Monitoring Azure DDoS Protection Mitigation Triggers

Azure DDoS Protection Mitigation Trigger Monitoring

In today’s digital environment, distributed denial of service (DDoS) attacks pose a significant threat to the availability and performance of online services. Azure DDoS Protection provides a powerful mechanism to protect your applications and services from these attacks. In this blog post, we will look at how to monitor Azure DDoS Protection metrics for public IPs and show you how to make the most of the available metrics to monitor your public IPs for DDoS attacks.

Understanding Public IPs and Azure DDoS Protection Metrics

Azure DDoS Protection provides a variety of metrics that provide insight into potential threats targeting your resources. There are also public IP platform metrics that you can leverage to monitor traffic patterns. These metrics are accessible through Azure Monitor and can be used to set up alerts and automatic responses. Key metrics include:

memo: The aggregation labeled ‘Total’ in this table represents the sum of all values ​​recorded during the aggregation interval. It is also called the Sum aggregation. For more information, see this Azure Monitor Metrics Aggregation and Display Explained – Azure Monitor | Microsoft Learn

These metrics provide a comprehensive view of traffic patterns and potential threats targeting your Azure resources, allowing you to establish effective monitoring and mitigation strategies. In this blog post, we will focus on three specific metrics. “DDoSTriggerSYNPackets”, “SYN count”and “If there is a DDoSAttack” Monitors DDoS SYN packet thresholds.

Steps to monitor public IP metrics

1. Go to Azure Monitor: Sign in to the Azure Portal and navigate to Azure Monitor.
2. Select Metric: From the Azure Monitor menu, select “Metrics.”
3. Select a range: Select a range by selecting the subscription and specific public IP addresses you want to monitor.
4. Add metrics: Click “Add Metric” and select the desired metric, such as “DDoSTriggerSYNPackets”.
5. Set the aggregation type: Select the aggregation type.

Understanding Traffic Thresholds

When monitoring traffic, it is important to understand the thresholds set by Azure DDoS Protection Auto-Tuning. How can you compare your actual traffic to these thresholds to determine if you are close to the threshold? It is also important to evaluate whether the thresholds are appropriate for your environment and downstream architecture.

You can add metrics for this. “DDoSTriggerSYNPackets” Then add it to your public IP metrics “SYN count” On the same chart. This comparison helps us understand how real traffic measures up against the threshold. However, the problem arises because the aggregations used in these metrics are maximum and sum. Maximum aggregate For ~ “DDoSTriggerSYNPackets” While only the maximum data point in the interval is displayed, Total aggregation For ~ “SYN count” Sum all data points in the interval. This discrepancy can result in charts that lack information.

Understanding Sum and Max Aggregations

Total Aggregation:

• definition: Sum adds all values ​​within a time range.
• Use Cases: Ideal for finding total values, such as total number of requests or number of bytes.
• yes: TCP packets per minute [50, 60, 45, 55, 40]The sum for 5 minutes is 50 + 60 + 45 + 55 + 40 = 250.

Maximum aggregate:

• definition: Max selects the highest value within the time range.
• Use Cases: Useful for identifying peaks such as highest CPU usage or maximum response times.
• yes: When using the same data, the maximum aggregation is: Max = 60 requests.

summation

• Total aggregation: Shows the total value over time.
• Maximum aggregate: Shows the highest point during the period.

There is currently no way to 100% correlate these two indicators, but the closest thing you can get is to use: Average Aggregation For “SYN count” Use metrics and reduce the interval to 5 minutes or 1 minute to get the most accurate data possible. The Avg aggregation provides the average of all data points in a given interval. The smaller the interval, the more closely it can be correlated to the maximum aggregation of the threshold.

If we change the aggregation to Avg, we can see in the chart below how much more accurate the data correlation becomes.

As you can see from the chart, traffic is minimal most of the day. However, two sudden spikes were observed, indicating DDoS attacks. In this chart, these spikes exceeded the threshold of 20k PPS (packets per second).

memo: Since the time unit for these metrics is PT1M, the metrics are sampled every minute, so you can divide the data point value by 60 to get the packets per second value. For more information about resource metrics, see: See monitoring data for public IP addresses | Microsoft Learn

Add another chart with metrics to verify that Azure DDoS protection has started mitigating. “If there is a DDoSAttack”. This metric has only two values:

• 0: No active DDoS mitigation
• 1: Active DDoS Mitigation

Let’s look at how the two charts below confirm this.

As you can see from the chart, the DDoS mitigation feature was activated exactly when the amount of synchronized traffic exceeded the threshold both times, effectively detecting the DDoS attack.

Configure Notifications

Now that you have a good understanding of DDoS protection metrics, you can also set up alerts based on them. Some useful metrics to set up alerts for include: “If there is a DDoSAttack”. Here’s how:

1. On the chart with the “IfUnderDDoSAttack” metric, click New Alert Rule.
2. Keep the signal name as “Is Under DDoS Attack?”
3. Select Maximum as the Aggregation Type.
4. Select “greater than or equal to” as the operator.
5. Select ‘Quantity’ as the unit.
6. Set the threshold to “1”. (since the values ​​are only 0 and 1, 1 indicates active DDoS mitigation).
7. Click Next and in the Actions tab, choose how you want to be notified. (This will depend on your organization’s preferences).
8. Click Review + Create.

This notification will notify you when there is an active DDoS mitigation. Other useful notifications include: “SYN count” Metrics. Previous alerts will notify you of a DDoS attack, but in some cases you may want to receive an alert that notifies you of a spike in traffic before your threshold is reached.

Set up advance warning

You can create a notification using similar steps as before. “SYN count” Metric:

1. In the chart with the “SYN Count” metric, click New Notification Rule.
2. Keep the signal name as “SYN Count Alert”.
3. Select Average as the aggregation type.
4. Select ‘greater than’ for the operator.
5. Select ‘Quantity’ as the unit.
6. Set thresholds based on the average traffic displayed in the chart.Choose a value that is lower than your DDoS threshold. This will help you to know when traffic starts to increase suddenly and prepare for a potential DDoS attack.
7. Click Next and in the Actions tab, choose how you want to be notified..
8. Click Review + Create.

conclusion

Monitoring Azure DDoS protection metrics is critical to maintaining the availability and performance of your applications. By leveraging the SYN Count metric with average aggregation and triggering DDoS mitigation with maximum aggregation using TCP SYN packets, you can effectively monitor your resources against DDoS attacks. Be vigilant and proactive in your DDoS protection strategy to ensure uninterrupted service delivery.

resources

Azure DDoS Protection Monitoring | Microsoft Learn

Azure DDoS Protection Overview | Microsoft Learn

Tutorial: Configure Azure DDoS Protection Metric Alerts via the Portal | Microsoft Learn

Supported Metrics – Microsoft.Network/publicIPAddresses | Microsoft Learn

Public IP Address Monitoring | Microsoft Learn