
Anti-DDoS: Use the alert monitoring feature of CloudMonitor

Last Updated: Dec 05, 2024

Anti-DDoS Proxy is integrated with the alert monitoring feature of CloudMonitor. You can configure alert rules and real-time dashboards in the CloudMonitor console. After you configure an alert rule, CloudMonitor reports an alert when the rule is triggered. This way, you can handle exceptions and recover your business at the earliest opportunity. You can also view the monitoring details in real-time dashboards and troubleshoot exceptions. This topic describes how to configure alert rules and real-time dashboards.

Background information

CloudMonitor is a service that monitors Internet applications and Alibaba Cloud resources. For more information, see What is CloudMonitor?

Anti-DDoS Proxy (Chinese Mainland) and Anti-DDoS Proxy (Outside Chinese Mainland) are integrated with the alert monitoring feature of CloudMonitor. You can configure alert notifications and real-time dashboards for the following events in the CloudMonitor console.

| Event name | Event type | Description |
| --- | --- | --- |
| IP address traffic alert, Connection alerts, QPS alerts, Status code alerts | Service metric monitoring and alerting | After you configure an alert rule for a service metric, CloudMonitor reports an alert notification when the rule is triggered. This way, you can handle exceptions and recover your business at the earliest opportunity. |
| Alerts for DDoS blackhole filtering events, Alerts for DDoS mitigation events | Event monitoring and alerting | After you configure an alert rule for an event, CloudMonitor notifies you when the rule is triggered. This way, you can handle exceptions and recover your business at the earliest opportunity. The event that occurred on your Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance can be a blackhole filtering event, traffic scrubbing event, event of HTTP flood attacks at Layer 4, or event of HTTP flood attacks at Layer 7. |
| DDoS monitor dashboard | Real-time dashboard | CloudMonitor provides the dashboard feature. You can customize the monitoring data that is displayed on a dashboard and view the monitoring data on the dashboard. You can aggregate monitoring data of different services and instances that run the same type of workloads by using one dashboard. You can configure a real-time dashboard for Anti-DDoS Proxy (Chinese Mainland) and Anti-DDoS Proxy (Outside Chinese Mainland) in the CloudMonitor console. Then, you can monitor workloads of Anti-DDoS Proxy in a visualized and comprehensive manner. |

CloudMonitor provides the following metrics for Anti-DDoS Proxy.

| Metric | Dimension | Unit |
| --- | --- | --- |
| Out_Traffic | Instance or IP address | bit/s |
| In_Traffic | Instance or IP address | bit/s |
| Back_Traffic (traffic that is scrubbed by Anti-DDoS Proxy and is forwarded to the origin server) | Instance or IP address | bit/s |
| AttackTraffic | Instance or IP address | bit/s |
| Active_connection | Instance or IP address | Count |
| Inactive_connection | Instance or IP address | Count |
| New_connection | Instance or IP address | Count |
| QPS | Domain name | Count/second |
| qps_ratio_down | Domain name | % |
| qps_ratio_up | Domain name | % |
| resp200 | Domain name | Count |
| resp2xx (Note: This metric covers status codes 201 to 299.) | Domain name | Count |
| resp2xx_ratio | Domain name | % |
| resp3xx | Domain name | Count |
| resp3xx_ratio | Domain name | % |
| resp404 | Domain name | Count |
| resp404_ratio | Domain name | % |
| resp4xx (Note: This metric covers status codes from 400 to 499, excluding 403, 404, and 405.) | Domain name | Count |
| resp4xx_ratio | Domain name | % |
| resp5xx (Note: This metric covers status codes from 500 to 599, excluding 500, 502, 503, and 504.) | Domain name | Count |
| resp5xx_ratio | Domain name | % |
| upstream_resp2xx | Domain name | Count |
| upstream_resp2xx_ratio | Domain name | % |
| upstream_resp3xx | Domain name | Count |
| upstream_resp3xx_ratio | Domain name | % |
| upstream_resp404 | Domain name | Count |
| upstream_resp404_ratio | Domain name | % |
| upstream_resp4xx | Domain name | Count |
| upstream_resp4xx_ratio | Domain name | % |
| upstream_resp5xx | Domain name | Count |
| upstream_resp5xx_ratio | Domain name | % |

Prerequisites

An Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance is purchased. For more information, see Purchase an Anti-DDoS Proxy instance.

Procedure

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.

  3. In the left-side navigation pane, choose Investigation > CloudMonitor Alerts.

  4. On the CloudMonitor Alerts page, find the event for which you want to configure an alert rule and click CloudMonitor Notification in the Interaction Configuration column.

    | Event name | Procedure |
    | --- | --- |
    | Traffic Alerts by IP Address, Connection Alerts, QPS Alerts, and Alerts on Status Codes | In the CloudMonitor console, create a threshold-triggered alert rule for Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland). For more information, see Configure event monitoring and alerting. |
    | Alerts on Blackhole Filtering Events and Alerts on Scrubbing Events | In the CloudMonitor console, create an event-triggered alert rule for Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland). For more information, see Configure event monitoring and alerting. |
    | DDoS Dashboard | In the CloudMonitor console, create a real-time dashboard and charts for Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland). For more information, see Configure a real-time dashboard. |

Configure service metric monitoring and alerting

  1. In the CloudMonitor console, create an alert contact. If you have created an alert group, skip this step.

    1. In the left-side navigation pane, choose Alerts > Alert Contacts.

    2. On the Alert Contacts tab, click Create Alert Contact.

    3. In the Set Alert Contact panel, configure the parameters, drag the slider to complete verification, and then click OK.

  2. Create an alert contact group. If you have created an alert group, skip this step.

    Note

    CloudMonitor sends alert notifications only to alert contact groups. You can add one or more alert contacts to an alert contact group.

    1. In the left-side navigation pane, choose Alerts > Alert Contacts.
    2. On the Alert Contact Group tab, click Create Alert Contact Group.

    3. In the Create Alert Contact Group panel, configure the Group Name parameter. Select the alert contact that you created from the Existing Contacts section and add the contact to the Selected Contacts section. Then, click Confirm.

  3. Create one or more threshold-triggered alert rules.

    1. In the left-side navigation pane, choose Alerts > Alert Rules.

    2. On the Alert Rules page, click Create Alert Rule.

    3. In the Create Alert Rule panel, configure the parameters and click Confirm.

      Parameter

      Description

      Product Type

      Select Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland).

      Resource Range

      The range of the resources to which the alert rule applies. Valid values:

      • All Resources: The alert rule applies to all resources of the specified cloud service.

      • Application Groups: The alert rule applies to all resources in the specified application group of the specified cloud service.

      • Instances: The alert rule applies to the specified resources of the specified cloud service.

      Rule Description

      The content of the alert rule. The parameters in this section specify the conditions that trigger an alert. To specify the rule description, perform the following steps:

      1. Click Add Rule and select a metric type from the drop-down list.

      2. In the Configure Rule Description panel, enter a rule name in the Alert Rule field and configure the Metric Type parameter. Valid values of the Metric Type parameter:

        • Simple Metric: Select a metric and set the threshold and alert level for the metric.

        • Combined Metrics: Select an alert level and specify alert conditions for two or more metrics in the Multi-metric Alert Condition section.

          Note

          If a multi-metric alert rule is configured, the desired resource must have data on each metric. An alert can be triggered only if the related conditions are met. For example, if a multi-metric alert rule includes Internet metrics but the ECS instance is not configured with an elastic IP address (EIP), alerts cannot be triggered.

        • Expression: Select an alert level and then configure an alert expression.

        • Dynamic Threshold: For more information about dynamic thresholds, see Overview and Create dynamic threshold-triggered alert rules.

          Note

          The dynamic threshold feature is in invitational preview. To use the feature, you must submit a ticket.

      3. Click OK.

      Note

      For more information about how to specify complex alert conditions, see Alert rule expressions.

      Mute For

      The interval at which CloudMonitor resends alert notifications before an alert is cleared. Valid values: 5 Minutes, 15 Minutes, 30 Minutes, 60 Minutes, 3 Hours, 6 Hours, 12 Hours, and 24 Hours.

      If a metric value reaches the threshold, CloudMonitor sends an alert notification. If the metric value reaches the threshold again within the mute period, CloudMonitor does not resend an alert notification. If the alert is not cleared after the mute period ends, CloudMonitor resends an alert notification.

      For example, if the Mute For parameter is set to 12 Hours and the alert is not cleared, CloudMonitor resends an alert notification after 12 hours.

      Effective Period

      The period during which the alert rule is effective. CloudMonitor sends alert notifications based on the alert rule only within the effective period.

      Note

      If an alert rule is not effective, no alert notification is sent. However, the alert history is still displayed on the Alert History page.

      Alert Contact Group

      Select the alert contact groups to which you want to send alert notifications.

      Tag

      The tag of the alert rule. A tag consists of a tag key and a tag value.

      Note

      You can set a maximum of six tags.

      Alert Callback

      The callback URL that can be accessed over the Internet. CloudMonitor sends HTTP POST requests to push alert notifications to the specified URL. Only HTTP requests are supported. For more information about how to configure alert callback, see Use the alert callback feature to send notifications about threshold-triggered alerts.

      To test the connectivity of an alert callback URL, perform the following steps:

      1. Click Test next to the callback URL.

        In the Webhook Test panel, you can check and troubleshoot the connectivity of the alert callback URL based on the returned status code and test result details.

        Note

        To obtain the details of the test result, configure the Test Template Type and Language parameters and click Test.

      2. Click Close.

      Note

      You can click Advanced Settings to configure this parameter.

      Auto Scaling, Log Service, SMQ, Function Compute

      You do not need to specify these parameters. For more information, see Create an alert rule.
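
The Mute For behaviour described above decides how many notifications a sustained or repeated threshold breach produces. The following Python sketch is an added example, not Alibaba Cloud code: it models the three Mute For sentences read literally, and the sample values, the threshold and the assumption that a cleared alert does not restart the mute timer are all constructed for illustration.

```python
from datetime import datetime, timedelta

MUTE_15_MIN = timedelta(minutes=15)   # two of the Mute For values on this page
MUTE_3_HOURS = timedelta(hours=3)


def notifications(samples, threshold, mute_for):
    """Return the timestamps at which a notification is sent.

    samples: (timestamp, value) pairs in time order, one per evaluation.
    A sample at or above the threshold notifies unless the previous
    notification is less than mute_for old. A clear in between does not
    restart the timer (assumption of this model).
    """
    sent = []
    for ts, value in samples:
        if value >= threshold and (not sent or ts - sent[-1] >= mute_for):
            sent.append(ts)
    return sent


# Constructed In_Traffic samples (bit/s), one every 5 minutes:
# wave 1 for 30 minutes, quiet for 30 minutes, wave 2 for 20 minutes.
START = datetime(2024, 12, 5, 0, 0)
HIGH, LOW = 8_000_000_000, 200_000_000
VALUES = [HIGH] * 6 + [LOW] * 6 + [HIGH] * 4
SAMPLES = [(START + i * timedelta(minutes=5), v) for i, v in enumerate(VALUES)]
THRESHOLD = 5_000_000_000  # constructed threshold: 5 Gbit/s


def minutes_from_start(times):
    """Express notification times as minutes after the first sample."""
    return [int((t - START).total_seconds() // 60) for t in times]


if __name__ == "__main__":
    for label, mute in (("15 Minutes", MUTE_15_MIN), ("3 Hours", MUTE_3_HOURS)):
        sent = notifications(SAMPLES, THRESHOLD, mute)
        print(f"Mute For {label}: notified at minute {minutes_from_start(sent)}")
```

In this model, a Mute For value of 3 Hours produces one notification for the first wave and none for the second wave that starts at minute 60, which is worth weighing when you pick a long mute period for traffic alerts.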

Configure event monitoring and alerting

  1. In the CloudMonitor console, create an alert contact. If you have created an alert group, skip this step.

    1. In the left-side navigation pane, choose Alerts > Alert Contacts.

    2. On the Alert Contacts tab, click Create Alert Contact.

    3. In the Set Alert Contact panel, configure the parameters, drag the slider to complete verification, and then click OK.

  2. Create an alert contact group. If you have created an alert group, skip this step.

    Note

    CloudMonitor sends alert notifications only to alert contact groups. You can add one or more alert contacts to an alert contact group.

    1. In the left-side navigation pane, choose Alerts > Alert Contacts.
    2. On the Alert Contact Group tab, click Create Alert Contact Group.

    3. In the Create Alert Contact Group panel, configure the Group Name parameter. Select the alert contact that you created from the Existing Contacts section and add the contact to the Selected Contacts section. Then, click Confirm.

  3. Create one or more event-triggered alert rules.

    1. In the left-side navigation pane, choose Event Center > System Event.

    2. On the Event Monitoring tab, click Old Event Alarm Rules in the upper-right corner and then click Create Alert Rule.

    3. In the Create/Modify Event-triggered Alert Rule panel, configure the parameters and click OK.

      Section

      Parameter

      Description

      Basic Info

      Alert Rule Name

      Enter a name for the alert rule.

      Event-triggered Alert Rules

      Product Type

      Select Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland).

      Event Type

      Select the type of event for which you want to send alert notifications. Valid values:

      • DDoS Blackhole Filtering: blackhole filtering events

      • DDoS Traffic Scrubbing: traffic scrubbing events

      • Layer 4 Flood Attack: events of flood attacks at Layer 4

      • Layer 7 HTTP Flood Attack: events of HTTP flood attacks at Layer 7

      Event Level

      Select the level of event for which you want to send alert notifications. Only CRITICAL is supported for the preceding types of events.

      Event Name

      Select the event for which you want to send alert notifications. The valid values of this parameter vary based on the value of the Event Type parameter. The following list describes the events of each event type:

      • Blackhole filtering events: ddosdip_event_blackhole_add or ddoscoo_event_blackhole_add and ddosdip_event_blackhole_end or ddoscoo_event_blackhole_end

      • Traffic scrubbing events: ddosdip_event_defense_add or ddoscoo_event_defense_add and ddosdip_event_defense_end or ddoscoo_event_defense_end

      • Events of flood attacks at Layer 4: ddosdip_event_cc4_add or ddoscoo_event_cc4_add and ddosdip_event_cc4_end or ddoscoo_event_cc4_end

      • Events of HTTP flood attacks at Layer 7: ddosdip_event_cc7_add or ddoscoo_event_cc7_add and ddosdip_event_cc7_end or ddoscoo_event_cc7_end

      Keyword Filtering

      The keywords that are used to filter the alert rule. Valid values:

      • Contains any of the keywords: If the alert rule contains any one of the specified keywords, CloudMonitor sends an alert notification.

      • Does not contain any of the keywords: If the alert rule does not contain any one of the specified keywords, CloudMonitor sends an alert notification.

      Note

      For more information about how to view the content of an event, see View system events.

      SQL Filter

      The SQL statement that is used to filter the alert rule.

      You can use the "and" and "or" operators. For example, if you set this parameter to "Warn and i-hp368focau7dp0hw****", CloudMonitor sends alert notifications only when the event content contains the instance i-hp368focau7dp0hw**** and the alert level Warn.

      Resource Range

      Select All Resources.

      Notification Method

      Alert Contact Group

      Select the alert contact groups to which you want to send alert notifications.

      Alert Notification

      Specify the severity level and notification method of the event alert. Valid values:

      • Critical (Email + Webhook)

      • Warning (Email + Webhook)

      • Info (Email + Webhook)

      Simple Message Queue (formerly MNS), Function Compute, URL Callback, Log Service

      You do not need to specify these parameters. For more information, see Manage system event-triggered alert rules (previous version).

      Mute For

      Specify the period during which an alert is muted. This parameter specifies the interval at which an alert notification is sent to the specified contacts again if the alert is not cleared.

  4. Optional. Query the events that recently occurred on Anti-DDoS Proxy in the CloudMonitor console.

    1. On the Event Monitoring tab of the System Event page, select Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland), specify the event type and the time range, and then click Search.

    2. In the event list, click Details in the Actions column to view the details of an event.
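
Each event type above has an `_add` event and an `_end` event, so events that you query or receive can be paired to measure how long a resource stayed in blackhole filtering or scrubbing and to spot events that have not ended yet. The following Python sketch is an added example, not Alibaba Cloud code: the event names come from this page, while the `(time, name, resource)` record shape and the sample events are constructed for illustration.

```python
from datetime import datetime

# Event-name fragments from this page, mapped to the Event Type they belong to.
EVENT_TYPES = {
    "blackhole": "DDoS Blackhole Filtering",
    "defense": "DDoS Traffic Scrubbing",
    "cc4": "Layer 4 Flood Attack",
    "cc7": "Layer 7 HTTP Flood Attack",
}
PREFIXES = ("ddosdip_event_", "ddoscoo_event_")


def parse_name(name):
    """'ddoscoo_event_cc7_add' -> ('cc7', 'add'); None for any other name."""
    for prefix in PREFIXES:
        if name.startswith(prefix):
            kind, _, phase = name[len(prefix):].rpartition("_")
            if kind in EVENT_TYPES and phase in ("add", "end"):
                return kind, phase
    return None


def pair_events(events):
    """Match each *_add with the next *_end for the same resource and type.

    events: (iso_time, name, resource) tuples (constructed shape, not
    CloudMonitor's schema). Returns (closed, still_open).
    """
    started, closed = {}, []
    for iso_time, name, resource in sorted(events):
        parsed = parse_name(name)
        if parsed is None:
            continue
        kind, phase = parsed
        ts = datetime.fromisoformat(iso_time)
        if phase == "add":
            started.setdefault((resource, kind), ts)  # keep earliest start
        elif (resource, kind) in started:
            seconds = int((ts - started.pop((resource, kind))).total_seconds())
            closed.append((resource, EVENT_TYPES[kind], seconds))
    still_open = sorted((r, EVENT_TYPES[k]) for r, k in started)
    return closed, still_open


EVENTS = [  # constructed sample events, documentation-range IP addresses
    ("2024-12-05T10:00:00", "ddoscoo_event_defense_add", "203.0.113.10"),
    ("2024-12-05T10:02:30", "ddoscoo_event_blackhole_add", "203.0.113.10"),
    ("2024-12-05T10:32:30", "ddoscoo_event_blackhole_end", "203.0.113.10"),
    ("2024-12-05T10:40:00", "ddoscoo_event_defense_end", "203.0.113.10"),
    ("2024-12-05T11:00:00", "ddosdip_event_cc7_add", "198.51.100.7"),
]

if __name__ == "__main__":
    print(pair_events(EVENTS))
```

An entry in `still_open` means an `_add` event arrived without a matching `_end`, so the corresponding attack or mitigation is still in progress for that resource in the sample data.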

Configure a real-time dashboard

  1. In the left-side navigation pane of the CloudMonitor console, click Dashboard.

  2. On the Custom Dashboard page, click Add Dashboard.

  3. In the Add Dashboard Group dialog box, specify a dashboard name and click Confirm.

    After the dashboard is created, you can view the dashboard on the Custom Dashboard tab.

  4. Click the name of the dashboard and click Add View. In the Add Chart panel, configure a chart.

    1. Select a chart type. The following chart types are supported: Line, Area, Table, Heat Map, and Pie Chart.

    2. Configure one or more metrics. Click the Dashboards tab and select Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland). Then, configure the Metric Name and Resource parameters.

      • Metric Name: Select the metrics that you want to monitor.

      • Resource: Select Apply Group, Cloud product instance, or Monitoring Instance based on your business requirements. Then, select the Anti-DDoS Proxy instance and the IP address of the asset that you want to monitor.

      Note

      Click Add Metric if you want to add more metrics.

    3. Click OK to create the chart.

    You can repeat the preceding steps to add more charts to the dashboard.