Monitoring Azure DDoS Protection Mitigation Triggers
In today’s digital landscape, Distributed Denial of Service (DDoS) attacks pose a significant threat to the availability and performance of online services. Azure DDoS Protection provides robust mechanisms to protect your applications and services against such attacks. In this blog post, we’ll explore how to monitor Azure DDoS Protection metrics for public IPs and demonstrate how to fully utilize the available metrics to monitor your public IPs for DDoS attacks.
Understanding Public IP and Azure DDoS Protection Metrics
Azure DDoS Protection offers a variety of metrics that provide insights into potential threats targeting your resources. Additionally, there are public IP platform metrics that we can leverage for monitoring traffic patterns. These metrics are accessible through Azure Monitor and can be used to set up alerts and automated responses. Key metrics include:
| Metric Name | Description | Unit | Aggregation Type |
|---|---|---|---|
| BytesDroppedDDoS | Inbound bytes dropped by the DDoS mitigation system | BytesPerSecond | Maximum |
| BytesForwardedDDoS | Inbound bytes forwarded by the DDoS mitigation system | BytesPerSecond | Maximum |
| BytesInDDoS | Total inbound bytes processed by the DDoS mitigation system | BytesPerSecond | Maximum |
| DDoSTriggerSYNPackets | Inbound SYN packets triggering DDoS mitigation | CountPerSecond | Maximum |
| DDoSTriggerTCPPackets | Inbound TCP packets triggering DDoS mitigation | CountPerSecond | Maximum |
| DDoSTriggerUDPPackets | Inbound UDP packets triggering DDoS mitigation | CountPerSecond | Maximum |
| IfUnderDDoSAttack | Indicates if the Public IP resource is under a DDoS attack | Count | Maximum |
| PacketsDroppedDDoS | Inbound packets dropped by the DDoS mitigation system | CountPerSecond | Maximum |
| PacketsForwardedDDoS | Inbound packets forwarded by the DDoS mitigation system | CountPerSecond | Maximum |
| PacketsInDDoS | Total inbound packets processed by the DDoS mitigation system | CountPerSecond | Maximum |
| TCPBytesDroppedDDoS | Inbound TCP bytes dropped by the DDoS mitigation system | BytesPerSecond | Maximum |
| TCPBytesForwardedDDoS | Inbound TCP bytes forwarded by the DDoS mitigation system | BytesPerSecond | Maximum |
| TCPBytesInDDoS | Total inbound TCP bytes processed by the DDoS mitigation system | BytesPerSecond | Maximum |
| TCPPacketsDroppedDDoS | Inbound TCP packets dropped by the DDoS mitigation system | CountPerSecond | Maximum |
| TCPPacketsForwardedDDoS | Inbound TCP packets forwarded by the DDoS mitigation system | CountPerSecond | Maximum |
| TCPPacketsInDDoS | Total inbound TCP packets processed by the DDoS mitigation system | CountPerSecond | Maximum |
| Byte count | Total number of bytes transmitted within the time period | Bytes | Total |
| SYN Count | Total number of SYN packets transmitted within the time period | Count | Total |
| Packet count | Total number of packets transmitted within the time period | Count | Total |
Note: In this table, the aggregation labeled ‘Total’ represents the sum of all values recorded during the aggregation interval; it is also known as the Sum aggregation. For more details, see Azure Monitor metrics aggregation and display explained (Azure Monitor | Microsoft Learn).
These metrics provide a comprehensive view of the traffic patterns and potential threats targeting your Azure resources, enabling you to set up effective monitoring and mitigation strategies. For this blog post, I will focus on three specific metrics: “DDoSTriggerSYNPackets”, “SYN Count”, and “IfUnderDDoSAttack” to monitor the DDoS SYN packets threshold.
Steps to Monitor Public IP Metrics
Navigate to Azure Monitor: Sign in to the Azure portal and go to Azure Monitor.
Select Metrics: In the Azure Monitor menu, select “Metrics.”
Choose Scope: Select the scope by choosing the subscription and the specific public IP address you want to monitor.
Add Metric: Click on “Add metric” and select the desired metric, such as “DDoSTriggerSYNPackets.”
Set Aggregation Type: Choose the aggregation type.
Understanding Traffic Thresholds
When monitoring your traffic, it’s crucial to understand the threshold set by Azure DDoS protection auto-tuning. How do you compare your real traffic to this threshold to determine if you are close to or far from it? Additionally, it’s important to assess if the threshold is suitable for your environment and downstream architecture.
To do this, you can add the metric “DDoSTriggerSYNPackets” to your public IP metrics and then add “SYN Count” to the same chart. This comparison helps you understand how your real traffic measures up against the threshold. However, a challenge arises because the aggregations used for these metrics are Max and Sum. The Max aggregation for “DDoSTriggerSYNPackets” shows only the maximum data point in an interval, while the Sum aggregation for “SYN Count” sums up all data points in the interval. This discrepancy can result in a chart that is not informative.
Understanding Sum and Max Aggregation
Sum Aggregation:
Definition: Sum adds up all values within a time range.
Use Case: Ideal for finding total values, such as the total number of requests or bytes.
Example: If TCP packets per minute are [50, 60, 45, 55, 40], the sum for 5 minutes is: 50 + 60 + 45 + 55 + 40 = 250.
Max Aggregation:
Definition: Max picks the highest value within the time range.
Use Case: Useful for identifying peaks, such as highest CPU usage or maximum response time.
Example: Using the same data, the max aggregation gives: Max = 60 packets.
Summary
Sum Aggregation: Shows total values over time.
Max Aggregation: Shows the highest point during the time period.
Currently, there is no way to correlate these two metrics exactly. However, the closest approach is to use the Avg aggregation for the “SYN Count” metric and decrease the interval to 5 or 1 minute to get data that is as accurate as possible. The Avg aggregation provides the average of all data points in the selected interval. The smaller the interval, the more closely it correlates with the Max aggregation of the threshold.
By changing the aggregation to Avg, you will see in the chart below how the data correlation becomes more accurate.
As you can see in the chart, there is minimal traffic for most of the day. However, we observe two sudden spikes, which are typically indicative of DDoS attacks. In this chart, these spikes have exceeded our threshold of 20k PPS (Packets per second).
Note: Since the time grain for these metrics is PT1M, meaning the metric is sampled every minute, you can obtain the packets per second value by dividing the datapoint value by 60. For more information about the resource metric, see Monitoring data reference for Public IP addresses | Microsoft Learn
To confirm whether Azure DDoS protection initiated mitigation, we will add another chart using the metric “IfUnderDDoSAttack”. This metric has only two values:
0: No active DDoS mitigation
1: Active DDoS mitigation
Below, you will see how both charts confirm this.
As you can see in the charts, DDoS mitigation was active exactly when the amount of SYN traffic exceeded the threshold at both times, effectively spotting the DDoS attack.
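The aggregation comparison above, worked through in code as an added example (not part of the original post): per-minute “SYN Count” datapoints are rolled up with Sum, Max and Avg, converted to packets per second by dividing by the 60-second PT1M time grain, compared with the “DDoSTriggerSYNPackets” threshold, and lined up against “IfUnderDDoSAttack”. All three series and the 20k PPS threshold are constructed sample data, not values read from Azure Monitor.

```python
from statistics import mean

TIME_GRAIN_SECONDS = 60  # PT1M: every "SYN Count" datapoint covers one minute

# Constructed per-minute "SYN Count" datapoints (Sum over PT1M): quiet traffic
# with a two-minute SYN spike in the middle, like the spikes in the post's chart.
SYN_COUNT_PER_MINUTE = [50, 60, 45, 55, 40, 1_500_000, 1_320_000, 52, 48, 47]
# Constructed "IfUnderDDoSAttack" samples for the same minutes (1 = mitigation active).
IF_UNDER_DDOS_ATTACK = [0, 0, 0, 0, 0, 1, 1, 0, 0, 0]
# Constructed "DDoSTriggerSYNPackets" threshold (CountPerSecond, Max aggregation).
TRIGGER_SYN_PPS = 20_000

def aggregate(values, interval_minutes, how):
    """Roll PT1M datapoints up to a chart interval with Sum, Max or Avg."""
    fn = {"sum": sum, "max": max, "avg": mean}[how]
    return [fn(values[i:i + interval_minutes])
            for i in range(0, len(values), interval_minutes)]

def to_pps(count_per_minute):
    """Convert a per-minute count to packets per second (divide by the 60 s grain)."""
    return count_per_minute / TIME_GRAIN_SECONDS

def avg_pps(values, interval_minutes):
    """Avg-aggregated SYN rate per interval in PPS, comparable to the trigger threshold."""
    return [to_pps(v) for v in aggregate(values, interval_minutes, "avg")]

def minutes_over_threshold(values, threshold_pps):
    """Minute indices whose SYN rate meets or exceeds the mitigation trigger."""
    return [i for i, c in enumerate(values) if to_pps(c) >= threshold_pps]

def mitigation_matches(values, under_attack, threshold_pps):
    """True when mitigation was active in exactly the minutes that crossed the threshold."""
    over = set(minutes_over_threshold(values, threshold_pps))
    active = {i for i, flag in enumerate(under_attack) if flag == 1}
    return over == active

if __name__ == "__main__":
    quiet = SYN_COUNT_PER_MINUTE[:5]  # the post's [50, 60, 45, 55, 40] example
    print("Sum / Max / Avg over 5 min:", aggregate(quiet, 5, "sum")[0],
          aggregate(quiet, 5, "max")[0], aggregate(quiet, 5, "avg")[0])
    # A 5-minute interval smooths the spike below 20k PPS even though two single
    # minutes were far above it, which is why a 1-minute interval tracks the
    # Max-aggregated threshold more closely.
    print("Avg PPS, 5-min interval:", [round(x) for x in avg_pps(SYN_COUNT_PER_MINUTE, 5)])
    print("Avg PPS, 1-min interval:", [round(x) for x in avg_pps(SYN_COUNT_PER_MINUTE, 1)])
    print("Mitigation lines up with spikes:",
          mitigation_matches(SYN_COUNT_PER_MINUTE, IF_UNDER_DDOS_ATTACK, TRIGGER_SYN_PPS))
```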
Configuring Alerts
Now that you have a good understanding of DDoS protection metrics, you can also set up an alert based on your metrics. A useful metric for configuring an alert is “IfUnderDDoSAttack”. Here’s how to do it:
On your chart with the “IfUnderDDoSAttack” metric, click on New alert rule.
Keep the signal name as “Under DDoS attack or not”.
Select Maximum for the aggregation type.
Choose “Greater than or equal to” for the operator.
Select Count as the unit.
Set the threshold value to “1” (since the values are only 0 and 1, where 1 indicates active DDoS mitigation).
Click Next and under the Actions tab, choose how you want to be notified (this depends on your organization’s preference).
Click on Review + create.
With this alert, you will be notified when there is active DDoS mitigation. Another useful alert is for the “SYN Count” metric. While the previous alert notifies you of a DDoS attack, in some cases, you may want to receive an alert even before the threshold is met, notifying you of a spike in traffic.
Setting Up a Preemptive Alert
Using similar steps as before, you can create an alert for the “SYN Count” metric:
On your chart with the “SYN Count” metric, click on New alert rule.
Keep the signal name as “SYN Count Alert”.
Select Average for the aggregation type.
Choose Greater than for the operator.
Select Count as the unit.
Set the threshold value based on the average traffic you see in the chart, choosing a value lower than the DDoS threshold. This way, you will be aware when traffic starts to increase suddenly and can prepare for a potential DDoS attack.
Click Next and under the Actions tab, choose how you want to be notified.
Click on Review + create.
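The two portal alert rules above (“IfUnderDDoSAttack” with Maximum ≥ 1, and the pre-emptive “SYN Count” alert with Average > a value below the DDoS threshold) expressed as Azure Resource Manager metric alert definitions, as an added example that is not part of the original post. The resource IDs are placeholders, and the ARM metric name `SynCount` for the “SYN Count” display name is an assumption.

```python
import json

# Placeholders: replace with the public IP and action group resource IDs.
PUBLIC_IP_ID = ("/subscriptions/<subscription-id>/resourceGroups/<resource-group>"
                "/providers/Microsoft.Network/publicIPAddresses/<public-ip-name>")
ACTION_GROUP_ID = ("/subscriptions/<subscription-id>/resourceGroups/<resource-group>"
                   "/providers/Microsoft.Insights/actionGroups/<action-group-name>")
METRIC_NAMESPACE = "Microsoft.Network/publicIPAddresses"

def metric_alert(name, metric_name, operator, threshold, time_aggregation, severity):
    """Static-threshold Microsoft.Insights/metricAlerts resource scoped to the public IP."""
    return {
        "type": "Microsoft.Insights/metricAlerts",
        "apiVersion": "2018-03-01",
        "name": name,
        "location": "global",
        "properties": {
            "description": f"{metric_name} {operator} {threshold} ({time_aggregation})",
            "severity": severity,
            "enabled": True,
            "scopes": [PUBLIC_IP_ID],
            "evaluationFrequency": "PT1M",  # evaluate every minute, matching the time grain
            "windowSize": "PT5M",           # aggregate over a 5-minute lookback
            "criteria": {
                "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria",
                "allOf": [{
                    "criterionType": "StaticThresholdCriterion",
                    "name": "Metric1",
                    "metricNamespace": METRIC_NAMESPACE,
                    "metricName": metric_name,
                    "operator": operator,
                    "threshold": threshold,
                    "timeAggregation": time_aggregation,
                }],
            },
            "actions": [{"actionGroupId": ACTION_GROUP_ID}],
        },
    }

def under_ddos_attack_alert():
    """Fires while mitigation is active: Maximum IfUnderDDoSAttack >= 1."""
    return metric_alert("pip-under-ddos-attack", "IfUnderDDoSAttack",
                        "GreaterThanOrEqual", 1, "Maximum", severity=0)

def syn_spike_alert(syn_per_minute_threshold):
    """Pre-emptive alert: Average SynCount (assumed ARM name of "SYN Count") > threshold."""
    return metric_alert("pip-syn-count-spike", "SynCount", "GreaterThan",
                        syn_per_minute_threshold, "Average", severity=2)

def to_json(rule):
    """Serialize a rule for inclusion in an ARM template's resources array."""
    return json.dumps(rule, indent=2)
```

Pick the `syn_spike_alert` threshold from the average per-minute SYN count seen in your chart, below the DDoS trigger level, as the post recommends.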
Conclusion
Monitoring Azure DDoS Protection metrics is crucial for maintaining the availability and performance of your applications. By charting the SYN Count metric with Average aggregation against the DDoSTriggerSYNPackets metric with Maximum aggregation, you can effectively monitor your resources for DDoS attacks. Stay vigilant and proactive in your DDoS protection strategy to ensure uninterrupted service delivery.
Resources
Monitoring Azure DDoS Protection | Microsoft Learn
Azure DDoS Protection Overview | Microsoft Learn
Tutorial: Configure Azure DDoS Protection metric alerts through portal | Microsoft Learn
Supported metrics – Microsoft.Network/publicIPAddresses | Microsoft Learn
Monitor Public IP addresses | Microsoft Learn