Loading...

Monitoring Azure DDoS Protection Mitigation Triggers

Monitoring Azure DDoS Protection Mitigation Triggers

Monitoring Azure DDoS Protection Mitigation Triggers

In today’s digital landscape, Distributed Denial of Service (DDoS) attacks pose a significant threat to the availability and performance of online services. Azure DDoS Protection provides robust mechanisms to protect your applications and services against such attacks. In this blog post, we’ll explore how to monitor Azure DDoS Protection metrics for public IPs and demonstrate how to fully utilize the available metrics to monitor your public IPs for DDoS attacks.

 

Understanding Public IP and Azure DDoS Protection Metrics

Azure DDoS Protection offers a variety of metrics that provide insights into potential threats targeting your resources. Additionally, there are public IP platform metrics that we can leverage for monitoring traffic patterns. These metrics are accessible through Azure Monitor and can be used to set up alerts and automated responses. Key metrics include:

 

Metric Name

Description

Unit

Aggregation Type

BytesDroppedDDoS

Inbound bytes dropped by the DDoS mitigation system

BytesPerSecond

Maximum

BytesForwardedDDoS

Inbound bytes forwarded by the DDoS mitigation system

BytesPerSecond

Maximum

BytesInDDoS

Total inbound bytes processed by the DDoS mitigation system

BytesPerSecond

Maximum

DDoSTriggerSYNPackets

Inbound SYN packets triggering DDoS mitigation

CountPerSecond

Maximum

DDoSTriggerTCPPackets

Inbound TCP packets triggering DDoS mitigation

CountPerSecond

Maximum

DDoSTriggerUDPPackets

Inbound UDP packets triggering DDoS mitigation

CountPerSecond

Maximum

IfUnderDDoSAttack

Indicates if the Public IP resource is under a DDoS attack

Count

Maximum

PacketsDroppedDDoS

Inbound packets dropped by the DDoS mitigation system

CountPerSecond

Maximum

PacketsForwardedDDoS

Inbound packets forwarded by the DDoS mitigation system

CountPerSecond

Maximum

PacketsInDDoS

Total inbound packets processed by the DDoS mitigation system

CountPerSecond

Maximum

TCPBytesDroppedDDoS

Inbound TCP bytes dropped by the DDoS mitigation system

BytesPerSecond

Maximum

TCPBytesForwardedDDoS

Inbound TCP bytes forwarded by the DDoS mitigation system

BytesPerSecond

Maximum

TCPBytesInDDoS

Total inbound TCP bytes processed by the DDoS mitigation system

BytesPerSecond

Maximum

TCPPacketsDroppedDDoS

Inbound TCP packets dropped by the DDoS mitigation system

CountPerSecond

Maximum

TCPPacketsForwardedDDoS

Inbound TCP packets forwarded by the DDoS mitigation system

CountPerSecond

Maximum

TCPPacketsInDDoS

Total inbound TCP packets processed by the DDoS mitigation system

CountPerSecond

Maximum

Byte count

Total number of Bytes transmitted within time period

Bytes

Total

SYN Count

Total number of SYN Packets transmitted within time period

Count

Total

Packet count

Total number of Packets transmitted within a time period

Count

Total

 

Note: In this table, the aggregation labeled 'Total' represents the sum of all values recorded during the aggregation interval. It is also known as the Sum aggregation. For more details, please refer to this Azure Monitor metrics aggregation and display explained - Azure Monitor | Microsoft Learn

 

These metrics provide a comprehensive view of the traffic patterns and potential threats targeting your Azure resources, enabling you to set up effective monitoring and mitigation strategies. For this blog post, I will focus on three specific metrics: “DDoSTriggerSYNPackets”“SYN Count”, and “IfUnderDDoSAttack” to monitor the DDoS SYN packets threshold.

 

Steps to Monitor Public IP Metrics

  1. Navigate to Azure Monitor: Sign in to the Azure portal and go to Azure Monitor.
  2. Select Metrics: In the Azure Monitor menu, select “Metrics.”
  3. Choose Scope: Select the scope by choosing the subscription and the specific public IP address you want to monitor.
  4. Add Metric: Click on “Add metric” and select the desired metric, such as “DDoSTriggerSYNPackets.”
  5. Set Aggregation Type: Choose the aggregation type.

 

Understanding Traffic Thresholds

When monitoring your traffic, it’s crucial to understand the threshold set by Azure DDoS protection auto-tuning. How do you compare your real traffic to this threshold to determine if you are close to or far from it? Additionally, it’s important to assess if the threshold is suitable for your environment and downstream architecture.

To do this, you can add the metric “DDoSTriggerSYNPackets” to your public IP metrics and then add “SYN Count” to the same chart. This comparison helps you understand how your real traffic measures up against the threshold. However, a challenge arises because the aggregations used for these metrics are Max and Sum. The Max aggregation for “DDoSTriggerSYNPackets” shows only the maximum data point in an interval, while the Sum aggregation for “SYN Count” sums up all data points in the interval. This discrepancy can result in a chart that is not informative.

 

SaleemBseeu_4-1727194016486.png

 

Understanding Sum and Max Aggregation

Sum Aggregation:

  • Definition: Sum adds up all values within a time range.
  • Use Case: Ideal for finding total values, such as the total number of requests or bytes.
  • Example: If TCP packets per minute are [50, 60, 45, 55, 40], the sum for 5 minutes is: 50 + 60 + 45 + 55 + 40 = 250.

Max Aggregation:

  • Definition: Max picks the highest value within the time range.
  • Use Case: Useful for identifying peaks, such as highest CPU usage or maximum response time.
  • Example: Using the same data, the max aggregation gives: Max = 60 requests.

