# Monitoring Azure DDoS Protection Mitigation Triggers

by info.odysseyx@gmail.com, September 24, 2024

In today's digital environment, distributed denial of service (DDoS) attacks pose a significant threat to the availability and performance of online services. Azure DDoS Protection provides a powerful mechanism to protect your applications and services from these attacks. In this blog post we look at how to monitor Azure DDoS Protection metrics for public IPs and show how to make the most of the available metrics to watch your public IPs for DDoS attacks.

## Understanding public IPs and Azure DDoS Protection metrics

Azure DDoS Protection exposes a variety of metrics that give insight into potential threats targeting your resources. There are also public IP platform metrics that you can use to monitor traffic patterns. These metrics are accessible through Azure Monitor and can be used to set up alerts and automatic responses. Key metrics include:

| Metric name | Description | Unit | Aggregation type |
| --- | --- | --- | --- |
| BytesDroppedDDoS | Inbound bytes dropped by the DDoS mitigation system | Bytes per second | Max |
| BytesForwardedDDoS | Inbound bytes forwarded by the DDoS mitigation system | Bytes per second | Max |
| BytesInDDoS | Total inbound bytes processed by the DDoS mitigation system | Bytes per second | Max |
| DDoSTriggerSYNPackets | Inbound SYN packets that trigger DDoS mitigation | Count per second | Max |
| DDoSTriggerTCPPackets | Inbound TCP packets that trigger DDoS mitigation | Count per second | Max |
| DDoSTriggerUDPPackets | Inbound UDP packets that trigger DDoS mitigation | Count per second | Max |
| IfUnderDDoSAttack | Whether the public IP resource is under a DDoS attack | Count | Max |
| PacketsDroppedDDoS | Inbound packets dropped by the DDoS mitigation system | Count per second | Max |
| PacketsForwardedDDoS | Inbound packets forwarded by the DDoS mitigation system | Count per second | Max |
| PacketsInDDoS | Total inbound packets processed by the DDoS mitigation system | Count per second | Max |
| TCPBytesDroppedDDoS | Inbound TCP bytes dropped by the DDoS mitigation system | Bytes per second | Max |
| TCPBytesForwardedDDoS | Inbound TCP bytes forwarded by the DDoS mitigation system | Bytes per second | Max |
| TCPBytesInDDoS | Total inbound TCP bytes processed by the DDoS mitigation system | Bytes per second | Max |
| TCPPacketsDroppedDDoS | Inbound TCP packets dropped by the DDoS mitigation system | Count per second | Max |
| TCPPacketsForwardedDDoS | Inbound TCP packets forwarded by the DDoS mitigation system | Count per second | Max |
| TCPPacketsInDDoS | Total inbound TCP packets processed by the DDoS mitigation system | Count per second | Max |
| ByteCount | Total number of bytes transmitted within a time period | Bytes | Total |
| SynCount | Total number of SYN packets transmitted within a time period | Count | Total |
| PacketCount | Total number of packets transmitted within a time period | Count | Total |

Note: the aggregation labeled "Total" in this table is the sum of all values recorded during the aggregation interval; it is also called the Sum aggregation. For more information, see Azure Monitor Metrics Aggregation and Display Explained – Azure Monitor | Microsoft Learn.

These metrics give a comprehensive view of traffic patterns and potential threats targeting your Azure resources, allowing you to establish effective monitoring and mitigation strategies. In this blog post we focus on three metrics, DDoSTriggerSYNPackets, SynCount and IfUnderDDoSAttack, to monitor the DDoS SYN packet threshold.

## Steps to monitor public IP metrics

1. Go to Azure Monitor: sign in to the Azure Portal and navigate to Azure Monitor.
2. Select Metrics: from the Azure Monitor menu, select "Metrics".
3. Select a scope: choose the subscription and the specific public IP addresses you want to monitor.
4. Add metrics: click "Add metric" and select the desired metric, such as "DDoSTriggerSYNPackets".
5. Set the aggregation type: select the aggregation type.

## Understanding traffic thresholds

When monitoring traffic, it is important to understand the thresholds set by Azure DDoS Protection auto-tuning. How do you compare your actual traffic to these thresholds to determine whether you are close to them? It is also important to evaluate whether the thresholds are appropriate for your environment and downstream architecture. To do this, add the "DDoSTriggerSYNPackets" metric and then add the "SynCount" public IP metric to the same chart. This comparison helps you see how real traffic measures up against the threshold.

However, a problem arises because the aggregations used for these metrics are Max and Sum. The Max aggregation for "DDoSTriggerSYNPackets" shows only the highest data point in the interval, while the Total aggregation for "SynCount" adds up all data points in the interval. This discrepancy can produce charts that tell you very little.

## Understanding Sum and Max aggregations

Total (Sum) aggregation:

- Definition: Sum adds all values within a time range.
- Use cases: ideal for totals, such as the total number of requests or number of bytes.
- Example: TCP packets per minute [50, 60, 45, 55, 40]; the sum over 5 minutes is 50 + 60 + 45 + 55 + 40 = 250.

Max aggregation:

- Definition: Max selects the highest value within the time range.
- Use cases: useful for identifying peaks, such as the highest CPU usage or the maximum response time.
- Example: using the same data, the Max aggregation is 60.

Summary:

- Total aggregation shows the total value over the period.
- Max aggregation shows the highest point during the period.
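To make the aggregation comparison concrete, here is an added example (not code from the original post) that aggregates constructed per-minute SynCount samples with Sum, Max and Avg over 5-minute and 1-minute intervals, converts the average to packets per second (PT1M sampling, so divide by 60), and applies the two alert conditions the post configures later (IfUnderDDoSAttack >= 1, and SynCount average above a lower early-warning value). The 20k PPS trigger comes from the post's chart; the sample data, the 5k PPS early-warning value and the simplified "under attack" model are assumptions.

```python
"""Added example (not from the original post): Sum, Max and Avg aggregation
of per-minute SynCount samples compared against a per-second
DDoSTriggerSYNPackets threshold, plus the two alert conditions."""
from statistics import mean

# Constructed sample data: SynCount has a PT1M time grain, so each value is
# the number of SYN packets seen on the public IP during one minute.
SYN_COUNT_PER_MINUTE = [
    6_000, 6_600, 5_400, 6_000, 5_400,             # quiet, ~100 SYN/s
    6_000, 5_700, 900_000, 2_400_000, 2_100_000,   # spike, 15k to 40k SYN/s
    6_300, 6_000, 5_100, 6_000, 6_600,             # quiet again
]
TRIGGER_SYN_PPS = 20_000    # DDoSTriggerSYNPackets is count/sec; 20k as in the chart
EARLY_WARNING_PPS = 5_000   # assumed value "lower than the DDoS threshold"

def windows(samples, size):
    """Slice PT1M samples into consecutive aggregation intervals."""
    return [samples[i:i + size] for i in range(0, len(samples), size)]

def per_second(count_per_minute):
    """Convert a per-minute count into packets per second (divide by 60)."""
    return count_per_minute / 60

def aggregate(window):
    """Sum and Max of the raw samples, and Avg expressed in packets/sec.
    Only avg_pps shares a unit with the per-second trigger threshold."""
    return {"sum": sum(window), "max": max(window),
            "avg_pps": per_second(mean(window))}

def under_attack(window):
    """Simplified model of IfUnderDDoSAttack (an assumption, not Azure's
    auto-tuning logic): 1 if any minute exceeds the trigger rate, else 0."""
    return int(any(per_second(v) > TRIGGER_SYN_PPS for v in window))

def evaluate_alerts(samples, size=5):
    """Apply the post's two alert rules to each interval:
    max(IfUnderDDoSAttack) >= 1 and avg(SynCount) in PPS > early threshold."""
    results = []
    for w in windows(samples, size):
        agg = aggregate(w)
        agg["mitigation_alert"] = under_attack(w) >= 1
        agg["early_warning"] = agg["avg_pps"] > EARLY_WARNING_PPS
        results.append(agg)
    return results

if __name__ == "__main__":
    for grain in (5, 1):   # compare a 5-minute and a 1-minute time grain
        for i, r in enumerate(evaluate_alerts(SYN_COUNT_PER_MINUTE, grain)):
            print(f"{grain}-minute window {i}: {r}")
```

With the 5-minute grain the attack interval averages to about 18k PPS, below the 20k trigger even though mitigation fires, while the 1-minute grain shows the 40k PPS peak and the 15k PPS ramp-up that only the early-warning rule catches. The Sum column (5.4 million) has no meaningful relation to a per-second threshold at all.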
There is currently no way to correlate these two metrics 100%, but the closest you can get is to use the Average aggregation for the "SynCount" metric and reduce the time grain to 5 minutes or 1 minute to get the most accurate data possible. The Avg aggregation gives the average of all data points in the interval; the smaller the interval, the more closely it correlates with the Max aggregation of the threshold. If we change the aggregation to Avg, the chart below shows how much more closely the data correlates.

As the chart shows, traffic is minimal for most of the day. However, two sudden spikes are visible, indicating DDoS attacks. In this chart, these spikes exceeded the threshold of 20k PPS (packets per second).

Note: because the time grain for these metrics is PT1M, the metrics are sampled every minute, so you can divide a data point value by 60 to get the packets-per-second value. For more information about resource metrics, see Monitoring data for public IP addresses | Microsoft Learn.

Add another chart with the "IfUnderDDoSAttack" metric to verify that Azure DDoS Protection has started mitigating. This metric has only two values:

- 0: no active DDoS mitigation
- 1: active DDoS mitigation

The two charts below confirm this. As the charts show, DDoS mitigation was activated exactly when the SYN traffic exceeded the threshold, both times, effectively detecting the DDoS attack.

## Configuring alerts

Now that you have a good understanding of the DDoS Protection metrics, you can also set up alerts based on them. A useful metric to alert on is "IfUnderDDoSAttack". Here's how:

1. On the chart with the "IfUnderDDoSAttack" metric, click New alert rule.
2. Keep the signal name as "Is Under DDoS Attack?".
3. Select Maximum as the aggregation type.
4. Select "Greater than or equal to" as the operator.
5. Select "Count" as the unit.
6. Set the threshold to 1 (since the only values are 0 and 1, a value of 1 indicates active DDoS mitigation).
7. Click Next and, in the Actions tab, choose how you want to be notified (this depends on your organization's preferences).
8. Click Review + create.

This alert notifies you whenever there is active DDoS mitigation.

Another useful alert uses the "SynCount" metric. The previous alert tells you about a DDoS attack, but in some cases you may want an alert on a spike in traffic before the threshold is reached.

## Setting up an early warning

You can create an alert on the "SynCount" metric with steps similar to the ones above:

1. On the chart with the "SynCount" metric, click New alert rule.
2. Keep the signal name as "SYN Count Alert".
3. Select Average as the aggregation type.
4. Select "Greater than" as the operator.
5. Select "Count" as the unit.
6. Set the threshold based on the average traffic shown in the chart, choosing a value lower than your DDoS threshold. This tells you when traffic starts to increase suddenly so you can prepare for a potential DDoS attack.
7. Click Next and, in the Actions tab, choose how you want to be notified.
8. Click Review + create.

## Conclusion

Monitoring Azure DDoS Protection metrics is critical to maintaining the availability and performance of your applications. By charting the SynCount metric with Average aggregation against the DDoSTriggerSYNPackets mitigation threshold with Max aggregation, you can effectively monitor your resources for DDoS attacks. Be vigilant and proactive in your DDoS protection strategy to ensure uninterrupted service delivery.
## Resources

- Azure DDoS Protection Monitoring | Microsoft Learn
- Azure DDoS Protection Overview | Microsoft Learn
- Tutorial: Configure Azure DDoS Protection Metric Alerts via the Portal | Microsoft Learn
- Supported Metrics – Microsoft.Network/publicIPAddresses | Microsoft Learn
- Public IP Address Monitoring | Microsoft Learn