After you configure alert notifications for your Anti-DDoS Origin instance, Alibaba Cloud notifies you of the most recent DDoS attack events that occur on your workloads. This way, you can handle exceptions and restore workloads at the earliest opportunity. This topic describes how to configure alert notifications for DDoS attack events.

Alert notification channels

Anti-DDoS Origin supports the following alert notification channels: Message Center, CloudMonitor, and Log Service. You can select an alert notification channel based on your business requirements.
Alert notification channels Message Center CloudMonitor Log Service
Supported editions of Anti-DDoS Origin instances Anti-DDoS Origin Basic Anti-DDoS Origin Enterprise Anti-DDoS Origin Enterprise Anti-DDoS Origin Enterprise
Scenarios General alerting scenarios in which you need to only be notified of attacks General alerting scenarios in which you need to only be notified of attacks General alerting scenarios in which you can use simple filter conditions to send alert notifications of important events Enterprise-level alerting scenarios in which you can configure items such as service metrics, alert policies, notification methods, and content and generate statistical reports based on different combinations of the items
Configuration complexity Low Low Medium High
Flexibility Low

Alerts can be reported at the beginning and end of an event.

Low

Alerts can be reported at the beginning and end of an event.

Medium

Alerts can be reported at the beginning and end of a filtered important event.

High

Alerts can be reported at the beginning and end of an event based on traffic thresholds or on a combination of conditions.

Notification methods

Email

Email
  • Text message
  • Email
  • Voice call
  • Webhook
  • Text message
  • Email
  • Voice call
  • Webhook
Reliability and timeliness The reliability and timeliness cannot be ensured. If a large number of highly concurrent requests are sent, rate limiting may be triggered.
Note We recommend that you deploy a self-managed traffic monitoring system. For example, you can monitor sudden increases and decreases in the number of requests that are sent to IP addresses of specific assets. You can also use external tools to check whether IP addresses of specific assets can be accessed.
The reliability is high. An alert notification is sent within 5 minutes after the alert is generated. The reliability is high. An alert notification is sent 5 to 10 minutes after the alert is generated. The reliability is high. An alert notification is sent 5 to 10 minutes after the alert is generated.

Configure alert notifications in Message Center (supported for Anti-DDoS Origin Basic and Anti-DDoS Origin Enterprise)

Alibaba Cloud sends alert notifications to the specified contacts when DDoS attack events occur on an Anti-DDoS Origin instance.

  1. Log on to the Message Center console.
  2. On the Common Settings page, specify the notification methods, such as emails.
    1. In the left-side navigation pane, choose Message Settings > Common Settings.
    2. In the Product Message section of the Common Settings page, select Security Notice. Then, select Internal Messages or Email based on your business requirements.
    3. In the lower part of the page, click Add Message Recipient. In the Modify Contact dialog box, select or specify contacts. Then, click Save.

Configure alert notifications in CloudMonitor (supported for Anti-DDoS Origin Enterprise)

If DDoS attack events occur on an Anti-DDoS Origin Enterprise instance, Alibaba Cloud sends alert notifications to the contacts in the selected contact group. Supported DDoS attack events are blackhole filtering events and traffic scrubbing events.

