
Monitoring Azure DDoS Protection Mitigation Triggers

Distributed Denial of Service (DDoS) attacks are a persistent threat to the availability and performance of online services. Azure DDoS Protection provides mitigation for public IPs against such attacks, but mitigation only helps if you can see when it triggers and how close normal traffic comes to the trigger point. In this blog post, we explore the Azure DDoS Protection metrics available for public IPs and show how to use them to monitor your public IPs for DDoS attacks and to alert on mitigation.

 

Understanding Public IP and Azure DDoS Protection Metrics

Azure DDoS Protection offers a variety of metrics that provide insights into potential threats targeting your resources. Additionally, there are public IP platform metrics that we can leverage for monitoring traffic patterns. These metrics are accessible through Azure Monitor and can be used to set up alerts and automated responses. Key metrics include:

 

| Metric Name | Description | Unit | Aggregation Type |
|---|---|---|---|
| BytesDroppedDDoS | Inbound bytes dropped by the DDoS mitigation system | BytesPerSecond | Maximum |
| BytesForwardedDDoS | Inbound bytes forwarded by the DDoS mitigation system | BytesPerSecond | Maximum |
| BytesInDDoS | Total inbound bytes processed by the DDoS mitigation system | BytesPerSecond | Maximum |
| DDoSTriggerSYNPackets | Inbound SYN packets triggering DDoS mitigation | CountPerSecond | Maximum |
| DDoSTriggerTCPPackets | Inbound TCP packets triggering DDoS mitigation | CountPerSecond | Maximum |
| DDoSTriggerUDPPackets | Inbound UDP packets triggering DDoS mitigation | CountPerSecond | Maximum |
| IfUnderDDoSAttack | Indicates if the Public IP resource is under a DDoS attack | Count | Maximum |
| PacketsDroppedDDoS | Inbound packets dropped by the DDoS mitigation system | CountPerSecond | Maximum |
| PacketsForwardedDDoS | Inbound packets forwarded by the DDoS mitigation system | CountPerSecond | Maximum |
| PacketsInDDoS | Total inbound packets processed by the DDoS mitigation system | CountPerSecond | Maximum |
| TCPBytesDroppedDDoS | Inbound TCP bytes dropped by the DDoS mitigation system | BytesPerSecond | Maximum |
| TCPBytesForwardedDDoS | Inbound TCP bytes forwarded by the DDoS mitigation system | BytesPerSecond | Maximum |
| TCPBytesInDDoS | Total inbound TCP bytes processed by the DDoS mitigation system | BytesPerSecond | Maximum |
| TCPPacketsDroppedDDoS | Inbound TCP packets dropped by the DDoS mitigation system | CountPerSecond | Maximum |
| TCPPacketsForwardedDDoS | Inbound TCP packets forwarded by the DDoS mitigation system | CountPerSecond | Maximum |
| TCPPacketsInDDoS | Total inbound TCP packets processed by the DDoS mitigation system | CountPerSecond | Maximum |
| Byte count | Total number of bytes transmitted within the time period | Bytes | Total |
| SYN Count | Total number of SYN packets transmitted within the time period | Count | Total |
| Packet count | Total number of packets transmitted within the time period | Count | Total |

 

Note: In this table, the aggregation labeled 'Total' is the sum of all values recorded during the aggregation interval; Azure Monitor also calls it the Sum aggregation. The first sixteen rows are DDoS Protection metrics reported per public IP; the last three (Byte count, SYN Count, Packet count) are public IP platform metrics. For more details, see "Azure Monitor metrics aggregation and display explained" on Microsoft Learn.

 

Together these metrics give a comprehensive view of the traffic patterns and potential threats targeting your Azure resources, which lets you set up effective monitoring and mitigation. This post focuses on three of them: “DDoSTriggerSYNPackets”, “SYN Count” and “IfUnderDDoSAttack”, used together to monitor real SYN traffic against the SYN packet mitigation threshold.

 

Steps to Monitor Public IP Metrics

  1. Navigate to Azure Monitor: Sign in to the Azure portal and go to Azure Monitor.
  2. Select Metrics: In the Azure Monitor menu, select “Metrics.”
  3. Choose Scope: Select the scope by choosing the subscription and the specific public IP address you want to monitor.
  4. Add Metric: Click on “Add metric” and select the desired metric, such as “DDoSTriggerSYNPackets.”
  5. Set Aggregation Type: Choose the aggregation type.

 

Understanding Traffic Thresholds

When monitoring your traffic, it is important to understand the mitigation threshold that Azure DDoS Protection auto-tuning has set for each public IP. How does your real traffic compare with that threshold, and how much headroom is there before mitigation kicks in? It is equally important to assess whether the threshold is suitable for your environment and the downstream architecture behind the public IP.

To do this, add the metric “DDoSTriggerSYNPackets” to your public IP metrics chart and then add “SYN Count” to the same chart. A challenge arises because the two metrics use different aggregations and units. “DDoSTriggerSYNPackets” is reported in CountPerSecond with Max aggregation, which shows only the highest data point in each interval, while “SYN Count” is a per-minute Count with Sum aggregation, which adds up every data point in the interval. Plotted together as-is, the result is a chart that is not informative.

 

[Chart: DDoSTriggerSYNPackets (Max) plotted together with SYN Count (Sum); the mismatched aggregations make the comparison uninformative]

 

Understanding Sum and Max Aggregation

Sum Aggregation:

  • Definition: Sum adds up all values within a time range.
  • Use Case: Ideal for finding total values, such as the total number of requests or bytes.
  • Example: If TCP packets per minute are [50, 60, 45, 55, 40], the sum for 5 minutes is: 50 + 60 + 45 + 55 + 40 = 250.

Max Aggregation:

  • Definition: Max picks the highest value within the time range.
  • Use Case: Useful for identifying peaks, such as highest CPU usage or maximum response time.
  • Example: Using the same data, the max aggregation gives: Max = 60 requests.

Summary

  • Sum Aggregation: Shows total values over time.
  • Max Aggregation: Shows the highest point during the time period.

 

Currently, there is no way to correlate these two metrics exactly. The closest approach is to use the Avg aggregation for the “SYN Count” metric and shrink the chart interval to 5 or 1 minutes. Avg returns the mean of the data points in each interval, so at a 1-minute interval (equal to the metric's PT1M time grain) every point on the chart is a single per-minute SYN total, and the series tracks the Max-aggregated threshold point for point instead of accumulating across a long interval.

With the aggregation changed to Avg, the chart below shows how much more closely the two series line up.

 

 

[Chart: DDoSTriggerSYNPackets (Max) plotted together with SYN Count (Avg) at a 1-minute interval; two spikes exceed the 20k PPS threshold]

 

As you can see in the chart, there is minimal traffic for most of the day. However, we observe two sudden spikes, which are typically indicative of DDoS attacks. In this chart, these spikes have exceeded our threshold of 20k PPS (Packets per second).

 

Note: The time grain for these metrics is PT1M, meaning one data point per minute, so a “SYN Count” data point is a per-minute total. Divide it by 60 to obtain packets per second and compare it with the CountPerSecond threshold. For more information about the resource metrics, see Monitoring data reference for Public IP addresses | Microsoft Learn.

 

To confirm whether Azure DDoS protection initiated mitigation, we will add another chart using the metric “IfUnderDDoSAttack”. This metric has only two values:

  • 0: No active DDoS mitigation
  • 1: Active DDoS mitigation

Below, you will see how both charts confirm this.

 

[Chart: IfUnderDDoSAttack (Max) showing the value 1 during both traffic spikes]

 

As the charts show, DDoS mitigation was active exactly when the SYN traffic exceeded the threshold, at both spikes, so the mitigation system detected the attack as expected.
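The same comparison can be done numerically rather than by eye. The following script is an added example, not code from the original post: it joins per-minute data points for “SYN Count”, “DDoSTriggerSYNPackets” and “IfUnderDDoSAttack”, converts the per-minute SYN total to packets per second, reports how close each minute came to the threshold, and lists minutes where the traffic comparison and the mitigation flag disagree. The data points are constructed; their field names follow the shape Azure Monitor returns for a PT1M time grain ("total" for a Sum/Total series, "maximum" for a Max series).

```python
"""Compare observed SYN traffic on a public IP with the auto-tuned
DDoSTriggerSYNPackets threshold, then check the result against
IfUnderDDoSAttack.

Added example, not code from the original post. All data points below
are constructed.
"""

TIME_GRAIN_SECONDS = 60  # PT1M: one data point per minute

# Constructed sample: eight minutes around a SYN flood.
# "SYN Count" is a per-minute Total; the other two series are per-minute
# Maximum values (packets/sec for the threshold, 0/1 for the attack flag).
SYN_COUNT = [  # metric "SYN Count", aggregation Total, unit Count
    {"timeStamp": "2024-09-24T10:00:00Z", "total": 90_000},
    {"timeStamp": "2024-09-24T10:01:00Z", "total": 96_000},
    {"timeStamp": "2024-09-24T10:02:00Z", "total": 540_000},
    {"timeStamp": "2024-09-24T10:03:00Z", "total": 1_800_000},
    {"timeStamp": "2024-09-24T10:04:00Z", "total": 2_100_000},
    {"timeStamp": "2024-09-24T10:05:00Z", "total": 300_000},
    {"timeStamp": "2024-09-24T10:06:00Z", "total": 95_000},
    {"timeStamp": "2024-09-24T10:07:00Z", "total": 92_000},
]
TRIGGER_SYN = [  # metric "DDoSTriggerSYNPackets", aggregation Maximum, CountPerSecond
    {"timeStamp": p["timeStamp"], "maximum": 20_000} for p in SYN_COUNT
]
UNDER_ATTACK = [  # metric "IfUnderDDoSAttack", aggregation Maximum, 0 or 1
    {"timeStamp": p["timeStamp"], "maximum": flag}
    for p, flag in zip(SYN_COUNT, [0, 0, 0, 1, 1, 1, 0, 0])
]


def per_minute_rows(syn_count, trigger_syn, under_attack):
    """Join the three series on timeStamp and express SYN Count in
    packets/second so it is directly comparable with the threshold."""
    trigger = {p["timeStamp"]: p["maximum"] for p in trigger_syn}
    attack = {p["timeStamp"]: p["maximum"] for p in under_attack}
    rows = []
    for p in syn_count:
        ts = p["timeStamp"]
        if ts not in trigger or ts not in attack:
            continue  # skip minutes where one of the series has no data point
        pps = p["total"] / TIME_GRAIN_SECONDS
        threshold = trigger[ts]
        rows.append({
            "timeStamp": ts,
            "syn_pps": pps,
            "threshold_pps": threshold,
            "ratio": pps / threshold if threshold else float("inf"),
            "over_threshold": pps > threshold,
            "mitigating": attack[ts] == 1,
        })
    return rows


def peak_ratio(rows):
    """Highest observed SYN rate as a fraction of the trigger threshold.
    A value close to 1.0 during normal operation means legitimate bursts
    are near the point where mitigation (and its false positives) starts."""
    return max(r["ratio"] for r in rows)


def mismatches(rows):
    """Minutes where the traffic comparison and IfUnderDDoSAttack disagree.
    A few are expected: SYN Count / 60 is an average over the minute while
    the platform triggers on instantaneous rate, and mitigation can stay
    active briefly after the rate drops back under the threshold."""
    return [r["timeStamp"] for r in rows if r["over_threshold"] != r["mitigating"]]


if __name__ == "__main__":
    rows = per_minute_rows(SYN_COUNT, TRIGGER_SYN, UNDER_ATTACK)
    for r in rows:
        print(f'{r["timeStamp"]}  {r["syn_pps"]:>9.0f} pps  '
              f'{r["ratio"]:5.2f}x  over={r["over_threshold"]!s:5}  '
              f'mitigating={r["mitigating"]}')
    print("peak ratio:", round(peak_ratio(rows), 2))
    print("mismatched minutes:", mismatches(rows))
```

To run this against real data, export each series with `az monitor metrics list --resource <public-ip-resource-id> --metric DDoSTriggerSYNPackets --aggregation Maximum --interval PT1M` (and likewise for the other two metrics) and pass the "data" arrays from the response in place of the constructed lists. In the sample, the 10:05 minute shows up as a mismatch: the rate has already fallen to 5,000 pps but the mitigation flag is still 1, which is worth knowing before you treat the two signals as interchangeable.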

 

Configuring Alerts

Now that you have a good understanding of DDoS protection metrics, you can also set up an alert based on your metrics. A useful metric for configuring an alert is “IfUnderDDoSAttack”. Here’s how to do it:

  1. On your chart with the “IfUnderDDoSAttack” metric, click on New alert rule.
  2. Keep the signal name as “Under DDoS attack or not”.
  3. Select Maximum for the aggregation type.
  4. Choose “Greater than or equal to” for the operator.
  5. Select Count as the unit.
  6. Set the threshold value to “1” (since the values are only 0 and 1, where 1 indicates active DDoS mitigation).
  7. Click Next and under the Actions tab, choose how you want to be notified (this depends on your organization’s preference).
  8. Click on Review + create.

 

[Screenshot: alert rule condition for IfUnderDDoSAttack with Maximum aggregation, operator Greater than or equal to, threshold 1]

 

With this alert, you will be notified when there is active DDoS mitigation. Another useful alert is for the “SYN Count” metric. While the previous alert notifies you of a DDoS attack, in some cases, you may want to receive an alert even before the threshold is met, notifying you of a spike in traffic.

 

Setting Up a Preemptive Alert

Using similar steps as before, you can create an alert for the “SYN Count” metric:

  1. On your chart with the “SYN Count” metric, click on New alert rule.
  2. Keep the signal name as “SYN Count Alert”.
  3. Select Average for the aggregation type.
  4. Choose Greater than for the operator.
  5. Select Count as the unit.
  6. Set the threshold value based on the average traffic you see in the chart, choosing a value well below the DDoS trigger threshold. Because “SYN Count” is a per-minute total, express this threshold in packets per minute (a trigger threshold in packets per second corresponds to 60 times that value per minute). This way, you are notified when traffic starts to rise and can prepare for a potential DDoS attack.
  7. Click Next and under the Actions tab, choose how you want to be notified.
  8. Click on Review + create.
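The two rules above behave differently on the same traffic, and the difference is easiest to see by evaluating them the way Azure Monitor does: every evaluation period, aggregate the data points in the lookback window and compare the result with the threshold. The script below is an added example, not code from the original post. The per-minute series are constructed, and the 5-minute window and 1-minute evaluation frequency are assumptions (the portal defaults); the trigger value of 20,000 pps is likewise assumed.

```python
"""Evaluate the IfUnderDDoSAttack alert (Maximum >= 1) and the preemptive
SYN Count alert (Average > threshold) over constructed per-minute series.

Added example, not code from the original post. Window, frequency, the
trigger value and the series themselves are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Sequence

TIME_GRAIN_SECONDS = 60  # PT1M


def pps_to_per_minute(pps: float) -> float:
    """Convert a packets-per-second figure (e.g. the DDoSTriggerSYNPackets
    threshold) to the per-minute Count scale that SYN Count is reported in,
    which is the scale a SYN Count alert threshold must be expressed in."""
    return pps * TIME_GRAIN_SECONDS


@dataclass(frozen=True)
class MetricAlertRule:
    name: str
    metric: str
    aggregation: Callable[[Sequence[float]], float]  # Maximum or Average
    operator: str                                    # ">" or ">="
    threshold: float
    window: int = 5      # minutes aggregated per evaluation (assumed)
    frequency: int = 1   # minutes between evaluations (assumed)


def average(values: Sequence[float]) -> float:
    return sum(values) / len(values)


def evaluate(rule: MetricAlertRule, series: Sequence[float]) -> list:
    """Return the minute offsets at which the rule's condition is met.
    series[i] is the metric's data point for minute i; each evaluation
    covers the `window` minutes ending at that offset."""
    compare = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b}[rule.operator]
    fired = []
    for end in range(rule.window, len(series) + 1, rule.frequency):
        value = rule.aggregation(series[end - rule.window:end])
        if compare(value, rule.threshold):
            fired.append(end - 1)
    return fired


def first_fire(rule: MetricAlertRule, series: Sequence[float]):
    """Minute offset of the first evaluation that fires, or None."""
    hits = evaluate(rule, series)
    return hits[0] if hits else None


# Constructed series, one value per minute. SYN traffic ramps for two
# minutes before crossing the assumed 20,000 pps trigger (1.2M per minute);
# the attack flag stays set one minute after the rate drops back.
SYN_COUNT = [90_000, 96_000, 102_000, 400_000, 700_000, 1_500_000,
             2_100_000, 2_300_000, 300_000, 95_000, 92_000, 90_000]
IF_UNDER_DDOS_ATTACK = [0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0]
TRIGGER_PPS = 20_000  # value read from DDoSTriggerSYNPackets (assumed)

MITIGATION_ALERT = MetricAlertRule(
    name="Under DDoS attack or not", metric="IfUnderDDoSAttack",
    aggregation=max, operator=">=", threshold=1)

# Preemptive rule: roughly 2.8x the ~1,500 pps baseline, in per-minute
# units, and far below the trigger threshold.
SYN_SPIKE_ALERT = MetricAlertRule(
    name="SYN Count Alert", metric="SYN Count",
    aggregation=average, operator=">", threshold=250_000)


if __name__ == "__main__":
    assert SYN_SPIKE_ALERT.threshold < pps_to_per_minute(TRIGGER_PPS)
    for rule, series in ((MITIGATION_ALERT, IF_UNDER_DDOS_ATTACK),
                         (SYN_SPIKE_ALERT, SYN_COUNT)):
        print(f"{rule.name!r} fires at minutes {evaluate(rule, series)}")
```

In the sample the SYN Count rule fires one minute before the IfUnderDDoSAttack rule, which is the point of the preemptive alert; a longer window or a threshold closer to the trigger erodes that lead time. The mitigation rule itself can be created outside the portal with `az monitor metrics alert create` using `--condition "max IfUnderDDoSAttack >= 1"` together with `--window-size 5m --evaluation-frequency 1m` and the public IP's resource ID in `--scopes`.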

 

Conclusion

Monitoring Azure DDoS Protection metrics is crucial for maintaining the availability and performance of your applications. By charting the SYN Count metric with Average aggregation against the DDoSTriggerSYNPackets metric with Maximum aggregation, and alerting on IfUnderDDoSAttack and on SYN Count spikes below the trigger threshold, you can effectively monitor your resources for DDoS attacks. Stay vigilant and proactive in your DDoS protection strategy to ensure uninterrupted service delivery.

 

Resources

Monitoring Azure DDoS Protection | Microsoft Learn

Azure DDoS Protection Overview | Microsoft Learn

Tutorial: Configure Azure DDoS Protection metric alerts through portal | Microsoft Learn

Supported metrics - Microsoft.Network/publicIPAddresses | Microsoft Learn

Monitor Public IP addresses | Microsoft Learn

Azure Network Security Blog articles