Summary

  • Sum Aggregation: Shows total values over time.
  • Max Aggregation: Shows the highest point during the time period.

 

Currently, there is no way to correlate these two metrics 100%. However, the closest approach is to use the Avg aggregation for the “SYN Count” metric and decrease the interval to 5 or 1 minute to get as accurate data as possible. The Avg aggregation provides the average of all data points in the specific interval. The smaller the interval, the more closely it can correlate to the max aggregation of the threshold.

By changing the aggregation to Avg, you will see in the chart below how the data correlation becomes more accurate.

 

 

SaleemBseeu_5-1727194051687.png

 

As you can see in the chart, there is minimal traffic for most of the day. However, we observe two sudden spikes, which are typically indicative of DDoS attacks. In this chart, these spikes have exceeded our threshold of 20k PPS (Packets per second).

 

Note: Since the time grain for these metrics is PT1M, meaning the metric is sampled every minute, you can obtain the packets per second value by dividing the datapoint value by 60. For more information about the resource metric, see Monitoring data reference for Public IP addresses | Microsoft Learn

 

To confirm whether Azure DDoS protection initiated mitigation, we will add another chart using the metric “IfUnderDDoSAttack”. This metric has only two values:

  • 0: No active DDoS mitigation
  • 1: Active DDoS mitigation

Below, you will see how both charts confirm this.

 

SaleemBseeu_6-1727194105352.png

 

As you can see in the charts, DDoS mitigation was active exactly when the amount of Sync traffic exceeded the threshold at both times, effectively spotting the DDoS attack.

 

Configuring Alerts

Now that you have a good understanding of DDoS protection metrics, you can also set up an alert based on your metrics. A useful metric for configuring an alert is “IfUnderDDoSAttack”. Here’s how to do it:

  1. On your chart with the “IfUnderDDoSAttack” metric, click on New alert rule.
  2. Keep the signal name as “Under DDoS attack or not”.
  3. Select Maximum for the aggregation type.
  4. Choose “Greater than or equal to” for the operator.
  5. Select Count as the unit.
  6. Set the threshold value to “1” (since the values are only 0 and 1, where 1 indicates active DDoS mitigation).
  7. Click Next and under the Actions tab, choose how you want to be notified (this depends on your organization’s preference).
  8. Click on Review + create.

 

SaleemBseeu_8-1727194153612.png

 

With this alert, you will be notified when there is active DDoS mitigation. Another useful alert is for the “SYN Count” metric. While the previous alert notifies you of a DDoS attack, in some cases, you may want to receive an alert even before the threshold is met, notifying you of a spike in traffic.

 

Setting Up a Preemptive Alert

Using similar steps as before, you can create an alert for the “SYN Count” metric:

  1. On your chart with the “SYN Count” metric, click on New alert rule.
  2. Keep the signal name as “SYN Count Alert”.
  3. Select Average for the aggregation type.
  4. Choose Greater than for the operator.
  5. Select Count as the unit.
  6. Set the threshold value based on the average traffic you see in the chart, choosing a value lower than the DDoS threshold. This way, you will be aware when traffic starts to increase suddenly and can prepare for a potential DDoS attack.
  7. Click Next and under the Actions tab, choose how you want to be notified.
  8. Click on Review + create.

 

Conclusion

Monitoring Azure DDoS Protection metrics is crucial for maintaining the availability and performance of your applications. By leveraging the SYN Count metric with average aggregation and using TCP SYN packets to trigger DDoS mitigation with maximum aggregation, you can effectively monitor your resources against DDoS attacks. Stay vigilant and proactive in your DDoS protection strategy to ensure uninterrupted service delivery.

 

Resources

Monitoring Azure DDoS Protection | Microsoft Learn

Azure DDoS Protection Overview | Microsoft Learn

Tutorial: Configure Azure DDoS Protection metric alerts through portal | Microsoft Learn

Supported metrics - Microsoft.Network/publicIPAddresses | Microsoft Learn

Monitor Public IP addresses | Microsoft Learn

Published on:

Learn more
Azure Network Security Blog articles
Azure Network Security Blog articles

Azure Network Security Blog articles

Share post:

Related posts

Azure Developer CLI (azd) – November 2024

This post announces the November release of the Azure Developer CLI (`azd`). The post Azure Developer CLI (azd) – November 2024 appeared...

2 days ago

Microsoft Purview | Information Protection: Auto-labeling for Microsoft Azure Storage and Azure SQL

Microsoft Purview | Information Protection will soon offer Auto-labeling for Microsoft Azure Storage and Azure SQL, providing automatic l...

3 days ago

5 Proven Benefits of Moving Legacy Platforms to Azure Databricks

With evolving data demands, many organizations are finding that legacy platforms like Teradata, Hadoop, and Exadata no longer meet their needs...

4 days ago

November Patches for Azure DevOps Server

Today we are releasing patches that impact our self-hosted product, Azure DevOps Server. We strongly encourage and recommend that all customer...

4 days ago

Elevate Your Skills with Azure Cosmos DB: Must-Attend Sessions at Ignite 2024

Calling all Azure Cosmos DB enthusiasts: Join us at Microsoft Ignite 2024 to learn all about how we’re empowering the next wave of AI innovati...

4 days ago

Getting Started with Bicep: Simplifying Infrastructure as Code on Azure

Bicep is an Infrastructure as Code (IaC) language that allows you to declaratively define Azure resources, enabling automated and repeatable d...

6 days ago

How Azure AI Search powers RAG in ChatGPT and global scale apps

Millions of people use Azure AI Search every day without knowing it. You can enable your apps with the same search that enables retrieval-augm...

10 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy