All Products
Search
Document Center

Anti-DDoS:Configure alert notifications for DDoS attack events

Last Updated:Dec 05, 2024

After you configure alert notifications, Alibaba Cloud notifies you of the most recent DDoS attack events that occur on your workloads. This way, you can handle exceptions and recover workloads at the earliest opportunity. This topic describes how to configure alert notifications for DDoS attack events.

Alert notification channels

Anti-DDoS Origin supports the following alert notification channels: Message Center, CloudMonitor, and Simple Log Service. You can select an alert notification channel based on your business requirements.

Comparison item

Message Center

CloudMonitor

Simple Log Service

Supported editions of Anti-DDoS Origin instances

Anti-DDoS Basic

Anti-DDoS Origin

Anti-DDoS Origin

Anti-DDoS Origin

Scenarios

General alerting scenarios in which you need to only be notified of attacks

General alerting scenarios in which you need to only be notified of attacks

General alerting scenarios in which you can use simple filter conditions to send alert notifications of important events

Enterprise-level alerting scenarios in which you can configure items such as service metrics, alert policies, notification methods, and content and generate statistical reports based on different combinations of the items

Configuration complexity

Low

Low

Medium

High

Flexibility

Low

Alerts can be reported at the beginning and end of an event.

Low

Alerts can be reported at the beginning and end of an event.

Medium

Alerts can be reported at the beginning and end of a filtered important event.

High

Alerts can be reported at the beginning and end of an event based on traffic thresholds or on a combination of conditions.

Notification methods

Email

Email

  • Text message

  • Email

  • Voice call

  • Webhook

  • Text message

  • Email

  • Voice call

  • Webhook

Reliability and timeliness

The reliability and timeliness cannot be ensured. If a large number of highly concurrent requests are sent, rate limiting may be triggered.

Note

We recommend that you deploy a self-managed traffic monitoring system. For example, you can monitor sudden increases and decreases in the number of requests that are sent to IP addresses of specific assets. You can also use external tools to check whether IP addresses of specific assets can be accessed.

The reliability is high. An alert notification is sent within 5 minutes after the alert is generated.

The reliability is high. An alert notification is sent 5 to 10 minutes after the alert is generated.

The reliability is high. An alert notification is sent 5 to 10 minutes after the alert is generated.

Configure alert notifications in Message Center (supported for Anti-DDoS Basic and Anti-DDoS Origin)

Message Center is a message notification service that is provided for Alibaba Cloud accounts. You can use Message Center to configure different types of notifications for Alibaba Cloud services.

  1. Log on to the Message Center console.

  2. On the Common Settings page, specify the Email notification method.

    1. In the left-side navigation pane, choose Message Settings > Common Settings.

    2. In the Product Message section of the Common Settings page, select Security Notice. Then, select Email.

    3. In the lower part of the page, click Add Message Recipient. In the Modify Contact dialog box, select or specify contacts. Then, click Save.

Configure alert notifications in CloudMonitor (supported for Anti-DDoS Origin)

CloudMonitor is a service that monitors resources and Internet applications. You can configure CloudMonitor to monitor blackhole filtering events and traffic scrubbing events that occur on an Anti-DDoS Origin instance. When DDoS attack events occur, Alibaba Cloud sends alert notifications to the contacts in the selected contact group.

  1. Log on to the CloudMonitor console.
  2. Create an alert contact. If you have created an alert contact, skip this step.

    1. In the left-side navigation pane, choose Alerts > Alert Contacts.

    2. On the Alert Contacts tab, click Create Alert Contact. In the Set Alert Contact panel, configure the parameters, drag the slider to complete verification, and then click OK.

  3. Create an alert group. If you have created an alert group, skip this step.

    Note

    CloudMonitor sends alert notifications only to an alert contact group. You can add one or more alert contacts to an alert contact group.

    1. In the left-side navigation pane, choose Alerts > Alert Contacts.

    2. On the Alert Contact Group tab, click Create Alert Contact Group. In the Create Alert Contact Group panel, configure the parameters, select contacts, and then click Confirm.

  4. In the left-side navigation pane, choose Event Center > System Event. Then, click Save as Alert Rule.

  5. In the Create/Modify Event-triggered Alert Rule panel, configure the parameters and click OK.

    Section

    Parameter

    Description

    Basic Info

    Alert Rule Name

    Enter a name for the alert rule.