  1. Log on to the CloudMonitor console.
  2. Create an alert contact. If you have created a contact, skip this step.
    1. In the left-side navigation pane, choose Alerts > Alert Contacts.
    2. On the Alert Contacts tab, click Create Alert Contact. In the Set Alert Contact panel, configure the parameters, drag the slider to complete verification, and then click Ok.
  3. Create an alert contact group. If you have created an alert contact group, skip this step.
    Note CloudMonitor sends alert notifications only to an alert contact group. You can add one or more alert contacts to an alert contact group.
    1. In the left-side navigation pane, choose Alerts > Alert Contacts.
    2. On the Alert Contact Group tab, click Create Alert Contact Group. In the Create Alert Contact Group panel, configure the parameters, select contacts, and then click Confirm.
  4. In the left-side navigation pane, choose Event Monitoring > System Event.
  5. On the Event-triggered Alert Rules tab, click Create Alert Rule.
  6. In the Create/Modify Event-triggered Alert Rule panel, configure the parameters and click OK.
    Section Parameter Description
    Basic Info Alert Rule Name Enter a name for the alert rule.
    Event-triggered Alert Rules Product Type Select Anti-DDoS Origin.
    Event Type Select the type of event for which you want to send alert notifications. Select DDoS Attacks.
    Event Level Select the severity level of the event for which you want to send alert notifications. Select Critical. The value is fixed as Critical.
    Event Name Select the event for which you want to send alert notifications. Valid values: ddosbgp_event_blackhole and ddosbgp_event_clean.
    Keyword Filtering In the Keyword Filtering field, enter a keyword for filtering and select a match condition from the Condition drop-down list. Valid values:
    • Contains any of the keywords: If the alert rule contains any one of the specified keywords, an alert notification is sent.
    • Does not contain any of the keywords: If the alert rule does not contain any one of the specified keywords, an alert notification is sent.
    SQL Filter Specify the SQL statements that are used for filtering.
    Resource Range Select the range of the resources to which the event-triggered alert rule is applied. Select All Resources.
    • All Resources: CloudMonitor sends alert notifications for all resource-related events based on your configurations.
    • Application Groups: CloudMonitor sends alert notifications only for events that are related to the resources in the specified application group.
    Notification Method Contact Group Select the alert contact groups to which alert notifications are sent.
    Alert Notification Specify the severity level and notification method of the event alert. Valid values:
    • Critical (Phone Call + Text Message + Email + Webhook)
    • Warning (Text Message + Email + Webhook)
    • Info (Email + Webhook)
    Message Queue, Function Compute, URL Callback, and Log Service You do not need to specify these parameters.
    Mute For Select the period during which an alert is muted. This parameter specifies the interval at which an alert notification is sent to the specified contacts again if the alert is not cleared.

Configure alert notifications in Log Service (supported for Anti-DDoS Origin Enterprise)

Anti-DDoS Origin Enterprise supports the mitigation logs feature. You can query and analyze mitigation logs of Anti-DDoS Origin Enterprise instances. You can use query and analysis results to create custom alert rules for metrics based on your business requirements.

  1. Log on to the Traffic Security console.
  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Mitigation Logs.
  3. In the top navigation bar, select the resource group and region of your instance.
  4. Activate Log Service as prompted and complete Resource Access Management (RAM) authorization. Skip this step if Log Service is activated and authorization is complete.
  5. Enable the mitigation logs feature for the instance. Skip this step if the feature is enabled.
    1. On the Mitigation Logs page, select the required instance and click Upgrade Now.
    2. On the Anti-DDoS Basic | Upgrade/Downgrade page, set Mitigation Logs to On. Then, read and select Terms of Service.
    3. Click Buy Now and then click Subscribe to enable the mitigation logs feature for the instance.
  6. Configure an alert monitoring rule for the instance.
    1. On the Mitigation Logs page, select the required instance and click Save as Alert in the upper-right corner.
    2. In the Save as Alert drop-down list, select New Version Alert. In the Alert Rules panel, configure the parameters.
      Parameter Description
      Rule Name Specify a name for the alert monitoring rule.
      Check Frequency Specify the frequency at which query and analysis results are checked.
      • Hourly: Query and analysis results are checked every hour.
      • Daily: Query and analysis results are checked at a specified point in time every day.
      • Weekly: Query and analysis results are checked at a specified point in time on a specified day of each week.
      • Fixed Interval: Query and analysis results are checked at a specified interval.
      • Cron: Query and analysis results are checked at an interval that is specified by a cron expression. A cron expression can specify an interval that is accurate to the minute. The cron expression is based on the 24-hour clock. For example, 0 0/1 * * * indicates that query and analysis results are checked at an interval of 1 hour from 00:00.
      Query Statistics Click the input box. In the Query Statistics dialog box, configure information about a query statement.
      • Associated Report: Select DDoS BGP Events Report or DDoS Scrubbing Analysis Report.
      • Advanced Settings: Use the default settings. By default, Logstore is selected.
      Group Evaluation Log Service can group query and analysis results. For more information, see Use the group evaluation feature.
      • No Grouping: Only one alert is triggered in each check period when the trigger condition is met.
      • Custom Label: Log Service groups query and analysis results based on the fields specified fields. After Log Service groups the query and analysis results, Log Service checks whether the query and analysis results in each group meet the trigger condition. If the query and analysis results in each group meet the trigger condition in each check period, an alert is triggered for each group.
      Trigger Condition Specify the trigger condition and severity level of an alert.
      • Trigger Condition
        • Data is returned: If data is returned in the query and analysis results, an alert is triggered.
        • the query result contains: If the query and analysis results contain N data entries, an alert is triggered.
        • data matches the expression: If the query and analysis results contain data that matches a specified expression, an alert is triggered.
        • the query result contains: If the query and analysis results contain N data entries that match a specified expression, an alert is triggered.
      • Severity: You can specify one trigger condition and specify a severity level for the condition. In this case, all alerts that are triggered based on the alert monitoring rule have the same severity level. You can also specify more than one trigger condition and specify different severity levels for each condition. You can click Create to specify additional trigger conditions.
      Add Label Log Service allows you to add labels as identifying attributes to alerts. Labels are in the key-value pair format. This parameter is used to denoise alerts and manage alert notifications. You can add label-based conditions when you create an alert policy or an action policy. For more information, see Labels and annotations.
      Add Annotation Log Service allows you to add annotations as non-identifying attributes to alerts. Annotations are in the key-value pair format. This parameter is used to denoise alerts and manage alert notifications. You can add annotation-based conditions when you create an alert policy or an action policy. For more information, see Labels and annotations.

