Monitoring Azure DDoS Protection Mitigation Triggers
In today’s digital landscape, Distributed Denial of Service (DDoS) attacks pose a significant threat to the availability and performance of online services. Azure DDoS Protection provides robust mechanisms to protect your applications and services against such attacks. In this blog post, we’ll explore how to monitor Azure DDoS Protection metrics for public IPs and demonstrate how to fully utilize the available metrics to monitor your public IPs for DDoS attacks.
Understanding Public IP and Azure DDoS Protection Metrics
Azure DDoS Protection offers a variety of metrics that provide insights into potential threats targeting your resources. Additionally, there are public IP platform metrics that we can leverage for monitoring traffic patterns. These metrics are accessible through Azure Monitor and can be used to set up alerts and automated responses. Key metrics include:
| Metric Name | Description | Unit | Aggregation Type |
| --- | --- | --- | --- |
| BytesDroppedDDoS | Inbound bytes dropped by the DDoS mitigation system | BytesPerSecond | Maximum |
| BytesForwardedDDoS | Inbound bytes forwarded by the DDoS mitigation system | BytesPerSecond | Maximum |
| BytesInDDoS | Total inbound bytes processed by the DDoS mitigation system | BytesPerSecond | Maximum |
| DDoSTriggerSYNPackets | Inbound SYN packets triggering DDoS mitigation | CountPerSecond | Maximum |
| DDoSTriggerTCPPackets | Inbound TCP packets triggering DDoS mitigation | CountPerSecond | Maximum |
| DDoSTriggerUDPPackets | Inbound UDP packets triggering DDoS mitigation | CountPerSecond | Maximum |
| IfUnderDDoSAttack | Indicates if the Public IP resource is under a DDoS attack | Count | Maximum |
| PacketsDroppedDDoS | Inbound packets dropped by the DDoS mitigation system | CountPerSecond | Maximum |
| PacketsForwardedDDoS | Inbound packets forwarded by the DDoS mitigation system | CountPerSecond | Maximum |
| PacketsInDDoS | Total inbound packets processed by the DDoS mitigation system | CountPerSecond | Maximum |
| TCPBytesDroppedDDoS | Inbound TCP bytes dropped by the DDoS mitigation system | BytesPerSecond | Maximum |
| TCPBytesForwardedDDoS | Inbound TCP bytes forwarded by the DDoS mitigation system | BytesPerSecond | Maximum |
| TCPBytesInDDoS | Total inbound TCP bytes processed by the DDoS mitigation system | BytesPerSecond | Maximum |
| TCPPacketsDroppedDDoS | Inbound TCP packets dropped by the DDoS mitigation system | CountPerSecond | Maximum |
| TCPPacketsForwardedDDoS | Inbound TCP packets forwarded by the DDoS mitigation system | CountPerSecond | Maximum |
| TCPPacketsInDDoS | Total inbound TCP packets processed by the DDoS mitigation system | CountPerSecond | Maximum |
| Byte count | Total number of bytes transmitted within the time period | Bytes | Total |
| SYN Count | Total number of SYN packets transmitted within the time period | Count | Total |
| Packet count | Total number of packets transmitted within the time period | Count | Total |
Note: In this table, the aggregation labeled 'Total' represents the sum of all values recorded during the aggregation interval; it is also known as the Sum aggregation. For more details, see Azure Monitor metrics aggregation and display explained - Azure Monitor | Microsoft Learn.
These metrics provide a comprehensive view of the traffic patterns and potential threats targeting your Azure resources, enabling you to set up effective monitoring and mitigation strategies. For this blog post, I will focus on three specific metrics: “DDoSTriggerSYNPackets”, “SYN Count”, and “IfUnderDDoSAttack” to monitor the DDoS SYN packets threshold.
Steps to Monitor Public IP Metrics
- Navigate to Azure Monitor: Sign in to the Azure portal and go to Azure Monitor.
- Select Metrics: In the Azure Monitor menu, select “Metrics.”
- Choose Scope: Select the scope by choosing the subscription and the specific public IP address you want to monitor.
- Add Metric: Click on “Add metric” and select the desired metric, such as “DDoSTriggerSYNPackets.”
- Set Aggregation Type: Choose the aggregation type.
Understanding Traffic Thresholds
When monitoring your traffic, it’s crucial to understand the threshold set by Azure DDoS protection auto-tuning. How do you compare your real traffic to this threshold to determine if you are close to or far from it? Additionally, it’s important to assess if the threshold is suitable for your environment and downstream architecture.
To do this, you can add the metric “DDoSTriggerSYNPackets” to your public IP metrics and then add “SYN Count” to the same chart. This comparison helps you understand how your real traffic measures up against the threshold. However, a challenge arises because the aggregations used for these metrics are Max and Sum. The Max aggregation for “DDoSTriggerSYNPackets” shows only the maximum data point in an interval, while the Sum aggregation for “SYN Count” sums up all data points in the interval. This discrepancy can result in a chart that is not informative.
Understanding Sum and Max Aggregation
Sum Aggregation:
- Definition: Sum adds up all values within a time range.
- Use Case: Ideal for finding total values, such as the total number of requests or bytes.
- Example: If TCP packets per minute are [50, 60, 45, 55, 40], the sum for 5 minutes is: 50 + 60 + 45 + 55 + 40 = 250.
Max Aggregation:
- Definition: Max picks the highest value within the time range.
- Use Case: Useful for identifying peaks, such as highest CPU usage or maximum response time.
- Example: Using the same data, the max aggregation gives: Max = 60 packets.
Summary
- Sum Aggregation: Shows total values over time.
- Max Aggregation: Shows the highest point during the time period.
Currently, there is no way to correlate these two metrics 100%. However, the closest approach is to use the Avg aggregation for the “SYN Count” metric and decrease the interval to 5 or 1 minute to get data that is as accurate as possible. The Avg aggregation provides the average of all data points in the specific interval. The smaller the interval, the more closely it correlates to the Max aggregation of the threshold.
By changing the aggregation to Avg, you will see in the chart below how the data correlation becomes more accurate.
As you can see in the chart, there is minimal traffic for most of the day. However, we observe two sudden spikes, which are typically indicative of DDoS attacks. In this chart, these spikes have exceeded our threshold of 20k PPS (Packets per second).
Note: Since the time grain for these metrics is PT1M, meaning the metric is sampled every minute, you can obtain the packets per second value by dividing the datapoint value by 60. For more information about the resource metric, see Monitoring data reference for Public IP addresses | Microsoft Learn
To confirm whether Azure DDoS protection initiated mitigation, we will add another chart using the metric “IfUnderDDoSAttack”. This metric has only two values:
- 0: No active DDoS mitigation
- 1: Active DDoS mitigation
Below, you will see how both charts confirm this.
As you can see in the charts, DDoS mitigation was active exactly when the amount of SYN traffic exceeded the threshold at both times, effectively spotting the DDoS attack.
Configuring Alerts
Now that you have a good understanding of DDoS protection metrics, you can also set up an alert based on your metrics. A useful metric for configuring an alert is “IfUnderDDoSAttack”. Here’s how to do it:
- On your chart with the “IfUnderDDoSAttack” metric, click on New alert rule.
- Keep the signal name as “Under DDoS attack or not”.
- Select Maximum for the aggregation type.
- Choose “Greater than or equal to” for the operator.
- Select Count as the unit.
- Set the threshold value to “1” (since the values are only 0 and 1, where 1 indicates active DDoS mitigation).
- Click Next and under the Actions tab, choose how you want to be notified (this depends on your organization’s preference).
- Click on Review + create.
With this alert, you will be notified when there is active DDoS mitigation. Another useful alert is for the “SYN Count” metric. While the previous alert notifies you of a DDoS attack, in some cases, you may want to receive an alert even before the threshold is met, notifying you of a spike in traffic.
Setting Up a Preemptive Alert
Using similar steps as before, you can create an alert for the “SYN Count” metric:
- On your chart with the “SYN Count” metric, click on New alert rule.
- Keep the signal name as “SYN Count Alert”.
- Select Average for the aggregation type.
- Choose Greater than for the operator.
- Select Count as the unit.
- Set the threshold value based on the average traffic you see in the chart, choosing a value lower than the DDoS threshold. This way, you will be aware when traffic starts to increase suddenly and can prepare for a potential DDoS attack.
- Click Next and under the Actions tab, choose how you want to be notified.
- Click on Review + create.
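To make the threshold comparison and the two alert rules concrete, here is an added worked example (my own code, not from the original post or from Azure). It assumes constructed one-minute samples of the three metrics the post uses, converts the PT1M "SYN Count" total to packets per second by dividing by 60 as the note above describes, flags the minutes that exceed the DDoSTriggerSYNPackets threshold, checks that IfUnderDDoSAttack lines up with them, and evaluates the "IfUnderDDoSAttack >= 1" and preemptive "SYN Count" average alerts over a five-minute window; the 2,000 PPS preemptive threshold is an assumed value chosen below the DDoS threshold.

```python
from statistics import mean

# Constructed sample (not real telemetry): eight one-minute samples (time grain
# PT1M) for one public IP, laid out as Azure Monitor would return them.
#   syn_count  -> 'SYN Count', Total per minute (unit: Count)
#   trigger    -> 'DDoSTriggerSYNPackets', Maximum (unit: CountPerSecond)
#   under_ddos -> 'IfUnderDDoSAttack', 0 = no mitigation, 1 = active mitigation
SAMPLES = [
    (12_000, 20_000, 0),
    (15_000, 20_000, 0),
    (18_000, 20_000, 0),
    (900_000, 20_000, 0),    # spike starts: 15k PPS, still under the threshold
    (2_400_000, 20_000, 1),  # 40k PPS: threshold exceeded, mitigation active
    (2_100_000, 20_000, 1),  # 35k PPS: still mitigating
    (30_000, 20_000, 0),
    (14_000, 20_000, 0),
]

def syn_pps(syn_count_per_minute):
    """Convert a PT1M 'SYN Count' total to packets per second (divide by 60)."""
    return syn_count_per_minute / 60

def aggregate(values, kind):
    """Azure Monitor style aggregation over one interval: Sum, Max or Avg."""
    return {"Sum": sum, "Max": max, "Avg": mean}[kind](values)

def minutes_over_threshold(samples):
    """Indices of minutes where observed SYN PPS exceeds DDoSTriggerSYNPackets."""
    return [i for i, (syn, trig, _) in enumerate(samples) if syn_pps(syn) > trig]

def mitigation_matches_threshold(samples):
    """True when IfUnderDDoSAttack is 1 for exactly the minutes over threshold."""
    over = set(minutes_over_threshold(samples))
    flagged = {i for i, (_, _, under) in enumerate(samples) if under == 1}
    return over == flagged

def evaluate_alerts(samples, window=5, preemptive_pps=2_000):
    """Evaluate the post's two alert rules over the last `window` minutes:
    - 'IfUnderDDoSAttack', Maximum aggregation, >= 1  -> active mitigation
    - 'SYN Count', Average aggregation, > preemptive  -> traffic spike
    `preemptive_pps` is an assumed value set below the DDoS threshold."""
    recent = samples[-window:]
    ddos_alert = aggregate([u for _, _, u in recent], "Max") >= 1
    avg_pps = syn_pps(aggregate([s for s, _, _ in recent], "Avg"))
    return {"ddos_mitigation": ddos_alert,
            "traffic_spike": avg_pps > preemptive_pps,
            "avg_syn_pps": round(avg_pps, 1)}
```

Replace SAMPLES with values pulled from Azure Monitor at PT1M grain to run the same checks against your own public IP.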
Conclusion
Monitoring Azure DDoS Protection metrics is crucial for maintaining the availability and performance of your applications. By charting the “SYN Count” metric with Average aggregation alongside the “DDoSTriggerSYNPackets” metric with Maximum aggregation, you can effectively monitor your resources against DDoS attacks. Stay vigilant and proactive in your DDoS protection strategy to ensure uninterrupted service delivery.
Resources
Monitoring Azure DDoS Protection | Microsoft Learn
Azure DDoS Protection Overview | Microsoft Learn
Tutorial: Configure Azure DDoS Protection metric alerts through portal | Microsoft Learn
Supported metrics - Microsoft.Network/publicIPAddresses | Microsoft Learn