Amazon Shield Advanced metrics
Shield Advanced publishes Amazon CloudWatch detection, mitigation, and top contributor metrics for all resources that it protects. These metrics improve your ability to monitor your resources by making it possible to create and configure CloudWatch dashboards and alarms for them.
The Shield Advanced console presents summaries of many of the metrics that it records. For information, see Visibility into DDoS events with Shield Advanced.
If you enable automatic application layer DDoS mitigation for an application layer protection,
Metric reporting locations
Shield Advanced reports metrics in the US East (N. Virginia) Region, us-east-1, for the following:
- The global services Amazon CloudFront and Amazon Route 53.
- Protection groups. For information about protection groups, see Grouping your Amazon Shield Advanced protections.
For other resource types, Shield Advanced reports metrics in the resource's Region.
Timing of metric reporting
Shield Advanced reports metrics to Amazon CloudWatch on an Amazon resource more frequently during DDoS events than while no events are underway. Shield Advanced reports metrics once a minute during an event, and then once right after the event ends.
While no events are underway, Shield Advanced reports metrics once a day, at a time assigned to the resource. This periodic report keeps the metrics active and available for use in custom CloudWatch alarms and dashboards.
Alarm recommendations
We recommend that you create alarms to notify you of circumstances that require attention.
As a starting point, you could create an alarm for each protected resource that reports when the DDoSDetected detection metric is non-zero. A non-zero value in this metric doesn't necessarily imply that a DDoS attack is underway, but we recommend looking closer at the resource status when the metric is in this state.
For request floods, we recommend that you create alarms for composite checks that also consider factors such as application health and web request volume. You may choose to alarm on the other three metrics that report on the volume of traffic for various attack vector dimensions. By considering the capacity of your application and alarming when traffic is approaching your application limitations, you can create a set of rules that notify you as needed, without too much unwanted noise.
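The following is an added example of the alarm set recommended above, written with boto3; it is not code from the Shield Advanced documentation. It assumes a protected resource ARN, an SNS topic ARN, an application request capacity, and the name of an existing application health alarm (all placeholders), and it sets TreatMissingData to notBreaching because, as described under Timing of metric reporting, the metrics are published only once a day while no event is underway.

```python
"""Build and create the Shield Advanced CloudWatch alarms recommended above.

Added example, not AWS's own code. The builder functions are pure and need no
AWS access; boto3 and credentials are required only when apply() is called.
Every ARN, topic and capacity value below is a placeholder.
"""
NAMESPACE = "AWS/DDoSProtection"


def _alarm_name(prefix, resource_arn):
    """Derive an alarm name from the last component of the resource ARN."""
    return f"{prefix}-{resource_arn.rsplit('/', 1)[-1].rsplit(':', 1)[-1]}"


def ddos_detected_alarm(resource_arn, sns_topic_arn):
    """Alarm that fires when DDoSDetected is non-zero for one protected resource.

    Outside an event the metric arrives once a day, so nearly every 60-second
    period has no data point. Treating missing data as not breaching keeps the
    alarm in OK instead of INSUFFICIENT_DATA between those daily reports.
    """
    return {
        "AlarmName": _alarm_name("shield-ddos-detected", resource_arn),
        "Namespace": NAMESPACE,
        "MetricName": "DDoSDetected",
        # DDoSDetected is posted with only the ResourceArn dimension.
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Maximum",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": 0,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
    }


def request_flood_alarm(resource_arn, sns_topic_arn, requests_per_second_capacity):
    """Alarm on DDoSAttackRequestsPerSecond for the RequestFlood attack vector.

    The threshold is the application's own request capacity (an assumed value),
    so the alarm reports traffic approaching the application's limits rather than
    every detected flood.
    """
    return {
        "AlarmName": _alarm_name("shield-request-flood", resource_arn),
        "Namespace": NAMESPACE,
        "MetricName": "DDoSAttackRequestsPerSecond",
        "Dimensions": [
            {"Name": "ResourceArn", "Value": resource_arn},
            {"Name": "AttackVector", "Value": "RequestFlood"},
        ],
        "Statistic": "Maximum",
        "Period": 60,
        "EvaluationPeriods": 2,  # two consecutive minutes above capacity
        "Threshold": requests_per_second_capacity,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
    }


def composite_alarm(resource_arn, sns_topic_arn, health_alarm_name):
    """Composite check: notify only when the request flood alarm AND an existing
    application health alarm (assumed to exist, name given by the caller) are both
    in ALARM, which filters out floods the application is absorbing without impact."""
    flood_name = _alarm_name("shield-request-flood", resource_arn)
    return {
        "AlarmName": _alarm_name("shield-request-flood-impact", resource_arn),
        "AlarmRule": f'ALARM("{flood_name}") AND ALARM("{health_alarm_name}")',
        "AlarmActions": [sns_topic_arn],
    }


def apply(resource_arn, sns_topic_arn, capacity, health_alarm_name, region="us-east-1"):
    """Create the three alarms. CloudFront, Route 53 and protection group metrics
    are reported in us-east-1; other resource types report in their own Region."""
    import boto3  # imported here so the builders stay usable without boto3
    cw = boto3.client("cloudwatch", region_name=region)
    cw.put_metric_alarm(**ddos_detected_alarm(resource_arn, sns_topic_arn))
    cw.put_metric_alarm(**request_flood_alarm(resource_arn, sns_topic_arn, capacity))
    cw.put_composite_alarm(**composite_alarm(resource_arn, sns_topic_arn, health_alarm_name))


if __name__ == "__main__":
    # Placeholder values; replace with your own resource ARN, topic and capacity.
    apply("arn:aws:cloudfront::123456789012:distribution/EXAMPLE",
          "arn:aws:sns:us-east-1:123456789012:shield-oncall",
          capacity=5000, health_alarm_name="app-health-5xx-rate")
```

The composite alarm is what turns the DDoSAttackRequestsPerSecond signal into a low-noise page: a flood that the application is serving without raising its own health alarm is logged by the metric alarm but does not notify.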
Detection metrics
Shield Advanced provides the metrics and dimensions in the AWS/DDoSProtection namespace.
Metric | Description |
---|---|
DDoSDetected | Indicates whether a DDoS event is underway for a particular Amazon Resource Name (ARN). This metric has a non-zero value during an event. |
DDoSAttackBitsPerSecond | The number of bits observed during a DDoS event for a particular Amazon Resource Name (ARN). This metric is available only for network and transport layer (layer 3 and layer 4) DDoS events. This metric has a non-zero value during an event. Units: Bits |
DDoSAttackPacketsPerSecond | The number of packets observed during a DDoS event for a particular Amazon Resource Name (ARN). This metric is available only for network and transport layer (layer 3 and layer 4) DDoS events. This metric has a non-zero value during an event. Units: Packets |
DDoSAttackRequestsPerSecond | The number of requests observed during a DDoS event for a particular Amazon Resource Name (ARN). This metric is available only for layer 7 DDoS events. The metric is reported only for the most significant layer 7 events. This metric has a non-zero value during an event. Units: Requests |
Shield Advanced posts the DDoSDetected metric with no other dimensions. The remaining detection metrics include the AttackVector dimension, whose value corresponds to the type of attack, from the following list:
- ACKFlood
- ChargenReflection
- DNSReflection
- GenericUDPReflection
- MemcachedReflection
- MSSQLReflection
- NetBIOSReflection
- NTPReflection
- PortMapper
- RequestFlood
- RIPReflection
- SNMPReflection
- SSDPReflection
- SYNFlood
- UDPFragment
- UDPTraffic
- UDPReflection
Mitigation metrics
Shield Advanced provides metrics and dimensions in the AWS/DDoSProtection namespace.
Metric | Description |
---|---|
VolumePacketsPerSecond | The number of packets per second that were dropped or passed by a mitigation that was deployed in response to a detected event. Units: packets |
Dimension | Description |
---|---|
ResourceArn | Amazon Resource Name (ARN) |
 | The outcome of an applied mitigation. Possible values are |
Top contributors metrics
Shield Advanced provides metrics in the AWS/DDoSProtection namespace.
Metric | Description |
---|---|
VolumePacketsPerSecond | The number of packets per second for a top contributor. Units: packets |
VolumeBitsPerSecond | The number of bits per second for a top contributor. Units: bits |
Shield Advanced posts top contributors metrics by dimension combinations that characterize the event contributors. You can use any of the following combinations of dimensions for any of the top contributors metrics:
- ResourceArn, Protocol
- ResourceArn, Protocol, SourcePort
- ResourceArn, Protocol, DestinationPort
- ResourceArn, Protocol, SourceIp
- ResourceArn, Protocol, SourceAsn
- ResourceArn, TcpFlags
Dimension | Description |
---|---|
ResourceArn | Amazon Resource Name (ARN). |
Protocol | IP protocol name, either |
SourcePort | Source TCP or UDP port. |
DestinationPort | Destination TCP or UDP port. |
SourceIp | Source IP address. |
SourceAsn | Source autonomous system number (ASN). |
TcpFlags | A combination of flags present in a TCP packet, separated by a dash ( |
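Because the contributor values (source IPs, ASNs, ports) are not known before an event, the top contributors metrics are most useful when enumerated with a metric math SEARCH over one of the dimension combinations listed above. The following is an added example, not code from the Shield Advanced documentation: it builds such a query for a chosen combination, merges paginated get_metric_data results, and ranks contributors by their peak value. The resource ARN, the sample results and the ASN values are constructed placeholders; boto3 is needed only for fetch().

```python
"""Rank the top contributors to a Shield Advanced event by dimension combination.

Added example, not AWS's own code. The query builder and the ranking are pure
functions; boto3 and credentials are needed only inside fetch().
"""
NAMESPACE = "AWS/DDoSProtection"

# The dimension combinations under which Shield Advanced publishes top
# contributors metrics (VolumePacketsPerSecond and VolumeBitsPerSecond).
CONTRIBUTOR_DIMENSIONS = {
    "protocol": ["ResourceArn", "Protocol"],
    "source_port": ["ResourceArn", "Protocol", "SourcePort"],
    "destination_port": ["ResourceArn", "Protocol", "DestinationPort"],
    "source_ip": ["ResourceArn", "Protocol", "SourceIp"],
    "source_asn": ["ResourceArn", "Protocol", "SourceAsn"],
    "tcp_flags": ["ResourceArn", "TcpFlags"],
}


def search_expression(resource_arn, combo, metric="VolumeBitsPerSecond", period=60):
    """CloudWatch metric math SEARCH that matches every metric published under
    one dimension combination for one resource. The schema in braces lists the
    namespace and the dimension names; the terms after it filter by value."""
    schema = ",".join([NAMESPACE] + CONTRIBUTOR_DIMENSIONS[combo])
    terms = f'ResourceArn="{resource_arn}" MetricName="{metric}"'
    return f"SEARCH('{{{schema}}} {terms}', 'Maximum', {period})"


def rank_contributors(results, top_n=5):
    """Return (label, peak value) pairs ordered by the highest observed value.

    results is a list of MetricDataResults entries as returned by get_metric_data.
    Paginated responses can repeat the same metric across pages, so peaks are
    merged by label; metrics with no data points in the window are skipped.
    """
    peaks = {}
    for r in results:
        values = r.get("Values") or []
        if values:
            peaks[r["Label"]] = max(peaks.get(r["Label"], 0), max(values))
    return sorted(peaks.items(), key=lambda p: p[1], reverse=True)[:top_n]


def fetch(resource_arn, combo, start, end, region="us-east-1"):
    """Run the search for a time window and rank the results (needs boto3)."""
    import boto3
    cw = boto3.client("cloudwatch", region_name=region)
    results = []
    for page in cw.get_paginator("get_metric_data").paginate(
        MetricDataQueries=[{"Id": "contributors",
                            "Expression": search_expression(resource_arn, combo)}],
        StartTime=start, EndTime=end,
    ):
        results.extend(page["MetricDataResults"])
    return rank_contributors(results)


# Constructed sample, in the shape of MetricDataResults, as if two pages of a
# source_asn search had been concatenated. ASNs are from the documentation range.
SAMPLE_RESULTS = [
    {"Id": "contributors", "Label": "UDP 64496", "Values": [1.2e9, 9.8e8], "Timestamps": []},
    {"Id": "contributors", "Label": "UDP 64497", "Values": [3.1e8], "Timestamps": []},
    {"Id": "contributors", "Label": "UDP 64498", "Values": [], "Timestamps": []},
    {"Id": "contributors", "Label": "UDP 64496", "Values": [1.5e9], "Timestamps": []},
]

if __name__ == "__main__":
    print(search_expression("arn:aws:cloudfront::123456789012:distribution/EXAMPLE", "source_asn"))
    for label, peak in rank_contributors(SAMPLE_RESULTS):
        print(f"{label}: {peak / 1e9:.2f} Gbit/s peak")
```

SEARCH expressions can be used in get_metric_data and dashboards but not in alarms, so this query belongs in an investigation or dashboard widget; the alarms themselves stay on the detection metrics. The label CloudWatch assigns to each matched metric is used as the contributor key, so the ranking works for any of the combinations without knowing the dimension values in advance.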