      If you turn on Auto-Add Annotations, fields such as __count__ are automatically added to alerts. For more information, see Auto-Add switch
      Recovery Notifications If you turn on Recovery Notifications, a recovery alert is triggered each time an alert is cleared. The severity level of a recovery alert is the same as the severity level of the alert for which the recovery alert is triggered.
      Advanced Settings
      • Threshold of Continuous Triggers: If the number of consecutive times that the specified trigger condition is met reaches the value of this parameter, an alert is triggered. The system does not count the number of times when the specified trigger condition is not met.
      • No Data Alert: If you turn on No Data Alert, an alert is triggered when the number of times that no data is returned exceeds the value of Threshold of Continuous Triggers. If multiple query statements are executed, the number of times is counted based on the associated query and analysis results of the query statements. For more information, see No-data alert
      Alert Policy Alert policies are used to merge, silence, and suppress alerts.
      • If you select Simple Mode or Standard Mode, you do not need to configure an alert policy. In this case, Log Service uses the built-in alert policy sls.builtin.dynamic to manage alerts by default.
      • If you select Advanced Mode, you can select a built-in or custom alert policy to manage alerts. For more information about how to create an alert policy, see Create an alert policy.
      Action Group Alert sets are sent in an alert template to recipients based on specified periods of time by using specified notification methods.

      If you set Alert Policy to Simple Mode, you must configure Action Group.

      Action Group is required only if you set Alert Policy to Simple Mode.

      You can also turn on Enable Intelligent Merging to merge duplicate, redundant, or relevant alerts into a group. Log Service sends only one alert notification for each group in a specified period of time. This helps you denoise alerts. For more information, see Intelligent grouping and merging of alerts.

      Action Policy Action policies are used to manage alert notification methods and the frequency at which alert notifications are sent.

      If you set the Alert Policy parameter to Standard Mode or Advanced Mode, you can select a built-in or custom action policy to send alert notifications. For more information about how to create an action policy, see Create an action policy.

      If you set the Alert Policy parameter to Advanced Mode, you can turn on or turn off Custom Action Policy. For more information, see Dynamic action policy mechanism.

      Repeat Interval If duplicate alerts are triggered in the specified period of time, the action policy that you select is executed only once and Log Service sends only one alert notification.