    Event-triggered Alert Rules

    Product Type

    Select ddosbgp.

    Event Type

    Select the type of event for which you want to send alert notifications. Select DDoS Attacks.

    Event Level

    Select the severity level of the event for which you want to send alert notifications. Select CRITICAL. The value is fixed as CRITICAL.

    Event Name

    Select the event for which you want to send alert notifications. Valid values: ddosbgp_event_blackhole and ddosbgp_event_clean.

    Keyword Filtering

    In the Keyword Filtering field, enter a keyword for filtering and select a match condition from the Condition drop-down list. Valid values:

    • Contains any of the keywords: If the alert rule contains any one of the specified keywords, no alert notifications are sent.

    • Does not contain any of the keywords: If the alert rule does not contain any one of the specified keywords, no alert notifications are sent.

    SQL Filter

    Specify the SQL statements that are used for filtering.

    Resource Range

    Select the range of the resources to which the event-triggered alert rule is applied. Select All Resources.

    • All Resources: CloudMonitor sends alert notifications for all resource-related events based on your configurations.

    • Application Groups: CloudMonitor sends alert notifications only for events that are related to the resources in the specified application group.

    Notification Method

    Alert Contact Group

    Select the alert contact groups to which alert notifications are sent.

    Alert Notification

    Specify the severity level and notification method of the event alert. Valid values:

    • Critical (Email + Webhook)

    • Warning (Email + Webhook)

    • Info (Email +Webhook)

    Message Queue, Function Compute, URL Callback, and Simple Log Service

    You do not need to specify these parameters.

    Mute For

    Select the period during which an alert is muted. This parameter specifies the interval at which an alert notification is sent to the specified contacts again if the alert is not cleared.

Configure alert notifications in Simple Log Service (supported for Anti-DDoS Origin)

After you enable the mitigation logs feature, you can query and analyze the service traffic and mitigation logs of an Anti-DDoS Origin instance. You can also create custom alert rules for specific service metrics based on the analysis results. If the service metrics for the Anti-DDoS Origin instance are abnormal, Simple Log Service sends alert notifications at the earliest opportunity.

  1. Log on to the Traffic Security console.

  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Mitigation Logs.

  3. In the top navigation bar, select the resource group to which the instance belongs and the region in which the instance resides.

    • Anti-DDoS Origin 1.0 (Subscription) instance: Select the region in which the instance resides.

    • Anti-DDoS Origin 2.0 (Subscription) instance and Anti-DDoS Origin 2.0 (Pay-as-you-go) instance: Select All Regions.

  4. Activate Simple Log Service as prompted and complete Resource Access Management (RAM) authorization. Skip this step if Simple Log Service is activated and authorization is complete.

  5. Enable the mitigation logs feature for the instance. Skip this step if the feature is enabled.

    1. On the Mitigation Logs page, select the required instance and click Upgrade Now.

    2. On the Upgrade/Downgrade page, set Mitigation Logs to On. Then, read and select Terms of Service.

    3. Click Buy Now and then click Subscribe to enable the mitigation logs feature for the instance.

  6. Configure an alert monitoring rule for the instance.

    1. On the Mitigation Logs page, select the required instance and click the image icon in the upper-right corner.

    2. In the Alert Monitoring Rule panel, configure the parameters.

      Parameter

      Description

      Rule Name

      Specify a name for the alert monitoring rule.

      Check Frequency

      Specify the frequency at which query and analysis results are checked.

      • Hourly: Query and analysis results are checked every hour.

      • Daily: Query and analysis results are checked at a specified point in time every day.

      • Weekly: Query and analysis results are checked at a specified point in time on a specified day of each week.

      • Fixed Interval: Query and analysis results are checked at a specified interval.

      • Cron: Query and analysis results are checked at an interval that is specified by a cron expression. A cron expression can specify an interval that is accurate to the minute. The cron expression is based on the 24-hour clock. For example, 0 0/1 * * * indicates that query and analysis results are checked at an interval of 1 hour from 00:00.

      Query Statistics

      Click the input box. In the Query Statistics dialog box, configure information about a query statement.

