Home NewsX Monitoring Azure DDoS Protection Mitigation Triggers

Monitoring Azure DDoS Protection Mitigation Triggers

by info.odysseyx@gmail.com
0 comment 4 views


Azure DDoS Protection Mitigation Trigger Monitoring

In today’s digital environment, distributed denial of service (DDoS) attacks pose a significant threat to the availability and performance of online services. Azure DDoS Protection provides a powerful mechanism to protect your applications and services from these attacks. In this blog post, we will look at how to monitor Azure DDoS Protection metrics for public IPs and show you how to make the most of the available metrics to monitor your public IPs for DDoS attacks.

Understanding Public IPs and Azure DDoS Protection Metrics

Azure DDoS Protection provides a variety of metrics that provide insight into potential threats targeting your resources. There are also public IP platform metrics that you can leverage to monitor traffic patterns. These metrics are accessible through Azure Monitor and can be used to set up alerts and automatic responses. Key metrics include:

Metric Name

explanation

unit

Aggregation type

BytesDDoS Delete

Inbound bytes dropped by DDoS mitigation system

bytes per second

best

BytesForwardedDDoS

Inbound bytes delivered by DDoS mitigation system

bytes per second

best

Bytes of DDoS

Total inbound bytes processed by the DDoS mitigation system

bytes per second

best

DDoSTriggerSYN packet

Inbound SYN packets that trigger DDoS mitigation

counts per second

best

DDoSTriggerTCP packet

Inbound TCP packets that trigger DDoS mitigation

counts per second

best

DDoSTriggerUDP packet

Inbound UDP packets that trigger DDoS mitigation

counts per second

best

IfUnderDDoSAttack

Indicates whether a public IP resource is under a DDoS attack.

count

best

Packet Dropping DDoS

Inbound packets dropped by the DDoS mitigation system

counts per second

best

Packet forwarding DDoS

Inbound packets delivered by the DDoS mitigation system

counts per second

best

Packet-based DDoS

Total inbound packets processed by the DDoS mitigation system

counts per second

best

TCP ByteDropDDoS

Inbound TCP bytes dropped by DDoS mitigation system

bytes per second

best

TCPBytesForwardedDDoS

Inbound TCP bytes delivered by DDoS mitigation system

bytes per second

best

TCP ByteInDDoS

Total inbound TCP bytes processed by the DDoS mitigation system

bytes per second

best

TCP Packet Dropping DDoS

Inbound TCP packets dropped by the DDoS mitigation system

counts per second

best

TCP Packet Forwarding DDoS

Inbound TCP packets delivered by the DDoS mitigation system

counts per second

best

TCP packet DDoS

Total inbound TCP packets processed by the DDoS mitigation system

counts per second

best

Number of bytes

Total number of bytes transferred within a time period

byte

gun

SYN count

Total number of SYN packets transmitted within a time period.

count

gun

Number of packets

Total number of packets transmitted within a specific period of time.

count

gun

memo: The aggregation labeled ‘Total’ in this table represents the sum of all values ​​recorded during the aggregation interval. It is also called the Sum aggregation. For more information, see this Azure Monitor Metrics Aggregation and Display Explained – Azure Monitor | Microsoft Learn

These metrics provide a comprehensive view of traffic patterns and potential threats targeting your Azure resources, allowing you to establish effective monitoring and mitigation strategies. In this blog post, we will focus on three specific metrics. “DDoSTriggerSYNPackets”, “SYN count”and “If there is a DDoSAttack” Monitors DDoS SYN packet thresholds.

Steps to monitor public IP metrics

  1. Go to Azure Monitor: Sign in to the Azure Portal and navigate to Azure Monitor.
  2. Select Metric: From the Azure Monitor menu, select “Metrics.”
  3. Select a range: Select a range by selecting the subscription and specific public IP addresses you want to monitor.
  4. Add metrics: Click “Add Metric” and select the desired metric, such as “DDoSTriggerSYNPackets”.
  5. Set the aggregation type: Select the aggregation type.

Understanding Traffic Thresholds

When monitoring traffic, it is important to understand the thresholds set by Azure DDoS Protection Auto-Tuning. How can you compare your actual traffic to these thresholds to determine if you are close to the threshold? It is also important to evaluate whether the thresholds are appropriate for your environment and downstream architecture.

You can add metrics for this. “DDoSTriggerSYNPackets” Then add it to your public IP metrics “SYN count” On the same chart. This comparison helps us understand how real traffic measures up against the threshold. However, the problem arises because the aggregations used in these metrics are maximum and sum. Maximum aggregate For ~ “DDoSTriggerSYNPackets” While only the maximum data point in the interval is displayed, Total aggregation For ~ “SYN count” Sum all data points in the interval. This discrepancy can result in charts that lack information.

