Edge Security
  • Overview
  • DDoS Protection
    • DDoS Protection Overview
    • Exclusive DDoS Protection Usage
    • Configuration of Exclusive DDoS protection Rules
      • Increase DDoS Protection Level
      • Exclusive DDoS Traffic Alarm
      • Configuration IP blocklist/allowlist
      • Configuration Region Blocking Rule
      • Configuration Port Filtering
      • Configuration Features Filtering
      • Configuration Protocol Blocking Rule
      • Configuration Connections Attack Protection
      • Related References
        • Action
        • Related Concepts Introduction
  • Web Protection
    • Overview
    • Managed rules
    • CC attack defense
    • Custom rule
    • Custom Rate Limiting Rules
    • Exception Rules
    • Managed Custom Rules
    • Web security monitoring alarm
    • Refer
      • Web Protection Request Processing Order
      • Action
      • Match Condition
  • Bot Management
    • Overview
    • Bot Intelligent analysis
    • Bot Basic Feature Management
    • Client Reputation
    • Active Detection
    • Custom Bot Rule
    • Bot Exception Rule
    • Related References
      • Action
  • Rules Template
  • IP and IP Segment Grouping
  • Origin Protection
  • Custom Response Page
  • Alarm Notification
  • SSL/TLS
    • Overview
    • Deploying/Updating SSL Certificate for A Domain Name
    • Configuring A Free Certificate for A Domain Name
    • HTTPS Configuration
      • Forced HTTPS Access
      • Enabling HSTS
      • SSL/TLS Security Configuration
        • Configuring SSL/TLS Security
        • TLS Versions and Cipher Suites
      • Enabling OCSP Stapling

Exclusive DDoS Traffic Alarm

The DDoS attack traffic alert function allows users to set custom attack traffic rate alert thresholds for DDoS protection instances. When the detected attack traffic rate exceeds the set threshold, the system will send an alert notification to help users understand and respond to potential DDoS attacks in a timely manner. Upon receiving the attack traffic rate alert, users should pay attention to the operation of their business, refer to the number of connections, visitor volume, normal session count, and other normal business indicators, combined with the number of online users and other business indicators, to evaluate the health of their business and determine whether it is affected by a DDoS attack.
Note:
This function is only applicable to users who have subscribed to a separate DDoS protection instance, and the alert is only for L3/L4 (network layer) attack traffic rates.

Scenario: Configure alert thresholds for L4 proxy standalone DDoS protection instances

Example Scenario

A game client's current business has purchased a standalone DDoS protection capability for L4 proxy service, with a guaranteed protection capacity of 30,000 Mbps. When encountering a DDoS attack traffic exceeding 20,000 Mbps, the client needs to be informed and pay attention in advance so that they can take measures to upgrade their protection capability in time to avoid affecting the normal access of their business.

Directions

1. Log in to the EdgeOne console, click on the site list in the left menu bar, click on the site to be configured in the site list, and enter the site details page.
2. On the site details page, click on security protection > notification push, and enter the notification push details page.
3. In the DDoS attack traffic alert card, click on the setting.
4. In the alert configuration page, for the current scenario, you can select the L4 proxy instance you need to configure, enable the custom threshold switch, click on edit, modify the alert threshold to 20000 Mbps, and click save to take effect.
Note:
The default alert domain is effective for all business types. If you need to customize the alert threshold, you need to enable the custom threshold switch.




Related Reference

Monitoring Range

The monitoring range of the DDoS attack traffic alert function is corresponding to the IP. In actual operation, multiple domain services may use the same protection instance IP, so the alert is for the protection instance, not the specific domain.
The set alert threshold is only for the detected attack traffic rate, not the total business traffic rate.

Trigger Method

Note:
The attack traffic rate alert is based on the instantaneous peak, while the attack traffic rate trend chart on the console is based on the minute dimension average, so there may be differences when comparing the two.
The DDoS attack traffic alert function uses the attack traffic rate instantaneous peak as the statistical method, with the unit being Mbps. The alert function monitors the traffic situation of the protection instance, and when the attack traffic rate reaches or exceeds the user-set threshold, it sends an alert notification.