, then select the Anti-DDoS Proxy instance and IP address to monitor.

        To add more metrics to the same chart, click Add Metric.

        3. Click OK to create the chart.

    Repeat the preceding steps to add more charts to the dashboard.