[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[[["\u003cp\u003eGoogle Cloud Armor Enterprise provides DDoS attack visibility through Cloud Logging and Cloud Monitoring, allowing for detailed analysis of attacks and their sources.\u003c/p\u003e\n"],["\u003cp\u003eDDoS mitigation event logs in Cloud Logging include analyses of source IP addresses and geographies, and are categorized as mitigation started, ongoing, or ended.\u003c/p\u003e\n"],["\u003cp\u003eDDoS mitigation telemetry metrics, visible in Cloud Monitoring under the "Protected Network Endpoint" resource, include ingress bytes and packets, which can be filtered by project ID, location, virtual IP, and drop status.\u003c/p\u003e\n"],["\u003cp\u003eFor virtual IP addresses with low traffic volumes (less than 100,000 packets per second), a longer time window (e.g., 10 minutes) is recommended for viewing metrics in Cloud Monitoring to improve signal-to-noise ratio and overall accuracy.\u003c/p\u003e\n"]]],[],null,["# Access DDoS attack visibility telemetry\n\nGoogle Cloud Armor Enterprise lets you use Cloud Logging and Cloud Monitoring to\nanalyze DDoS attacks and their sources.\n\nGoogle Cloud Armor automatically detects and mitigates network layer (Layer 3)\nand transportation layer (Layer 4) attacks, performing the mitigation before\nenforcing security policies and evaluating only well-formed requests against\nyour security policy rules. Therefore, traffic dropped as a result of always-on\nDDoS protection does not appear in telemetry for security policies or backends.\n\nInstead, the Cloud Logging and Cloud Monitoring metrics for DDoS\nmitigation events are part of DDoS attack visibility, a feature available\nexclusively for\n[Google Cloud Armor Enterprise](/armor/docs/armor-enterprise-overview) subscribers.\nThe following sections explain how to use Logging and\nMonitoring to analyze DDoS attacks and their sources. DDoS attack\nvisibility is available for the following load balancer types:\n\n- Global external Application Load Balancer\n- Classic Application Load Balancer\n\nIf you use\n[cross-project service referencing](/load-balancing/docs/https#cross-project),\nyou can only view the telemetry and logging associated with DDoS attack\nvisibility under the host or service project that includes your load balancer's\nfrontend and URL map. You cannot view the telemetry and logging under the\nservice project that includes the backend services.\n\nIn order to ensure proper logging and reporting, Cloud Armor requires\naccess to the following logs. These must be stored in Cloud Logging, or routed\nto a [logging bucket](/logging/docs/buckets) which Cloud Armor can\naccess.\n\n- `networksecurity.googleapis.com/dos_attack`\n- `networksecurity.googleapis.com/network_dos_attack`\n- `networksecurity.googleapis.com/network_dos_attack_mitigations`\n\nCloud Logging attack mitigation event logs\n------------------------------------------\n\nCloud Armor generates three types of event log entries when mitigating\nDDoS attacks. The log formats include analyses of source IP addresses and\ngeographies when possible. The following sections provide examples of the log\nformat for each type of event log:\n\n### Mitigation started\n\n\u003cbr /\u003e\n\n```\n {\n \"id\": \"20220101_1235_mitigiation_1.2.3.4\",\n \"mitigationType\": \"MITIGATION_STARTED\",\n \"targetVip\": \"1.2.3.4\",\n \"totalVolume\": {\n \"pps\": \"1234000\",\n \"bps\": \"9876000000\"\n },\n \"started\": {\n \"totalAttackVolume\": {\n \"pps\": \"1000000\",\n \"bps\": \"9000000000\"\n },\n \"topSourceIp\": [\n {\n \"ipAddress\": \"1.2.3.4\",\n \"volume\": {\n \"pps\": \"10000\",\n \"bps\": \"2000000\"\n }\n },\n {\n \"ipAddress\": \"2.3.4.5\",\n \"volume\": {\n \"pps\": \"5000\",\n \"bps\": \"1000000\"\n }\n }\n ],\n \"topSourceGeo\": [\n {\n \"geo\": \"US\",\n \"volume\": {\n \"pps\": \"100000\",\n \"bps\": \"20000000\"\n }\n }\n ]\n }\n }\n \n```\n\n\u003cbr /\u003e\n\n### Mitigation ongoing\n\n\u003cbr /\u003e\n\n```\n {\n \"id\": \"20220101_1235_mitigiation_1.2.3.4\",\n \"mitigationType\": \"MITIGATION_ONGOING\",\n \"targetVip\": \"1.2.3.4\",\n \"totalVolume\": {\n \"pps\": \"1234000\",\n \"bps\": \"9876000000\"\n },\n \"ongoing\": {\n \"totalAttackVolume\": {\n \"pps\": \"1000000\",\n \"bps\": \"9000000000\"\n },\n \"topSourceIp\": [\n {\n \"ipAddress\": \"1.2.3.4\",\n \"volume\": {\n \"pps\": \"10000\",\n \"bps\": \"2000000\"\n }\n },\n {\n \"ipAddress\": \"2.3.4.5\",\n \"volume\": {\n \"pps\": \"5000\",\n \"bps\": \"1000000\"\n }\n }\n ],\n \"topSourceGeo\": [\n {\n \"geo\": \"US\",\n \"volume\": {\n \"pps\": \"100000\",\n \"bps\": \"20000000\"\n }\n }\n ]\n }\n }\n \n```\n\n\u003cbr /\u003e\n\n### Mitigation ended\n\n\u003cbr /\u003e\n\n```\n {\n \"id\": \"20220101_1235_mitigiation_1.2.3.4\",\n \"mitigationType\": \"MITIGATION_ENDED\",\n \"targetVip\": \"1.2.3.4\",\n \"totalVolume\": {\n \"pps\": \"2314000\",\n \"bps\": \"9768000000\"\n },\n \"ended\": {\n \"attackDurationSeconds\": 345\n }\n }\n \n```\n\n\u003cbr /\u003e\n\nIn the Google Cloud console, go to the Logs Explorer page and view the\n`ProtectedEndpoint` resource.\n| **Note:** The `topSourceIp` field might not be populated.\n\n[Go to Logs Explorer](https://console.cloud.google.com/logs/query;query=resource.type%3D%22networksecurity.googleapis.com%2FProtectedEndpoint%22)\n\nAlternatively, you can view the `network_dos_attack_mitigations` log name.\n\nCloud Monitoring metrics\n------------------------\n\nDDoS mitigation telemetry metrics are visible under the resource\n**Protected Network Endpoint** (`ProtectedEndpoint`), which is exclusive to\napplication-layer (Layer 7) virtual IP addresses that are enrolled in\nGoogle Cloud Armor Enterprise. The available metrics are as follows:\n\n- Ingress bytes (`/dos/ingress_bytes`)\n- Ingress packets (`/dos/ingress_packets`)\n\nYou can group and filter the preceding metrics based upon the\nfollowing labels:\n\nIn the Google Cloud console, go to the Metrics Explorer page.\n\n[Go to Metrics Explorer](https://console.cloud.google.com/monitoring/metrics-explorer)\n\n### Interpreting telemetry metrics for virtual IP addresses with low traffic volumes\n\nFor virtual IP addresses (VIPs) that receive fewer than 100,000 packets per\nsecond, we recommend that you use a longer time window to view metrics in\nCloud Monitoring. For example, where a higher-traffic VIP might use an\n`ALIGN_RATE` of one minute, we instead recommend an `ALIGN_RATE` of 10 minutes.\nUsing a longer time window helps reduce the volume of artifacts that result from\na poor signal-to-noise ratio.\n\nIn addition, some components of the rate at which Cloud Armor drops\ntraffic (the drop rate) are inferred by statistical means, and might be less\naccurate for low-traffic VIPs. This means that during a DDoS attack, the drop\nrate that Cloud Monitoring reports might be slightly lower than the true\ndrop rate. This reduces statistical artifacts that can lead to an overestimation\nof the volume of dropped traffic, especially for VIPs that receive a low volume\nof traffic and are not under attack."]]
