This topic describes how to configure alert notifications for blackhole filtering events and traffic scrubbing events that occur on an Anti-DDoS Origin instance. After alert notifications are configured, Alibaba Cloud notifies you of the latest DDoS attack events that occur on your Anti-DDoS Origin instance. This allows you to handle exceptions and restore workloads at the earliest opportunity.

Description of alert notification channels

Anti-DDoS Origin supports the following alert notification channels:
  • Message Center

    Message Center is a message notification service that is provided for Alibaba Cloud accounts. You can use Message Center to configure different types of notifications for Alibaba Cloud services. You can enable Security Notice in Message Center. If security events are detected on your assets, Alibaba Cloud sends alert notifications to the specified contacts by using methods such as internal messages and emails.

  • CloudMonitor
    CloudMonitor monitors Internet applications and Alibaba Cloud resources. You can use CloudMonitor to monitor DDoS attack events that occur on Anti-DDoS Origin instances. The DDoS attack events include the following types of events:
    • Blackhole filtering events: If the peak bandwidth of DDoS attacks exceeds the blackhole filtering threshold specified for your asset, blackhole filtering is triggered on your asset.
    • Traffic scrubbing events: If the traffic volume of DDoS attacks exceeds the traffic scrubbing threshold, traffic scrubbing is triggered.
    You can configure event alert rules for Anti-DDoS Origin. If CloudMonitor detects that DDoS attack events occur on Anti-DDoS Origin instances, CloudMonitor sends alert notifications to the specified contacts by using methods such as emails and DingTalk. This way, you are notified of the latest attack events and can handle exceptions at the earliest opportunity. For more information, see Configure alert rules in CloudMonitor.
  • Log Service

    Anti-DDoS Origin Enterprise supports mitigation analysis based on traffic logs. After you enable mitigation analysis for an Anti-DDoS Origin Enterprise instance, the instance collects the service traffic and mitigation logs of the protected assets. You can view and analyze the logs. In addition, you can create custom alert rules for specific service metrics based on the analysis results. If the service metrics for the Anti-DDoS Origin Enterprise instance are abnormal, Log Service sends alert notifications at the earliest opportunity.

    For more information about how to configure alert rules in Log Service, see Configure an alert in Log Service.

The following table compares the alert notification methods from different dimensions. You can choose an alert notification method based on your business requirements.

| Item | Message Center | CloudMonitor | Log Service |
| --- | --- | --- | --- |
| Supported editions of Anti-DDoS Origin instances | Anti-DDoS Origin Enterprise instances and Anti-DDoS Origin Basic instances | Anti-DDoS Origin Enterprise instances | Anti-DDoS Origin Enterprise instances that have the mitigation analysis feature enabled |
| Scenarios | General alerting scenarios in which you need only to be notified of attacks | General alerting scenarios in which you can use simple filter conditions to receive alert notifications of important events | Enterprise-level alerting scenarios in which you can configure items such as service metrics, alert policies, notification methods, and content and generate statistical reports based on different combinations of the items |
| Configuration complexity | Low | Medium | High |
| Flexibility | Low. Alerts can be reported at the beginning and end of an event. | Medium. Alerts can be reported at the beginning and end of an event at this time. | High. Alerts can be reported at the beginning and end of an event based on traffic thresholds or based on a combination of conditions. |
| Notification method | Internal messages, emails | Emails, webhook | Emails, webhook |
| Reliability and timeliness | The reliability is extremely high, and an alert notification is sent within 5 minutes after the alert is generated. | The reliability is high, and an alert notification is sent 5 to 10 minutes after the alert is generated. | The reliability is high, and an alert notification is sent 5 to 10 minutes after the alert is generated. |

Configure alert notifications in CloudMonitor (available only for Anti-DDoS Origin Enterprise)

If you have purchased an Anti-DDoS Origin Enterprise instance, you can perform the following steps to configure alert notifications for DDoS attack events in the CloudMonitor console. If you use an Anti-DDoS Origin Basic instance, we recommend that you use Message Center to configure alert notifications. You cannot configure alert notifications for an Anti-DDoS Origin Basic instance in the CloudMonitor console.

  1. Log on to the CloudMonitor console.
  2. Optional: Create an alert contact. If you have created a contact, skip this step.
    1. In the left-side navigation pane, choose Alerts > Alert Contacts.
    2. On the Alert Contacts tab, click Create Alert Contact.
    3. In the Set Alert Contact panel, configure the parameters, drag the slider to complete verification, and then click OK.
  3. Optional: Create an alert group. If you have created an alert group, skip this step.
    Note CloudMonitor sends alert notifications only to an alert group. You can add one or more alert contacts to an alert group.
    1. In the left-side navigation pane, choose Alerts > Alert Contacts.
    2. On the Alert Contact Group tab, click Create Alert Contact Group.
    3. In the Create Alert Contact Group panel, enter a group name in the Group Name field. Select the alert contact that you created from the Existing Contacts section and add the contact to the Selected Contacts section. Then, click Confirm.
  4. In the left-side navigation pane, choose Alerts > Alert Rules.
  5. On the page that appears, click the Event Alert tab. On the Event Alert tab, click Create Event Alert.
  6. In the Create / Modify Event Alert panel, configure the parameters and click OK.
    Create / Modify Event Alert

    | Section | Parameter | Description |
    | --- | --- | --- |
    | Basic Information | Alert Rule Name | Enter a name for the alert rule. |
    | Event Alert | Event Type | Select System Event. |
    | | Product Type | Select Anti-DDoS Origin, which indicates Anti-DDoS Origin Enterprise instances. |
    | | Event Type | Select the type of event for which you want to receive alert notifications. Valid value: DDoS attacks. |
    | | Event Level | Select the level of events for which you want to receive alert notifications. Valid values: CRITICAL, WARN, and INFO. Notice: You can select multiple levels. If you select multiple levels, you must select CRITICAL for all events. |
    | | Event Name | Select the event for which you want to receive alert notifications. Valid values: ddosbgp_event_blackhole and ddosbgp_event_clean. |
    | | Resource Range | Select All Resources. |
    | Alert Type | Alert Notification | Select Alert Notification and configure Contact Group and Notification Method. Contact Group: Select an existing contact group. Notification Method: Set the value to Info (Email ID+DingTalk Robot). Only this option is supported. You can click Add to add more contact groups and notification methods. |
    | | MNS queue | You do not need to specify this parameter. |
    | | Function service | You do not need to specify this parameter. |
    | | URL callback | You do not need to specify this parameter. |
    | | Log Service | You do not need to specify this parameter. |

After an alert rule is created, you can view the rule in the rule list. The new alert rule is enabled by default. If DDoS attack events occur on an Anti-DDoS Origin Enterprise instance, Alibaba Cloud sends alert notifications to the contacts in the selected contact group. Supported DDoS attack events are blackhole filtering events and traffic scrubbing events.
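
Because alerts are reported at the beginning and at the end of an event, the receiving side can pair the two notices to see which instances are still under blackhole filtering or scrubbing. The following is an added example, not Alibaba Cloud code: the record fields (`instance`, `name`, `phase`, `time`), the sample records, and the 30-minute paging policy are assumptions made for illustration and do not reflect the CloudMonitor notification format.

```python
from datetime import datetime, timedelta

# Event names taken from the Event Name parameter described above.
BLACKHOLE = "ddosbgp_event_blackhole"
SCRUBBING = "ddosbgp_event_clean"

# Constructed sample notifications; the field names are assumptions for this
# example, not the CloudMonitor payload schema.
SAMPLE_EVENTS = [
    {"instance": "ddosbgp-example-1", "name": SCRUBBING, "phase": "start", "time": "2024-01-01T10:00:00"},
    {"instance": "ddosbgp-example-1", "name": BLACKHOLE, "phase": "start", "time": "2024-01-01T10:04:00"},
    {"instance": "ddosbgp-example-2", "name": SCRUBBING, "phase": "start", "time": "2024-01-01T10:05:00"},
    {"instance": "ddosbgp-example-2", "name": SCRUBBING, "phase": "end", "time": "2024-01-01T10:20:00"},
    {"instance": "ddosbgp-example-1", "name": SCRUBBING, "phase": "end", "time": "2024-01-01T10:30:00"},
]


def correlate(events):
    """Pair start/end notices per (instance, event name).

    Returns (closed, still_open): closed is a list of
    (instance, name, duration); still_open maps (instance, name) -> start time.
    """
    still_open = {}
    closed = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["instance"], ev["name"])
        ts = datetime.fromisoformat(ev["time"])
        if ev["phase"] == "start":
            still_open.setdefault(key, ts)  # keep the first start, ignore repeats
        elif key in still_open:
            closed.append((*key, ts - still_open.pop(key)))
        # An "end" without a recorded start means the start notice was missed;
        # it is skipped here rather than guessed at.
    return closed, still_open


def needs_attention(still_open, now, max_age=timedelta(minutes=30)):
    """Assumed policy: an open blackhole event always needs attention (the
    asset is unreachable); open scrubbing only once it exceeds max_age."""
    return [
        (instance, name)
        for (instance, name), started in sorted(still_open.items())
        if name == BLACKHOLE or now - started > max_age
    ]
```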

Configure alert notifications in Message Center (available for Anti-DDoS Origin Basic and Anti-DDoS Origin Enterprise)

You can perform the following steps to configure alert notifications in Message Center.

  1. Log on to the Message Center console.
  2. In the left-side navigation pane, choose Message Settings > Common Settings.
  3. On the Common Settings page, select Security Notice. Then, select the notification methods based on your business requirements.
    The following notification methods are supported:
    • Internal Messages: If you select this option, Alibaba Cloud sends alert notifications by using internal messages. You can view the internal messages by clicking the Internal Messages icon in the upper-right corner of the Alibaba Cloud Management Console.
    • Email: If you select this option, Alibaba Cloud sends alert notifications by using emails. The alert notifications are sent to the email addresses of the contacts that you specify.
  4. Click Add Message Recipient.
  5. In the Modify Contact dialog box, select or configure contacts. Then, click Save.

After you complete the configurations, Alibaba Cloud sends alert notifications to the specified contacts when DDoS attack events occur on an Anti-DDoS Origin instance.