Salem_Bish_4-1727194016486.png

Understanding Sum and Max Aggregations

Total Aggregation:

  • definition: Sum adds all values ​​within a time range.
  • Use Cases: Ideal for finding total values, such as total number of requests or number of bytes.
  • yes: TCP packets per minute [50, 60, 45, 55, 40]The sum for 5 minutes is 50 + 60 + 45 + 55 + 40 = 250.

Maximum aggregate:

  • definition: Max selects the highest value within the time range.
  • Use Cases: Useful for identifying peaks such as highest CPU usage or maximum response times.
  • yes: When using the same data, the maximum aggregation is: Max = 60 requests.

summation

  • Total aggregation: Shows the total value over time.
  • Maximum aggregate: Shows the highest point during the period.

There is currently no way to 100% correlate these two indicators, but the closest thing you can get is to use: Average Aggregation For “SYN count” Use metrics and reduce the interval to 5 minutes or 1 minute to get the most accurate data possible. The Avg aggregation provides the average of all data points in a given interval. The smaller the interval, the more closely it can be correlated to the maximum aggregation of the threshold.

If we change the aggregation to Avg, we can see in the chart below how much more accurate the data correlation becomes.

Salembiciu_5-1727194051687.png

As you can see from the chart, traffic is minimal most of the day. However, two sudden spikes were observed, indicating DDoS attacks. In this chart, these spikes exceeded the threshold of 20k PPS (packets per second).

memo: Since the time unit for these metrics is PT1M, the metrics are sampled every minute, so you can divide the data point value by 60 to get the packets per second value. For more information about resource metrics, see: See monitoring data for public IP addresses | Microsoft Learn

Add another chart with metrics to verify that Azure DDoS protection has started mitigating. “If there is a DDoSAttack”. This metric has only two values:

  • 0: No active DDoS mitigation
  • 1: Active DDoS Mitigation

Let’s look at how the two charts below confirm this.

Salem_Bish_6-1727194105352.png

As you can see from the chart, the DDoS mitigation feature was activated exactly when the amount of synchronized traffic exceeded the threshold both times, effectively detecting the DDoS attack.

Configure Notifications

Now that you have a good understanding of DDoS protection metrics, you can also set up alerts based on them. Some useful metrics to set up alerts for include: “If there is a DDoSAttack”. Here’s how:

  1. On the chart with the “IfUnderDDoSAttack” metric, click New Alert Rule.
  2. Keep the signal name as “Is Under DDoS Attack?”
  3. Select Maximum as the Aggregation Type.
  4. Select “greater than or equal to” as the operator.
  5. Select ‘Quantity’ as the unit.
  6. Set the threshold to “1”. (since the values ​​are only 0 and 1, 1 indicates active DDoS mitigation).
  7. Click Next and in the Actions tab, choose how you want to be notified. (This will depend on your organization’s preferences).
  8. Click Review + Create.

Salembiciu_8-1727194153612.png

This notification will notify you when there is an active DDoS mitigation. Other useful notifications include: “SYN count” Metrics. Previous alerts will notify you of a DDoS attack, but in some cases you may want to receive an alert that notifies you of a spike in traffic before your threshold is reached.

Set up advance warning

You can create a notification using similar steps as before. “SYN count” Metric:

  1. In the chart with the “SYN Count” metric, click New Notification Rule.
  2. Keep the signal name as “SYN Count Alert”.
  3. Select Average as the aggregation type.
  4. Select ‘greater than’ for the operator.
  5. Select ‘Quantity’ as the unit.
  6. Set thresholds based on the average traffic displayed in the chart.Choose a value that is lower than your DDoS threshold. This will help you to know when traffic starts to increase suddenly and prepare for a potential DDoS attack.
  7. Click Next and in the Actions tab, choose how you want to be notified..
  8. Click Review + Create.

conclusion

Monitoring Azure DDoS protection metrics is critical to maintaining the availability and performance of your applications. By leveraging the SYN Count metric with average aggregation and triggering DDoS mitigation with maximum aggregation using TCP SYN packets, you can effectively monitor your resources against DDoS attacks. Be vigilant and proactive in your DDoS protection strategy to ensure uninterrupted service delivery.

resources

Azure DDoS Protection Monitoring | Microsoft Learn

Azure DDoS Protection Overview | Microsoft Learn

Tutorial: Configure Azure DDoS Protection Metric Alerts via the Portal | Microsoft Learn

Supported Metrics – Microsoft.Network/publicIPAddresses | Microsoft Learn

Public IP Address Monitoring | Microsoft Learn





Source link

You may also like

Leave a Comment

Our Company

Welcome to OdysseyX, your one-stop destination for the latest news and opportunities across various domains.

Newsletter

Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Laest News

@2024 – All Right Reserved. Designed and Developed by OdysseyX