Amazon Shield Advanced metrics - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Shield Advanced metrics

Shield Advanced publishes Amazon CloudWatch detection, mitigation, and top contributor metrics for all resources that it protects. These metrics improve your ability to monitor your resources by making it possible to create and configure CloudWatch dashboards and alarms for them.

The Shield Advanced console presents summaries of many of the metrics that it records. For information, see Visibility into DDoS events with Shield Advanced.

If you enable automatic application layer DDoS mitigation for an application layer protection,

Metric reporting locations

Shield Advanced reports metrics in the US East (N. Virginia) Region, us-east-1 for the following:

For other resource types, Shield Advanced reports metrics in the resource's Region.

Timing of metric reporting

Shield Advanced reports metrics to Amazon CloudWatch on an Amazon resource more frequently during DDoS events than while no events are underway. Shield Advanced reports metrics once a minute during an event, and then once right after the event ends.

While no events are underway, Shield Advanced reports metrics once a day, at a time assigned to the resource. This periodic report keeps the metrics active and available for use in custom CloudWatch alarms and dashboards.

Alarm recommendations

We recommend that you create alarms to notify you of circumstances that require attention. As a starting point, you could create an alarm for each protected resource that reports when the DDoSDetected detection metric is non zero. A non-zero value in this metric doesn't necessarily imply that a DDoS attack is underway, but we recommend looking closer at the resource status when the metric is in this state.

For request floods, we recommend that you create alarms for composite checks that also consider factors such as application health and web request volume. You may choose to alarm on the other three metrics that report on the volume of traffic for various attack vector dimensions. By considering the capacity of your application and alarming when traffic is approaching your application limitations, you can create a set of rules that notify you as needed, without too much unwanted noise.

Detection metrics

Shield Advanced provides the metrics and dimensions in the AWS/DDoSProtection namespace.

Detection metrics
Metric Description
DDoSDetected Indicates whether a DDoS event is underway for a particular Amazon Resource Name (ARN).

This metric has a non-zero value during an event.

DDoSAttackBitsPerSecond The number of bits observed during a DDoS event for a particular Amazon Resource Name (ARN). This metric is available only for network and transport layer (layer 3 and layer 4) DDoS events.

This metric has a non-zero value during an event.

Units: Bits

DDoSAttackPacketsPerSecond The number of packets observed during a DDoS event for a particular Amazon Resource Name (ARN). This metric is available only for network and transport layer (layer 3 and layer 4) DDoS events.

This metric has a non-zero value during an event.

Units: Packets

DDoSAttackRequestsPerSecond The number of requests observed during a DDoS event for a particular Amazon Resource Name (ARN). This metric is available only for layer 7 DDoS events. The metric is reported only for the most significant layer 7 events.

This metric has a non-zero value during an event.

Units: Requests

Shield Advanced posts the DDoSDetected metric with no other dimensions. The remaining detection metrics include the AttackVector dimensions that correspond to the type of attack, from the following list:

  • ACKFlood

  • ChargenReflection

  • DNSReflection

  • GenericUDPReflection

  • MemcachedReflection

  • MSSQLReflection

  • NetBIOSReflection

  • NTPReflection

  • PortMapper

  • RequestFlood

  • RIPReflection

  • SNMPReflection

  • SSDPReflection

  • SYNFlood

  • UDPFragment

  • UDPTraffic

  • UDPReflection

Mitigation metrics

Shield Advanced provides metrics and dimensions in the AWS/DDoSProtection namespace.

Mitigation metrics
Metric Description
VolumePacketsPerSecond The number of packets per second that were dropped or passed by a mitigation that was deployed in response to a detected event.

Units: packets

Mitigation dimensions
Dimension Description

ResourceArn

Amazon Resource Name (ARN)

MitigationAction

The outcome of an applied mitigation. Possible values are Pass or Drop.

Top contributors metrics

Shield Advanced provides metrics in the AWS/DDoSProtection namespace.

Top contributors metrics
Metric Description
VolumePacketsPerSecond The number of packets per second for a top contributor.

Units: packets

VolumeBitsPerSecond The number of bits per second for a top contributor.

Units: bits

Shield Advanced posts top contributors metrics by dimension combinations that characterize the event contributors. You can use any of the following combinations of dimensions for any of the top contributors metrics:

  • ResourceArn, Protocol

  • ResourceArn, Protocol, SourcePort

  • ResourceArn, Protocol, DestinationPort

  • ResourceArn, Protocol, SourceIp

  • ResourceArn, Protocol, SourceAsn

  • ResourceArn, TcpFlags

Top contributors dimensions
Dimension Description

ResourceArn

Amazon Resource Name (ARN).

Protocol

IP protocol name, either TCP or UDP.

SourcePort

Source TCP or UDP port.

DestinationPort

Destination TCP or UDP port.

SourceIp

Source IP address.

SourceAsn

Source autonomous system number (ASN).

TcpFlags

A combination of flags present in a TCP packet, separated by a dash (-). Monitored flags are ACK, FIN, RST, SYN. This dimension value always appears sorted alphabetically. For example, ACK-FIN-RST-SYN, ACK-SYN, and FIN-RST.