      • Associated Report: Select DDoS BGP Events Report or DDoS Scrubbing Analysis Report.

      • Advanced Settings: Use the default settings. By default, Logstore is selected.

      Group Evaluation

      Simple Log Service can group query and analysis results. For more information, see Use the group evaluation feature. Valid values:

      • No Grouping: Only one alert is triggered in each check period when the trigger condition is met.

      • Custom Label: Simple Log Service groups query and analysis results based on the fields specified fields. After Simple Log Service groups the query and analysis results, Simple Log Service checks whether the query and analysis results in each group meet the trigger condition. If the query and analysis results in each group meet the trigger condition in each check period, an alert is triggered for each group.

      Trigger Condition

      Specify the trigger condition and severity level of an alert.

      • Trigger Condition

        • Data is returned: If data is returned in the query and analysis results, an alert is triggered.

        • the query result contains: If the query and analysis results contain N data entries, an alert is triggered.

        • data matches the expression: If the query and analysis results contain data that matches a specified expression, an alert is triggered.

        • the query result contains: If the query and analysis results contain N data entries that match a specified expression, an alert is triggered.

      • Severity: You can specify one trigger condition and specify a severity level for the condition. In this case, all alerts that are triggered based on the alert monitoring rule have the same severity level. You can also specify more than one trigger condition and specify different severity levels for each condition. You can click Create to specify additional trigger conditions.

      Add Label

      Simple Log Service allows you to add labels as identifying attributes to alerts. Labels are in the key-value pair format. This parameter is used to denoise alerts and manage alert notifications. You can add label-based conditions when you create an alert policy or an action policy. For more information, see Labels and annotations.

      Add Annotation

      Simple Log Service allows you to add annotations as non-identifying attributes to alerts. Annotations are key-value pairs. This parameter is used to denoise alerts and manage alert notifications. When you create an alert policy or an action policy, you can add annotation-based conditions. For more information, see Labels and annotations.

      If you turn on Auto-Add Annotations, fields such as __count__ are automatically added to alerts. For more information, see Auto-Add switch.

      Recovery Notifications

      If you turn on Recovery Notifications, a recovery alert is triggered each time an alert is cleared. The severity level of a recovery alert is the same as the severity level of the alert for which the recovery alert is triggered.

      Advanced Settings

      • Threshold of Continuous Triggers: If the number of consecutive times that the specified trigger condition is met reaches the value of this parameter, an alert is triggered. The system does not count the number of times when the specified trigger condition is not met.

      • No Data Alert: If you turn on No Data Alert, an alert is triggered when the number of times that no data is returned exceeds the value of Threshold of Continuous Triggers. If multiple query statements are executed, the number of times is counted based on the associated query and analysis results of the query statements. For more information, see No-data alert.

      Alert Policy

      Alert policies are used to merge, silence, and inhibit alerts.

      • If you select Simple Mode or Standard Mode, you do not need to configure alert policies. In this case, Simple Log Service uses the built-in alert policy sls.builtin.dynamic to manage alerts by default.

      • If you select Advanced Mode, you can select a built-in or custom alert policy to manage alerts. For more information about how to create an alert policy, see Create an alert policy.

      Action Group

      Alert sets are sent in an alert template to recipients based on specified periods of time by using specified notification methods.

      If you set Alert Policy to Simple Mode, you must configure Action Group.

      Action Group is required only if you set Alert Policy to Simple Mode.

      You can also turn on Enable Intelligent Merging to group and merge alerts that are duplicate, redundant, or relevant. Only one alert notification is sent for all alerts in a group in a specified period of time. This helps denoise alerts. For more information, see Intelligent grouping and merging of alerts.

      Action Policy

      Action policies are used to manage alert notification methods and the frequency at which alert notifications are sent.

      If you set the Alert Policy parameter to Standard Mode or Advanced Mode, you can select a built-in action policy or a custom action policy to send alert notifications. For more information about how to create an action policy, see Create an action policy.

      If you set the Alert Policy parameter to Advanced Mode, you can turn on or turn off Custom Action Policy. For more information, see Dynamic action policy mechanism.

      Repeat Interval

      If duplicate alerts are triggered in the specified period of time, the action policy that you select is executed only once and Simple Log Service sends only one alert notification.