We want to detect if a VM in our IaaS infra is under DDOS attack or not.
And We have several symptoms and metrics like: node_nf_conntrack_entries, node_network_receive_packets_total and also libvirt_domain_interface_stats_receive_packets_total
We do not want to have a false positive by setting a trigger point. Traffic > n then alert!
rate(libvirt_domain_interface_stats_receive_packets_total{host="x"}[5m])
rate(node_network_receive_packets_total{instance="y1"}[5m])
sum(node_nf_conntrack_entries_limit - node_nf_conntrack_entries) by (instance) < 1000
No comments:
Post a Comment