
Anti-DDoS: Configure alert notifications for DDoS attack events

Last Updated: Oct 18, 2023

After you configure alert notifications, Alibaba Cloud notifies you of the most recent DDoS attack events that occur on your workloads. This way, you can handle exceptions and recover workloads at the earliest opportunity. This topic describes how to configure alert notifications for DDoS attack events.

Alert notification channels

Anti-DDoS Origin paid editions support the following alert notification channels: Message Center, CloudMonitor, and Simple Log Service. You can select an alert notification channel based on your business requirements.

| Comparison item | Message Center (Anti-DDoS Origin Basic) | Message Center (Anti-DDoS Origin paid editions) | CloudMonitor | Simple Log Service |
| --- | --- | --- | --- | --- |
| Supported editions of Anti-DDoS Origin instances | Anti-DDoS Origin Basic | Anti-DDoS Origin paid editions | Anti-DDoS Origin paid editions | Anti-DDoS Origin paid editions |
| Scenarios | General alerting scenarios in which you only need to be notified of attacks | General alerting scenarios in which you only need to be notified of attacks | General alerting scenarios in which you can use simple filter conditions to send alert notifications of important events | Enterprise-level alerting scenarios in which you can configure items such as service metrics, alert policies, notification methods, and content and generate statistical reports based on different combinations of the items |
| Configuration complexity | Low | Low | Medium | High |
| Flexibility | Low. Alerts can be reported at the beginning and end of an event. | Low. Alerts can be reported at the beginning and end of an event. | Medium. Alerts can be reported at the beginning and end of a filtered important event. | High. Alerts can be reported at the beginning and end of an event based on traffic thresholds or on a combination of conditions. |
| Notification methods | Email | Email | Text message, email, voice call, webhook | Text message, email, voice call, webhook |
| Reliability and timeliness | The reliability and timeliness cannot be ensured. If a large number of highly concurrent requests are sent, rate limiting may be triggered. Note: We recommend that you deploy a self-managed traffic monitoring system. For example, you can monitor sudden increases and decreases in the number of requests that are sent to IP addresses of specific assets. You can also use external tools to check whether IP addresses of specific assets can be accessed. | The reliability is high. An alert notification is sent within 5 minutes after the alert is generated. | The reliability is high. An alert notification is sent 5 to 10 minutes after the alert is generated. | The reliability is high. An alert notification is sent 5 to 10 minutes after the alert is generated. |
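
The self-managed monitoring recommended in the note above, as an added example (not Alibaba Cloud code): it flags sudden increases and decreases in per-minute request counts for each asset IP address and reports only the start and end of each anomaly. The thresholds, window size, and sample counts are assumptions constructed for illustration.

```python
from collections import deque
from statistics import median

# Assumed tuning values for this example; adjust to your own traffic.
WINDOW = 5          # minutes of normal traffic used as the baseline
SURGE_FACTOR = 4    # count >= 4x baseline: sudden increase
DROP_FACTOR = 0.25  # count <= 25% of baseline: sudden decrease
MIN_BASELINE = 50   # assets quieter than this are too noisy to judge

# Constructed sample: requests per minute for three asset IP addresses
# (documentation range 203.0.113.0/24), minute 0 first.
SAMPLE = {
    "203.0.113.10": [100, 110, 95, 105, 100, 102, 900, 950, 100],
    "203.0.113.20": [200, 210, 190, 205, 195, 200, 198, 0, 0],
    "203.0.113.30": [5, 3, 4, 40, 2, 1, 30, 0, 2],
}

def classify(count, baseline):
    """Label one minute of traffic against the asset's baseline."""
    if baseline < MIN_BASELINE:
        return "normal"
    if count >= baseline * SURGE_FACTOR:
        return "surge"
    if count <= baseline * DROP_FACTOR:
        return "drop"
    return "normal"

def detect_events(series):
    """Return (ip, minute, event) tuples at the start and end of each anomaly."""
    events = []
    for ip, counts in series.items():
        past, state = deque(maxlen=WINDOW), "normal"
        for minute, count in enumerate(counts):
            if len(past) == WINDOW:
                new_state = classify(count, median(past))
                if new_state != state:
                    if state != "normal":
                        events.append((ip, minute, state + "_end"))
                    if new_state != "normal":
                        events.append((ip, minute, new_state + "_start"))
                    state = new_state
            # Only normal minutes feed the baseline, so an ongoing event
            # cannot pull the baseline toward attack-level traffic.
            if state == "normal":
                past.append(count)
    return events

if __name__ == "__main__":
    for ip, minute, event in detect_events(SAMPLE):
        print(f"minute {minute}: {ip} {event}")
```

A drop to zero on an asset that normally carries traffic is worth pairing with an external reachability check, as the note suggests.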

Configure alert notifications in Message Center (supported for Anti-DDoS Origin Basic and Anti-DDoS Origin paid editions)

Message Center is a message notification service that is provided for Alibaba Cloud accounts. You can use Message Center to configure different types of notifications for Alibaba Cloud services.

  1. Log on to the Message Center console.

  2. On the Common Settings page, specify the Email notification method.

    1. In the left-side navigation pane, choose Message Settings > Common Settings.

    2. In the Product Message section of the Common Settings page, select Security Notice. Then, select Email.

    3. In the lower part of the page, click Add Message Recipient. In the Modify Contact dialog box, select or specify contacts. Then, click Save.

Configure alert notifications in CloudMonitor (supported for Anti-DDoS Origin paid editions)

CloudMonitor is a service that monitors resources and Internet applications. You can configure CloudMonitor to monitor blackhole filtering events and traffic scrubbing events that occur on an Anti-DDoS Origin instance of a paid edition. When DDoS attack events occur, Alibaba Cloud sends alert notifications to the contacts in the selected contact group.

  1. Log on to the CloudMonitor console.
  2. Create an alert contact. If you have created an alert contact, skip this step.

    1. In the left-side navigation pane, choose Alerts > Alert Contacts.

    2. On the Alert Contacts tab, click Create Alert Contact. In the Set Alert Contact panel, configure the parameters, drag the slider to complete verification, and then click OK.

  3. Create an alert group. If you have created an alert group, skip this step.

    Note

    CloudMonitor sends alert notifications only to an alert contact group. You can add one or more alert contacts to an alert contact group.

    1. In the left-side navigation pane, choose Alerts > Alert Contacts.

    2. On the Alert Contact Group tab, click Create Alert Contact Group. In the Create Alert Contact Group panel, configure the parameters, select contacts, and then click Confirm.

  4. In the left-side navigation pane, choose Event Center > System Event.

  5. On the Event-triggered Alert Rules tab, click Create Alert Rule.

  6. In the Create/Modify Event-triggered Alert Rule panel, configure the parameters and click OK.

    | Section | Parameter | Description |
    | --- | --- | --- |
    | Basic Info | Alert Rule Name | Enter a name for the alert rule. |
    | Event-triggered Alert Rules | Product Type | Select Anti-DDoS Origin. |
    | Event-triggered Alert Rules | Event Type | Select the type of event for which you want to send alert notifications. Select DDoS Attacks. |
    | Event-triggered Alert Rules | Event Level | Select the severity level of the event for which you want to send alert notifications. Select CRITICAL. The value is fixed as CRITICAL. |
    | Event-triggered Alert Rules | Event Name | Select the event for which you want to send alert notifications. Valid values: ddosbgp_event_blackhole and ddosbgp_event_clean. |
    | Event-triggered Alert Rules | Keyword Filtering | In the Keyword Filtering field, enter a keyword for filtering and select a match condition from the Condition drop-down list. Valid values: • Contains any of the keywords: If the alert rule contains any one of the specified keywords, no alert notifications are sent. • Does not contain any of the keywords: If the alert rule does not contain any one of the specified keywords, no alert notifications are sent. |
    | Event-triggered Alert Rules | SQL Filter | Specify the SQL statements that are used for filtering. |
    | Event-triggered Alert Rules | Resource Range | Select the range of the resources to which the event-triggered alert rule is applied. Select All Resources. • All Resources: CloudMonitor sends alert notifications for all resource-related events based on your configurations. • Application Groups: CloudMonitor sends alert notifications only for events that are related to the resources in the specified application group. |
    | Notification Method | Contact Group | Select the alert contact groups to which alert notifications are sent. |
    | Notification Method | Alert Notification | Specify the severity level and notification method of the event alert. Valid values: • Critical (Email + Webhook) • Warning (Email + Webhook) • Info (Email + Webhook) |
    | Notification Method | Message Queue, Function Compute, URL Callback, and Log Service | You do not need to specify these parameters. |
    | Notification Method | Mute For | Select the period during which an alert is muted. This parameter specifies the interval at which an alert notification is sent to the specified contacts again if the alert is not cleared. |

Configure alert notifications in Simple Log Service (supported for Anti-DDoS Origin paid editions)

After you enable the mitigation logs feature, you can query and analyze the service traffic and mitigation logs of an Anti-DDoS Origin instance of a paid edition. You can also create custom alert rules for specific service metrics based on the analysis results. If the service metrics for the Anti-DDoS Origin instance of a paid edition are abnormal, Simple Log Service sends alert notifications at the earliest opportunity.

  1. Log on to the Traffic Security console.

  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Mitigation Logs.

  3. In the top navigation bar, select the resource group to which the instance belongs and the region in which the instance resides.

    • For an Anti-DDoS Origin 1.0 instance or EIP with Anti-DDoS (Enhanced) enabled, select the region in which the instance or EIP resides.

    • For an Anti-DDoS Origin 2.0 instance, select All Regions.

  4. Activate Simple Log Service as prompted and complete Resource Access Management (RAM) authorization. Skip this step if Simple Log Service is activated and authorization is complete.

  5. Enable the mitigation logs feature for the instance. Skip this step if the feature is enabled.

    1. On the Mitigation Logs page, select the required instance and click Upgrade Now.

    2. On the Upgrade/Downgrade page, set Mitigation Logs to On. Then, read and select Terms of Service.

    3. Click Buy Now and then click Subscribe to enable the mitigation logs feature for the instance.

  6. Configure an alert monitoring rule for the instance.

    1. On the Mitigation Logs page, select the required instance and click Save as Alert in the upper-right corner.

    2. In the Alert Monitoring Rule panel, configure the parameters.

      Parameter

      Description

      Rule Name

      Specify a name for the alert monitoring rule.

      Check Frequency

      Specify the frequency at which query and analysis results are checked.

      • Hourly: Query and analysis results are checked every hour.

      • Daily: Query and analysis results are checked at a specified point in time every day.

      • Weekly: Query and analysis results are checked at a specified point in time on a specified day of each week.

      • Fixed Interval: Query and analysis results are checked at a specified interval.

      • Cron: Query and analysis results are checked at an interval that is specified by a cron expression. A cron expression can specify an interval that is accurate to the minute. The cron expression is based on the 24-hour clock. For example, 0 0/1 * * * indicates that query and analysis results are checked at an interval of 1 hour from 00:00.

      Query Statistics

      Click the input box. In the Query Statistics dialog box, configure information about a query statement.

      • Associated Report: Select DDoS BGP Events Report or DDoS Scrubbing Analysis Report.

      • Advanced Settings: Use the default settings. By default, Logstore is selected.

      Group Evaluation

      Simple Log Service can group query and analysis results. For more information, see Use the group evaluation feature.

      • No Grouping: Only one alert is triggered in each check period when the trigger condition is met.

      • Custom Label: Simple Log Service groups query and analysis results based on the specified fields. After Simple Log Service groups the query and analysis results, Simple Log Service checks whether the query and analysis results in each group meet the trigger condition. If the query and analysis results in each group meet the trigger condition in each check period, an alert is triggered for each group.

      Trigger Condition

      Specify the trigger condition and severity level of an alert.

      • Trigger Condition

        • Data is returned: If data is returned in the query and analysis results, an alert is triggered.

        • the query result contains: If the query and analysis results contain N data entries, an alert is triggered.

        • data matches the expression: If the query and analysis results contain data that matches a specified expression, an alert is triggered.

        • the query result contains: If the query and analysis results contain N data entries that match a specified expression, an alert is triggered.

      • Severity: You can specify one trigger condition and specify a severity level for the condition. In this case, all alerts that are triggered based on the alert monitoring rule have the same severity level. You can also specify more than one trigger condition and specify different severity levels for each condition. You can click Create to specify additional trigger conditions.

      Add Label

      Simple Log Service allows you to add labels as identifying attributes to alerts. Labels are in the key-value pair format. This parameter is used to denoise alerts and manage alert notifications. You can add label-based conditions when you create an alert policy or an action policy. For more information, see Labels and annotations.

      Add Annotation

      Simple Log Service allows you to add annotations as non-identifying attributes to alerts. Annotations are in the key-value pair format. This parameter is used to denoise alerts and manage alert notifications. You can add annotation-based conditions when you create an alert policy or an action policy. For more information, see Labels and annotations.

      If you turn on Auto-Add Annotations, fields such as __count__ are automatically added to alerts. For more information, see Auto-Add switch.

      Recovery Notifications

      If you turn on Recovery Notifications, a recovery alert is triggered each time an alert is cleared. The severity level of a recovery alert is the same as the severity level of the alert for which the recovery alert is triggered.

      Advanced Settings

      • Threshold of Continuous Triggers: If the number of consecutive times that the specified trigger condition is met reaches the value of this parameter, an alert is triggered. The system does not count the number of times when the specified trigger condition is not met.

      • No Data Alert: If you turn on No Data Alert, an alert is triggered when the number of times that no data is returned exceeds the value of Threshold of Continuous Triggers. If multiple query statements are executed, the number of times is counted based on the associated query and analysis results of the query statements. For more information, see No-data alert.

      Alert Policy

      Alert policies are used to merge, silence, and suppress alerts.

      • If you select Simple Mode or Standard Mode, you do not need to configure an alert policy. In this case, Simple Log Service uses the built-in alert policy sls.builtin.dynamic to manage alerts by default.

      • If you select Advanced Mode, you can select a built-in or custom alert policy to manage alerts. For more information about how to create an alert policy, see Create an alert policy.

      Action Group

      Alert sets are sent in an alert template to recipients based on specified periods of time by using specified notification methods.

      If you set Alert Policy to Simple Mode, you must configure Action Group. Action Group is required only in that mode.

      You can also turn on Enable Intelligent Merging to group and merge alerts that are duplicate, redundant, or relevant. Only one alert notification is sent for all alerts in a group in a specified period of time. This helps denoise alerts. For more information, see Intelligent grouping and merging of alerts.

      Action Policy

      Action policies are used to manage alert notification methods and the frequency at which alert notifications are sent.

      If you set the Alert Policy parameter to Standard Mode or Advanced Mode, you can select a built-in or custom action policy to send alert notifications. For more information about how to create an action policy, see Create an action policy.

      If you set the Alert Policy parameter to Advanced Mode, you can turn on or turn off Custom Action Policy. For more information, see Dynamic action policy mechanism.

      Repeat Interval

      If duplicate alerts are triggered in the specified period of time, the action policy that you select is executed only once and Simple Log Service sends only one alert notification.