This page describes what to do in case of an Icinga alert. For more information, search the govuk-puppet repo for the source of the alert.

Icinga alerts

DDOS Detected

If there is a Distributed Denial of Service (DDoS) alert in Icinga, this means that AWS have detected a probable DDoS attack on one or more of the resources protected by AWS Shield Advanced.

If the alert is UNKNOWN, this means that the alert is not working properly.

If the alert is CRITICAL, you should take the following actions to investigate the issue:

  1. Check the CloudWatch dashboard. This should show the rate of DDoS requests, data throughput and packets which Amazon is detecting.
    • The dashboard might not display any graphs at all if no DDoS activity has been detected recently. This is a known issue and there is a support ticket open with Amazon about it. If the DDoSDetected alert is firing and the graphs are still not displayed, contact AWS support.
  2. If the attack is ongoing, contact AWS support: https://console.aws.amazon.com/support/home
  3. Inform them that the DDOSDetected alarm has been triggered.
  4. Enquire about the nature of the attack.
  5. Follow their instructions (if any).

Because the metrics are sparse, the alert will remain on the Icinga dashboard for 24 hours after it was first triggered.
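
When the dashboard shows no graphs, the same metric can be read from the CloudWatch API to judge whether the attack is ongoing (step 2). The following is an added example, not part of this runbook or of govuk-puppet: it assumes the `DDoSDetected` metric in the `AWS/DDoSProtection` namespace was fetched with the `Sum` statistic, and the sample response, the 15-minute freshness window and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, in the shape printed by:
#   aws cloudwatch get-metric-statistics --namespace AWS/DDoSProtection \
#     --metric-name DDoSDetected --statistics Sum --period 60 \
#     --dimensions Name=ResourceArn,Value=<protected-resource-arn> \
#     --start-time <start> --end-time <end>
# CloudWatch does not return datapoints in time order.
SAMPLE = json.loads("""
{"Label": "DDoSDetected", "Datapoints": [
  {"Timestamp": "2019-11-14T10:03:00Z", "Sum": 1.0, "Unit": "None"},
  {"Timestamp": "2019-11-14T10:01:00Z", "Sum": 0.0, "Unit": "None"},
  {"Timestamp": "2019-11-14T10:04:00Z", "Sum": 1.0, "Unit": "None"},
  {"Timestamp": "2019-11-14T10:02:00Z", "Sum": 1.0, "Unit": "None"}
]}
""")


def parse_ts(text):
    # Accept both "Z" and "+00:00" UTC suffixes.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def assess(response, now, recent=timedelta(minutes=15)):
    """Classify DDoSDetected datapoints (assumed: non-zero means an event)."""
    points = sorted((parse_ts(p["Timestamp"]), p["Sum"])
                    for p in response.get("Datapoints", []))
    hits = [t for t, v in points if v > 0]
    result = {"first_seen": hits[0] if hits else None,
              "last_seen": hits[-1] if hits else None}
    if not points:
        # Sparse metric: an empty window proves nothing either way.
        result["state"] = "NO_DATA"
    elif not hits:
        result["state"] = "CLEAR"
    elif points[-1][1] > 0 and now - hits[-1] <= recent:
        # Newest datapoint is still non-zero and fresh: treat as ongoing.
        result["state"] = "ONGOING"
    else:
        result["state"] = "PAST"
    return result


if __name__ == "__main__":
    now = datetime(2019, 11, 14, 10, 6, tzinfo=timezone.utc)
    print(assess(SAMPLE, now))
```

A `NO_DATA` result with the alert still firing matches the empty-dashboard case in step 1, where the next action is to contact AWS support.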

This page was last reviewed on 14 November 2019. It needs to be reviewed again on 14 May 2020 by the page owner #govuk-2ndline.