This topic describes how to configure alert rules for attack events that occur on Anti-DDoS Pro or Anti-DDoS Premium in the CloudMonitor console. The events include blackhole filtering events, traffic scrubbing events, events of flood attacks at Layer 4, and events of HTTP flood attacks at Layer 7. After alert rules are configured, CloudMonitor notifies you of the latest attack events that occur on Anti-DDoS Pro or Anti-DDoS Premium. This allows you to handle exceptions and restore workloads at the earliest opportunity.

Background information

CloudMonitor is a service that allows you to monitor Internet applications and Alibaba Cloud resources. CloudMonitor provides the event monitoring feature. This feature allows you to query the system events generated by different services and view event statistics. This helps you stay informed about the usage of your cloud services.

You can query the blackhole filtering events, traffic scrubbing events, events of flood attacks at Layer 4, and events of HTTP flood attacks at Layer 7 that occur on Anti-DDoS Pro or Anti-DDoS Premium. You can also configure alert rules based on the event levels. When you configure alert rules, you can configure notification methods, such as emails, DingTalk, and alert callbacks. This way, you can be notified of critical events immediately after they occur and handle the events at the earliest opportunity. This helps implement automated online O&M. For more information, see Overview of event monitoring.

Procedure

  1. Log on to the CloudMonitor console.
  2. Optional: Create an alert contact. If you have created a contact, skip this step.
    1. In the left-side navigation pane, choose Alerts > Alert Contacts.
    2. On the Alert Contacts tab, click Create Alert Contact.
    3. In the Set Alert Contact panel, configure the parameters, drag the slider to complete verification, and then click OK.
  3. Optional: Create an alert group. If you have created an alert group, skip this step.
    Note: CloudMonitor sends alert notifications only to an alert group. You can add one or more alert contacts to an alert group.
    1. In the left-side navigation pane, choose Alerts > Alert Contacts.
    2. On the Alert Contact Group tab, click Create Alert Contact Group.
    3. In the Create Alert Contact Group panel, enter a group name in the Group Name field. Select the alert contact that you created from the Existing Contacts section and add the contact to the Selected Contacts section. Then, click Confirm.
  4. Create an alert rule for events.
    1. In the left-side navigation pane, click Event Monitoring.
    2. On the Alert Rules tab of the page that appears, click System Event and then Create Event Alert.
    3. In the Create/Modify Event Alert panel, configure the parameters and click OK.
      Section: Basic Information
      • Alert Rule Name: Enter the name of the alert rule.

      Section: Event alert
      • Event Type: Select System Event.
      • Product Type: Select NewBGPDDoS (Anti-DDoS Pro) or ddosdip (Anti-DDoS Premium).
      • Event Type: Select the type of event for which you want to receive alert notifications. Valid values:
        • DDoS Blackhole Filtering: blackhole filtering events
        • DDoS Traffic Scrubbing: traffic scrubbing events
        • Layer 4 Flood Attack: events of flood attacks at Layer 4
        • Layer 7 HTTP Flood Attack: events of HTTP flood attacks at Layer 7
      • Event Level: Select the level of event for which you want to receive alert notifications. Valid values: CRITICAL, WARN, and INFO.
        Notice: You can select multiple levels. If you select multiple levels, you must select CRITICAL for all events.
      • Event Name: Select the event for which you want to receive alert notifications. The valid values of this parameter vary based on the value of the Event Type parameter. The following list describes the events of each event type:
        • Blackhole filtering events: ddosdip_event_blackhole_add and ddosdip_event_blackhole_end
        • Traffic scrubbing events: ddosdip_event_defense_add and ddosdip_event_defense_end
        • Events of flood attacks at Layer 4: ddosdip_event_cc4_add and ddosdip_event_cc4_end
        • Events of HTTP flood attacks at Layer 7: ddosdip_event_cc7_add and ddosdip_event_cc7_end
      • Resource Range: Select All Resources.

      Section: Alert Type
      • Alert Notification: Select Alert Notification and configure Contact Group and Notification Method.
        • Contact Group: Select an existing alert group.
        • Notification Method: Set the value to Info (Email ID+DingTalk Robot). Only this option is supported.
        You can click Add to add more alert groups and notification methods.
      • MNS queue: You do not need to specify this parameter.
      • Function service: You do not need to specify this parameter.
      • URL callback: You do not need to specify this parameter.
      • Log Service: You do not need to specify this parameter.

      After the alert rule for events is created, if the specified events occur on Anti-DDoS Pro or Anti-DDoS Premium, an alert notification is sent to the specified alert group.
  5. Optional: Query events. You can query the events that recently occurred on Anti-DDoS Pro or Anti-DDoS Premium in the CloudMonitor console.
    1. On the Event Monitoring page, click the Query Event tab.
    2. Select System Event and NewBGPDDoS (Anti-DDoS Pro) or ddosdip (Anti-DDoS Premium). Then, specify the event type and time range to query related events.
    3. In the event list, click View the Detail to view the details of an event.
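
The event names listed in step 4 come in `_add`/`_end` pairs, so a responder reviewing queried events can pair them to see which attacks are still in progress and how long finished ones lasted. The following Python code is an added example, not part of the original documentation or of CloudMonitor; the record keys `name`, `resource` and `time` and the sample records are assumptions constructed for illustration, not the CloudMonitor event schema.

```python
from datetime import datetime

# Event names as listed in this topic, mapped to (attack type, phase).
EVENT_NAMES = {
    "ddosdip_event_blackhole_add": ("blackhole_filtering", "start"),
    "ddosdip_event_blackhole_end": ("blackhole_filtering", "end"),
    "ddosdip_event_defense_add": ("traffic_scrubbing", "start"),
    "ddosdip_event_defense_end": ("traffic_scrubbing", "end"),
    "ddosdip_event_cc4_add": ("layer4_flood", "start"),
    "ddosdip_event_cc4_end": ("layer4_flood", "end"),
    "ddosdip_event_cc7_add": ("layer7_http_flood", "start"),
    "ddosdip_event_cc7_end": ("layer7_http_flood", "end"),
}

# Constructed sample records. The keys "name", "resource" and "time" are
# assumptions for this example, not CloudMonitor's event schema.
SAMPLE_EVENTS = [
    {"name": "ddosdip_event_defense_add", "resource": "203.0.113.10", "time": "2024-01-01T10:00:00"},
    {"name": "ddosdip_event_cc7_add", "resource": "203.0.113.10", "time": "2024-01-01T10:02:00"},
    {"name": "ddosdip_event_defense_end", "resource": "203.0.113.10", "time": "2024-01-01T10:30:00"},
    {"name": "ddosdip_event_blackhole_end", "resource": "203.0.113.20", "time": "2024-01-01T11:00:00"},
    {"name": "ddosdip_event_unknown", "resource": "203.0.113.20", "time": "2024-01-01T11:05:00"},
]


def correlate(events):
    """Pair *_add with *_end events per (resource, attack type).

    Returns (closed, ongoing, anomalies):
      closed    - list of (resource, attack_type, duration_seconds)
      ongoing   - dict {(resource, attack_type): start datetime}
      anomalies - records with an unknown name, or an end without a start
    """
    closed, ongoing, anomalies = [], {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        mapped = EVENT_NAMES.get(ev["name"])
        if mapped is None:
            anomalies.append(ev)
            continue
        attack_type, phase = mapped
        key = (ev["resource"], attack_type)
        ts = datetime.fromisoformat(ev["time"])
        if phase == "start":
            # Keep the earliest start if a duplicate add arrives.
            ongoing.setdefault(key, ts)
        elif key in ongoing:
            closed.append((*key, (ts - ongoing.pop(key)).total_seconds()))
        else:
            anomalies.append(ev)  # end seen without a matching start
    return closed, ongoing, anomalies
```

An end event without a matching start usually means the query time range began after the attack started, so widen the range before treating it as a data problem.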