After you configure alert notifications, Alibaba Cloud notifies you of the most recent DDoS attack events that occur on your workloads. This way, you can handle exceptions and recover workloads at the earliest opportunity. This topic describes how to configure alert notifications for DDoS attack events.
Alert notification channels
Anti-DDoS Origin supports the following alert notification channels: Message Center, CloudMonitor, and Simple Log Service. You can select an alert notification channel based on your business requirements.
| Comparison item | Message Center (Anti-DDoS Basic) | Message Center (Anti-DDoS Origin) | CloudMonitor | Simple Log Service |
|---|---|---|---|---|
| Supported editions of Anti-DDoS Origin instances | Anti-DDoS Basic | Anti-DDoS Origin | Anti-DDoS Origin | Anti-DDoS Origin |
| Scenarios | General alerting scenarios in which you need to only be notified of attacks | General alerting scenarios in which you need to only be notified of attacks | General alerting scenarios in which you can use simple filter conditions to send alert notifications of important events | Enterprise-level alerting scenarios in which you can configure items such as service metrics, alert policies, notification methods, and content and generate statistical reports based on different combinations of the items |
| Configuration complexity | Low | Low | Medium | High |
| Flexibility | Low. Alerts can be reported at the beginning and end of an event. | Low. Alerts can be reported at the beginning and end of an event. | Medium. Alerts can be reported at the beginning and end of a filtered important event. | High. Alerts can be reported at the beginning and end of an event based on traffic thresholds or on a combination of conditions. |
| Notification methods | | | | |
| Reliability and timeliness | The reliability and timeliness cannot be ensured. If a large number of highly concurrent requests are sent, rate limiting may be triggered. Note: We recommend that you deploy a self-managed traffic monitoring system. For example, you can monitor sudden increases and decreases in the number of requests that are sent to IP addresses of specific assets. You can also use external tools to check whether IP addresses of specific assets can be accessed. | The reliability is high. An alert notification is sent within 5 minutes after the alert is generated. | The reliability is high. An alert notification is sent 5 to 10 minutes after the alert is generated. | The reliability is high. An alert notification is sent 5 to 10 minutes after the alert is generated. |
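The self-managed traffic monitor that the note recommends, as an added example (not Alibaba Cloud code): it counts requests per asset IP per minute and flags sudden increases or decreases against a rolling median baseline. The log line format, the asset IPs and the traffic profile are constructed for the demo.

```python
"""Self-managed traffic monitor: count requests per asset IP per minute and flag
sudden increases or decreases against a rolling baseline. Added example, not
Alibaba Cloud code; the log format and traffic profile are constructed."""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed profile: requests per minute to each asset, with a spike and a drop.
PROFILE = {"203.0.113.10": [100, 100, 100, 100, 100, 800, 100, 15, 100],
           "203.0.113.20": [50] * 9}  # steady traffic, must stay quiet


def sample_lines() -> List[str]:
    """Build constructed access-log lines: '<ISO timestamp> <destination IP>'."""
    lines = []
    for ip, counts in PROFILE.items():
        for minute, n in enumerate(counts):
            lines += [f"2024-05-01T10:{minute:02d}:{s % 60:02d} {ip}" for s in range(n)]
    return lines


def per_minute_counts(lines: List[str]) -> Dict[str, List[Tuple[str, int]]]:
    """Bucket lines into, per destination IP, a minute-ordered list of request counts."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, ip = line.split()
        counts[ip][ts[:16]] += 1  # 'YYYY-MM-DDTHH:MM'
    return {ip: sorted(m.items()) for ip, m in counts.items()}


def detect_anomalies(series: List[Tuple[str, int]], window: int = 5,
                     up_factor: float = 5.0, down_factor: float = 0.2,
                     min_baseline: int = 10) -> List[Tuple[str, str, int, float]]:
    """Compare each minute with the median of the previous `window` minutes; the
    median is not dragged up by a spike that just passed, so a drop two minutes
    later is still judged against normal traffic. Returns (minute, kind, count, baseline)."""
    found = []
    for i in range(window, len(series)):
        baseline = median(c for _, c in series[i - window:i])
        minute, count = series[i]
        if baseline < min_baseline:
            continue  # too little traffic to judge a ratio
        if count >= up_factor * baseline:
            found.append((minute, "spike", count, baseline))
        elif count <= down_factor * baseline:
            found.append((minute, "drop", count, baseline))
    return found


def run_demo() -> Dict[str, List[Tuple[str, str, int, float]]]:
    """Run the detector over the constructed sample; only the first IP should alert."""
    return {ip: detect_anomalies(s) for ip, s in per_minute_counts(sample_lines()).items()}
```

In production the lines would come from your access logs and each anomaly would be forwarded to whichever channel you chose above; a reachability probe of the asset IPs is a separate check this block does not perform.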
Configure alert notifications in Message Center (supported for Anti-DDoS Basic and Anti-DDoS Origin)
Message Center is a message notification service that is provided for Alibaba Cloud accounts. You can use Message Center to configure different types of notifications for Alibaba Cloud services.
Log on to the Message Center console.
On the Common Settings page, specify the Email notification method.
In the left-side navigation pane, choose .
In the Product Message section of the Common Settings page, select Security Notice. Then, select Email.
In the lower part of the page, click Add Message Recipient. In the Modify Contact dialog box, select or specify contacts. Then, click Save.
Configure alert notifications in CloudMonitor (supported for Anti-DDoS Origin)
CloudMonitor is a service that monitors resources and Internet applications. You can configure CloudMonitor to monitor blackhole filtering events and traffic scrubbing events that occur on an Anti-DDoS Origin instance. When DDoS attack events occur, Alibaba Cloud sends alert notifications to the contacts in the selected contact group.
Log on to the CloudMonitor console.
Create an alert contact. If you have created an alert contact, skip this step.
In the left-side navigation pane, choose .
On the Alert Contacts tab, click Create Alert Contact. In the Set Alert Contact panel, configure the parameters, drag the slider to complete verification, and then click OK.
Create an alert group. If you have created an alert group, skip this step.
Note: CloudMonitor sends alert notifications only to an alert contact group. You can add one or more alert contacts to an alert contact group.
In the left-side navigation pane, choose .
On the Alert Contact Group tab, click Create Alert Contact Group. In the Create Alert Contact Group panel, configure the parameters, select contacts, and then click Confirm.
In the left-side navigation pane, choose . Then, click Save as Alert Rule.
In the Create/Modify Event-triggered Alert Rule panel, configure the parameters and click OK.
| Section | Parameter | Description |
|---|---|---|
| Basic Info | Alert Rule Name | Enter a name for the alert rule. |
| Event-triggered Alert Rules | Product Type | Select ddosbgp. |
| | Event Type | Select the type of event for which you want to send alert notifications. Select DDoS Attacks. |
| | Event Level | Select the severity level of the event for which you want to send alert notifications. Select CRITICAL. The value is fixed as CRITICAL. |
| | Event Name | Select the event for which you want to send alert notifications. Valid values: ddosbgp_event_blackhole and ddosbgp_event_clean. |
| | Keyword Filtering | In the Keyword Filtering field, enter a keyword for filtering and select a match condition from the Condition drop-down list. Valid values: Contains any of the keywords (if the alert rule contains any one of the specified keywords, no alert notifications are sent); Does not contain any of the keywords (if the alert rule does not contain any one of the specified keywords, no alert notifications are sent). |
| | SQL Filter | Specify the SQL statements that are used for filtering. |
| | Resource Range | Select the range of the resources to which the event-triggered alert rule is applied. Select All Resources. All Resources: CloudMonitor sends alert notifications for all resource-related events based on your configurations. Application Groups: CloudMonitor sends alert notifications only for events that are related to the resources in the specified application group. |
| Notification Method | Alert Contact Group | Select the alert contact groups to which alert notifications are sent. |
| | Alert Notification | Specify the severity level and notification method of the event alert. Valid values: Critical (Email + Webhook), Warning (Email + Webhook), Info (Email + Webhook). |
| | Message Queue, Function Compute, URL Callback, and Simple Log Service | You do not need to specify these parameters. |
| | Mute For | Select the period during which an alert is muted. This parameter specifies the interval at which an alert notification is sent to the specified contacts again if the alert is not cleared. |
Configure alert notifications in Simple Log Service (supported for Anti-DDoS Origin)
After you enable the mitigation logs feature, you can query and analyze the service traffic and mitigation logs of an Anti-DDoS Origin instance. You can also create custom alert rules for specific service metrics based on the analysis results. If the service metrics for the Anti-DDoS Origin instance are abnormal, Simple Log Service sends alert notifications at the earliest opportunity.
Log on to the Traffic Security console.
In the left-side navigation pane, choose .
In the top navigation bar, select the resource group to which the instance belongs and the region in which the instance resides.
Anti-DDoS Origin 1.0 (Subscription) instance: Select the region in which the instance resides.
Anti-DDoS Origin 2.0 (Subscription) instance and Anti-DDoS Origin 2.0 (Pay-as-you-go) instance: Select All Regions.
Activate Simple Log Service as prompted and complete Resource Access Management (RAM) authorization. Skip this step if Simple Log Service is activated and authorization is complete.
Enable the mitigation logs feature for the instance. Skip this step if the feature is enabled.
On the Mitigation Logs page, select the required instance and click Upgrade Now.
On the Upgrade/Downgrade page, set Mitigation Logs to On. Then, read and select Terms of Service.
Click Buy Now and then click Subscribe to enable the mitigation logs feature for the instance.
Configure an alert monitoring rule for the instance.
On the Mitigation Logs page, select the required instance and click the icon in the upper-right corner.
In the Alert Monitoring Rule panel, configure the parameters.
Parameter
Description
Rule Name
Specify a name for the alert monitoring rule.
Check Frequency
Specify the frequency at which query and analysis results are checked.
Hourly: Query and analysis results are checked every hour.
Daily: Query and analysis results are checked at a specified point in time every day.
Weekly: Query and analysis results are checked at a specified point in time on a specified day of each week.
Fixed Interval: Query and analysis results are checked at a specified interval.
Cron: Query and analysis results are checked at an interval that is specified by a cron expression. A cron expression can specify an interval that is accurate to the minute. The cron expression is based on the 24-hour clock. For example, 0 0/1 * * * indicates that query and analysis results are checked at an interval of 1 hour from 00:00.
Query Statistics
Click the input box. In the Query Statistics dialog box, configure information about a query statement.
Associated Report: Select DDoS BGP Events Report or DDoS Scrubbing Analysis Report.
Advanced Settings: Use the default settings. By default, Logstore is selected.
Group Evaluation
Simple Log Service can group query and analysis results. For more information, see Use the group evaluation feature. Valid values:
No Grouping: Only one alert is triggered in each check period when the trigger condition is met.
Custom Label: Simple Log Service groups query and analysis results based on the specified fields. After Simple Log Service groups the query and analysis results, Simple Log Service checks whether the query and analysis results in each group meet the trigger condition. If the query and analysis results in a group meet the trigger condition in a check period, an alert is triggered for that group.
Trigger Condition
Specify the trigger condition and severity level of an alert.
Trigger Condition
Data is returned: If data is returned in the query and analysis results, an alert is triggered.
the query result contains: If the query and analysis results contain N data entries, an alert is triggered.
data matches the expression: If the query and analysis results contain data that matches a specified expression, an alert is triggered.
the query result contains: If the query and analysis results contain N data entries that match a specified expression, an alert is triggered.
Severity: You can specify one trigger condition and specify a severity level for the condition. In this case, all alerts that are triggered based on the alert monitoring rule have the same severity level. You can also specify more than one trigger condition and specify different severity levels for each condition. You can click Create to specify additional trigger conditions.
Add Label
Simple Log Service allows you to add labels as identifying attributes to alerts. Labels are in the key-value pair format. This parameter is used to denoise alerts and manage alert notifications. You can add label-based conditions when you create an alert policy or an action policy. For more information, see Labels and annotations.
Add Annotation
Simple Log Service allows you to add annotations as non-identifying attributes to alerts. Annotations are key-value pairs. This parameter is used to denoise alerts and manage alert notifications. When you create an alert policy or an action policy, you can add annotation-based conditions. For more information, see Labels and annotations.
If you turn on Auto-Add Annotations, fields such as __count__ are automatically added to alerts. For more information, see Auto-Add switch.
Recovery Notifications
If you turn on Recovery Notifications, a recovery alert is triggered each time an alert is cleared. The severity level of a recovery alert is the same as the severity level of the alert for which the recovery alert is triggered.
Advanced Settings
Threshold of Continuous Triggers: If the number of consecutive times that the specified trigger condition is met reaches the value of this parameter, an alert is triggered. The system does not count the number of times when the specified trigger condition is not met.
No Data Alert: If you turn on No Data Alert, an alert is triggered when the number of times that no data is returned exceeds the value of Threshold of Continuous Triggers. If multiple query statements are executed, the number of times is counted based on the associated query and analysis results of the query statements. For more information, see No-data alert.
Alert Policy
Alert policies are used to merge, silence, and inhibit alerts.
If you select Simple Mode or Standard Mode, you do not need to configure alert policies. In this case, Simple Log Service uses the built-in alert policy sls.builtin.dynamic to manage alerts by default.
If you select Advanced Mode, you can select a built-in or custom alert policy to manage alerts. For more information about how to create an alert policy, see Create an alert policy.
Action Group
Alert sets are sent in an alert template to recipients based on specified periods of time by using specified notification methods.
Action Group is required only if you set Alert Policy to Simple Mode.
You can also turn on Enable Intelligent Merging to group and merge alerts that are duplicate, redundant, or relevant. Only one alert notification is sent for all alerts in a group in a specified period of time. This helps denoise alerts. For more information, see Intelligent grouping and merging of alerts.
Action Policy
Action policies are used to manage alert notification methods and the frequency at which alert notifications are sent.
If you set the Alert Policy parameter to Standard Mode or Advanced Mode, you can select a built-in action policy or a custom action policy to send alert notifications. For more information about how to create an action policy, see Create an action policy.
If you set the Alert Policy parameter to Advanced Mode, you can turn on or turn off Custom Action Policy. For more information, see Dynamic action policy mechanism.
Repeat Interval
If duplicate alerts are triggered in the specified period of time, the action policy that you select is executed only once and Simple Log Service sends only one alert notification.
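To make the interplay of Threshold of Continuous Triggers, No Data Alert, Recovery Notifications and Repeat Interval concrete, here is an added state-machine model of one alert monitoring rule. It is not Simple Log Service code: the exact semantics it encodes (a non-matching check resets the consecutive count, the trigger condition is "Data is returned", repeat suppression is measured in check periods) are assumptions made for the example.

```python
"""Alert-state model for the Simple Log Service parameters above (Threshold of
Continuous Triggers, No Data Alert, Recovery Notifications, Repeat Interval).
Added example, not Simple Log Service code; its exact semantics are assumptions."""
from typing import List, Optional, Tuple

class AlertState:
    def __init__(self, continuous_threshold: int = 1, no_data_alert: bool = False,
                 recovery_notifications: bool = True, repeat_interval: int = 3):
        self.threshold = continuous_threshold    # Threshold of Continuous Triggers
        self.no_data_alert = no_data_alert       # No Data Alert switch
        self.recovery = recovery_notifications   # Recovery Notifications switch
        self.repeat_interval = repeat_interval   # checks to wait before re-notifying
        self.met_streak = self.nodata_streak = 0 # consecutive matches / empty results
        self.active = False
        self.last_notified: Optional[int] = None

    def _notify(self, tick: int, kind: str) -> Optional[Tuple[int, str]]:
        # Repeat Interval: a duplicate inside the window is sent only once.
        if self.last_notified is not None and tick - self.last_notified < self.repeat_interval:
            return None
        self.last_notified = tick
        return (tick, kind)

    def check(self, tick: int, rows: Optional[int]) -> Optional[Tuple[int, str]]:
        """One check period ('Data is returned' condition); rows=None means no data."""
        if rows is None:
            self.nodata_streak, self.met_streak = self.nodata_streak + 1, 0
            if self.no_data_alert and self.nodata_streak > self.threshold:
                return self._notify(tick, "no-data")
            return None
        self.nodata_streak = 0
        if rows > 0:
            self.met_streak += 1
            if self.met_streak >= self.threshold:
                self.active = True
                return self._notify(tick, "alert")
            return None
        self.met_streak = 0  # assumption: a miss resets the consecutive count
        if self.active:
            self.active, self.last_notified = False, None  # next fresh alert sends at once
            if self.recovery:  # recovery alert carries the same severity as the alert
                return (tick, "recovery")
        return None

def run_scenario(rows_per_check: List[Optional[int]], **rule) -> List[Tuple[int, str]]:
    """Feed a series of query results through one rule and collect what it sends."""
    state = AlertState(**rule)
    sent = [state.check(tick, rows) for tick, rows in enumerate(rows_per_check)]
    return [e for e in sent if e is not None]
```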