Access DDoS attack visibility telemetry

Google Cloud Armor Enterprise lets you use Cloud Logging and Cloud Monitoring to analyze DDoS attacks and their sources.

Google Cloud Armor automatically detects and mitigates network layer (Layer 3) and transport layer (Layer 4) attacks. It performs this mitigation before enforcing security policies, so only well-formed requests are evaluated against your security policy rules. Therefore, traffic dropped as a result of always-on DDoS protection does not appear in telemetry for security policies or backends.

Instead, the Cloud Logging and Cloud Monitoring metrics for DDoS mitigation events are part of DDoS attack visibility, a feature available exclusively for Google Cloud Armor Enterprise subscribers. The following sections explain how to use Logging and Monitoring to analyze DDoS attacks and their sources. DDoS attack visibility is available for the following load balancer types:

  • Global external Application Load Balancer
  • Classic Application Load Balancer

If you use cross-project service referencing, you can only view the telemetry and logging associated with DDoS attack visibility under the host or service project that includes your load balancer's frontend and URL map. You cannot view the telemetry and logging under the service project that includes the backend services.

Cloud Logging attack mitigation event logs

Google Cloud Armor generates three types of event log entries when mitigating DDoS attacks. The log formats include analyses of source IP addresses and geographies when possible. The following sections provide examples of the log format for each type of event log:

Mitigation started

   {
      "id": "20220101_1235_mitigiation_1.2.3.4",
      "mitigationType": "MITIGATION_STARTED",
      "targetVip": "1.2.3.4",
      "totalVolume": {
         "pps": "1234000",
         "bps": "9876000000"
      },
      "started": {
         "totalAttackVolume": {
            "pps": "1000000",
            "bps": "9000000000"
         },
         "topSourceIp": [
            {
               "ipAddress": "1.2.3.4",
               "volume": {
                  "pps": "10000",
                  "bps": "2000000"
               }
            },
            {
               "ipAddress": "2.3.4.5",
               "volume": {
                  "pps": "5000",
                  "bps": "1000000"
               }
            }
         ],
         "topSourceGeo": [
            {
               "geo": "US",
               "volume": {
                  "pps": "100000",
                  "bps": "20000000"
               }
            }
         ]
      }
   }


Mitigation ongoing

   {
      "id": "20220101_1235_mitigiation_1.2.3.4",
      "mitigationType": "MITIGATION_ONGOING",
      "targetVip": "1.2.3.4",
      "totalVolume": {
         "pps": "1234000",
         "bps": "9876000000"
      },
      "ongoing": {
         "totalAttackVolume": {
            "pps": "1000000",
            "bps": "9000000000"
         },
         "topSourceIp": [
            {
               "ipAddress": "1.2.3.4",
               "volume": {
                  "pps": "10000",
                  "bps": "2000000"
               }
            },
            {
               "ipAddress": "2.3.4.5",
               "volume": {
                  "pps": "5000",
                  "bps": "1000000"
               }
            }
         ],
         "topSourceGeo": [
            {
               "geo": "US",
               "volume": {
                  "pps": "100000",
                  "bps": "20000000"
               }
            }
         ]
      }
   }


Mitigation ended

   {
      "id": "20220101_1235_mitigiation_1.2.3.4",
      "mitigationType": "MITIGATION_ENDED",
      "targetVip": "1.2.3.4",
      "totalVolume": {
         "pps": "2314000",
         "bps": "9768000000"
      },
      "ended": {
         "attackDurationSeconds": 345
      }
   }
   

In the Google Cloud console, go to the Logs Explorer page and view the ProtectedEndpoint resource.

Alternatively, you can view the network_dos_attack_mitigations log name.
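For incident triage it helps to fold the started, ongoing and ended entries for one mitigation into a single record. The following Python is an added example, not Google's code or a Cloud Armor feature: it assumes only the three jsonPayload shapes shown above and that all entries for one attack share the same "id". The log lines are constructed to match those shapes (addresses from documentation ranges), and every function name is the author's own.

```python
"""Correlate the three DDoS mitigation event types into one summary per attack.

Added example, not Google's code. Assumes the jsonPayload shapes documented
above (MITIGATION_STARTED, MITIGATION_ONGOING, MITIGATION_ENDED) and that all
entries for one attack share the same "id". Sample lines are constructed.
"""
import json
from typing import Dict, List, Tuple

# mitigationType -> the payload key that carries that event's details
EVENT_DETAIL_KEY = {
    "MITIGATION_STARTED": "started",
    "MITIGATION_ONGOING": "ongoing",
    "MITIGATION_ENDED": "ended",
}

# Constructed jsonPayload lines, as they would be exported from the
# network_dos_attack_mitigations log (addresses from documentation ranges).
SAMPLE_LOG_LINES = [
    json.dumps({
        "id": "20220101_1235_mitigation_203.0.113.10",
        "mitigationType": "MITIGATION_STARTED", "targetVip": "203.0.113.10",
        "totalVolume": {"pps": "1234000", "bps": "9876000000"},
        "started": {
            "totalAttackVolume": {"pps": "1000000", "bps": "9000000000"},
            "topSourceIp": [
                {"ipAddress": "198.51.100.7", "volume": {"pps": "10000", "bps": "2000000"}},
                {"ipAddress": "198.51.100.9", "volume": {"pps": "5000", "bps": "1000000"}}],
            "topSourceGeo": [{"geo": "US", "volume": {"pps": "100000", "bps": "20000000"}}]}}),
    json.dumps({
        "id": "20220101_1235_mitigation_203.0.113.10",
        "mitigationType": "MITIGATION_ONGOING", "targetVip": "203.0.113.10",
        "totalVolume": {"pps": "1800000", "bps": "12000000000"},
        "ongoing": {
            "totalAttackVolume": {"pps": "1500000", "bps": "11000000000"},
            "topSourceIp": [
                {"ipAddress": "198.51.100.7", "volume": {"pps": "12000", "bps": "2400000"}},
                {"ipAddress": "198.51.100.22", "volume": {"pps": "8000", "bps": "1600000"}}],
            "topSourceGeo": [{"geo": "US", "volume": {"pps": "100000", "bps": "20000000"}},
                             {"geo": "DE", "volume": {"pps": "40000", "bps": "8000000"}}]}}),
    json.dumps({
        "id": "20220101_1235_mitigation_203.0.113.10",
        "mitigationType": "MITIGATION_ENDED", "targetVip": "203.0.113.10",
        "totalVolume": {"pps": "2314000", "bps": "9768000000"},
        "ended": {"attackDurationSeconds": 345}}),
]

def _pps(volume: dict) -> int:
    """The log serializes pps/bps as strings; normalize to int before comparing."""
    return int(volume["pps"])

def parse_entry(line: str) -> dict:
    """Parse one payload line and reject anything that is not a mitigation event."""
    entry = json.loads(line)
    kind = entry.get("mitigationType")
    if kind not in EVENT_DETAIL_KEY:
        raise ValueError(f"not a DDoS mitigation event: {kind!r}")
    if EVENT_DETAIL_KEY[kind] not in entry:
        raise ValueError(f"{kind} entry lacks its {EVENT_DETAIL_KEY[kind]!r} block")
    return entry

def summarize_attacks(lines: List[str]) -> Dict[str, dict]:
    """Fold started/ongoing/ended entries into one summary per mitigation id."""
    summaries: Dict[str, dict] = {}
    for line in lines:
        entry = parse_entry(line)
        s = summaries.setdefault(entry["id"], {
            "vip": entry["targetVip"],
            "status": "ongoing",          # flips to "ended" on MITIGATION_ENDED
            "duration_seconds": None,     # only the ENDED event carries this
            "peak_total_pps": 0,          # all ingress to the VIP, attack included
            "peak_attack_pps": 0,         # attack component at its highest report
            "peak_attack_share": 0.0,     # attack pps / total pps at that report
            "source_ips": {},             # ip -> highest pps reported for it
            "source_geos": {},            # geo -> highest pps reported for it
        })
        total_pps = _pps(entry["totalVolume"])
        s["peak_total_pps"] = max(s["peak_total_pps"], total_pps)
        detail = entry[EVENT_DETAIL_KEY[entry["mitigationType"]]]
        if entry["mitigationType"] == "MITIGATION_ENDED":
            s["status"] = "ended"
            s["duration_seconds"] = int(detail["attackDurationSeconds"])
            continue
        attack_pps = _pps(detail["totalAttackVolume"])
        if attack_pps > s["peak_attack_pps"]:
            s["peak_attack_pps"] = attack_pps
            s["peak_attack_share"] = attack_pps / total_pps if total_pps else 0.0
        for src in detail.get("topSourceIp", []):
            key = src["ipAddress"]
            s["source_ips"][key] = max(s["source_ips"].get(key, 0), _pps(src["volume"]))
        for src in detail.get("topSourceGeo", []):
            key = src["geo"]
            s["source_geos"][key] = max(s["source_geos"].get(key, 0), _pps(src["volume"]))
    return summaries

def top_sources(summary: dict, n: int = 3) -> List[Tuple[str, int]]:
    """Highest-volume source IPs for one attack, as (ip, pps) pairs, busiest first."""
    return sorted(summary["source_ips"].items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    for attack_id, s in summarize_attacks(SAMPLE_LOG_LINES).items():
        print(f"{attack_id}: vip={s['vip']} {s['status']} duration={s['duration_seconds']}s "
              f"peak attack={s['peak_attack_pps']} pps ({s['peak_attack_share']:.0%} of ingress) "
              f"top sources={top_sources(s)}")
```

Because the ENDED event carries only the duration, the peak figures and source lists come from the STARTED and ONGOING reports; an attack that is still in progress shows status "ongoing" and no duration, which is the state an on-call responder will usually see first.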

Cloud Monitoring metrics

DDoS mitigation telemetry metrics are visible under the resource Protected Network Endpoint (ProtectedEndpoint), which is exclusive to application-layer (Layer 7) virtual IP addresses that are enrolled in Google Cloud Armor Enterprise. The available metrics are as follows:

  • Ingress bytes (/dos/ingress_bytes)
  • Ingress packets (/dos/ingress_packets)

You can group and filter the preceding metrics based upon the following labels:

Label         Value
project_id    The ID of your project that is enrolled in Cloud Armor Enterprise.
location      The location of your protected endpoint.
vip           The virtual IP address of the protected endpoint.
drop_status   Possible values:
                • processed: Traffic was not denied by Google Cloud Armor always-on DDoS protection, meaning that it was evaluated against your security policies.
                • blocked: Traffic was denied by Google Cloud Armor always-on DDoS protection and dropped before being evaluated against your security policies.

In the Google Cloud console, go to the Metrics Explorer page.

Interpreting telemetry metrics for virtual IP addresses with low traffic volumes

For virtual IP addresses (VIPs) that receive fewer than 100,000 packets per second, we recommend that you use a longer time window to view metrics in Cloud Monitoring. For example, where a higher-traffic VIP might use an ALIGN_RATE of one minute, we instead recommend an ALIGN_RATE of 10 minutes. Using a longer time window helps reduce the volume of artifacts that result from a poor signal-to-noise ratio.

In addition, some components of the rate at which Google Cloud Armor drops traffic (the drop rate) are inferred by statistical means and might be less accurate for low-traffic VIPs. As a result, during a DDoS attack the drop rate that Cloud Monitoring reports might be slightly lower than the true drop rate. This conservative bias reduces statistical artifacts that would otherwise overestimate the volume of dropped traffic, especially for VIPs that receive a low volume of traffic and are not under attack.
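The following Python is an added example, not Google's code or tooling, of what the alignment guidance above means in practice. It models the /dos/ingress_packets metric as one delta count per minute per drop_status label (processed, blocked), implements ALIGN_RATE as "sum the counts in each window, divide by the window length in seconds", picks the 10-minute window when the VIP's typical ingress is below 100,000 packets per second, and reports the share of ingress dropped before policy evaluation. The sample series is constructed; the metric and resource type names in the filter helper are assumptions to verify against your project's metric list; all function names are the author's.

```python
"""Pick an ALIGN_RATE window for a protected VIP and compute its blocked share.

Added example, not Google's code. Samples are modelled as (minute, drop_status,
packets) delta counts, which is the pre-alignment shape of the metric. The
series below is constructed; metric/resource type names are assumptions.
"""
import statistics
from typing import Dict, List, Tuple

LOW_TRAFFIC_PPS = 100_000          # threshold stated above for low-traffic VIPs
DEFAULT_ALIGN_MINUTES = 1          # typical window for a busy VIP
LOW_TRAFFIC_ALIGN_MINUTES = 10     # recommended window below the threshold

Sample = Tuple[int, str, int]      # (minute index, drop_status, packets in that minute)

def ingress_packets_filter(vip: str, drop_status: str) -> str:
    """Metrics Explorer / API filter. Metric and resource types are ASSUMED names;
    confirm them in your project's metric list before relying on them."""
    return (
        'metric.type="networksecurity.googleapis.com/dos/ingress_packets" '
        'resource.type="networksecurity.googleapis.com/ProtectedEndpoint" '
        f'resource.label.vip="{vip}" metric.label.drop_status="{drop_status}"'
    )

def constructed_samples() -> List[Sample]:
    """Thirty minutes of a ~22k pps VIP with a ten-minute flood absorbed by always-on protection."""
    samples: List[Sample] = []
    for minute in range(30):
        processed = 20_000 * 60 + (minute % 3) * 2_000 * 60   # 20k/22k/24k pps, deterministic jitter
        blocked = 150_000 * 60 if 10 <= minute < 20 else 0    # flood packets never reach the policy
        samples.append((minute, "processed", processed))
        samples.append((minute, "blocked", blocked))
    return samples

def align_rate(samples: List[Sample], window_minutes: int) -> Dict[str, List[float]]:
    """Mimic ALIGN_RATE: sum delta counts per window, divide by the window length in seconds."""
    last_minute = max(m for m, _, _ in samples)
    n_windows = last_minute // window_minutes + 1
    totals: Dict[str, List[int]] = {}
    for minute, status, packets in samples:
        totals.setdefault(status, [0] * n_windows)[minute // window_minutes] += packets
    seconds = window_minutes * 60
    return {status: [c / seconds for c in counts] for status, counts in totals.items()}

def blocked_share(rates: Dict[str, List[float]]) -> List[float]:
    """Fraction of ingress packets dropped before policy evaluation, per window."""
    shares = []
    for processed, blocked in zip(rates["processed"], rates["blocked"]):
        total = processed + blocked
        shares.append(blocked / total if total else 0.0)
    return shares

def recommended_alignment_minutes(samples: List[Sample]) -> int:
    """Classify the VIP by its median per-minute ingress pps, so a burst does not reclassify it."""
    per_minute: Dict[int, int] = {}
    for minute, _, packets in samples:
        per_minute[minute] = per_minute.get(minute, 0) + packets
    typical_pps = statistics.median(v / 60 for v in per_minute.values())
    return LOW_TRAFFIC_ALIGN_MINUTES if typical_pps < LOW_TRAFFIC_PPS else DEFAULT_ALIGN_MINUTES

if __name__ == "__main__":
    samples = constructed_samples()
    window = recommended_alignment_minutes(samples)
    rates = align_rate(samples, window)
    print(ingress_packets_filter("203.0.113.10", "blocked"))
    for i, share in enumerate(blocked_share(rates)):
        print(f"window {i} ({window} min): processed={rates['processed'][i]:.0f} pps "
              f"blocked={rates['blocked'][i]:.0f} pps blocked_share={share:.1%}")
```

Running the same series through align_rate with a 1-minute window shows the per-minute jitter the 10-minute window averages out; on real low-traffic VIPs that jitter, plus the statistically inferred drop component described above, is what produces the artifacts the longer window is meant to suppress.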