This page describes what to do in case of an Icinga alert. For more information, search the govuk-puppet repo for the source of the alert.
Warning: This document has not been updated for a while now. It may be out of date.
Last updated: 17 Sep 2020

DDOS Detected

If there is a Distributed Denial of Service (DDoS) alert in Icinga, this means that AWS has detected a probable DDoS attack on one or more of the resources protected by AWS Shield Advanced.

If the alert is UNKNOWN, this means that the alert is not working properly.

If the alert is CRITICAL, you should take the following actions to investigate the issue:

  1. Check the CloudWatch dashboard. This should show the rate of DDoS requests, data throughput and packets which Amazon is detecting.
    • The dashboard might not display any graphs at all if no DDoS activity has been detected recently. This is a known issue and there is a support ticket open with Amazon about it. If the DDoSDetected alert is firing and the graphs are still not displayed, contact AWS support.
  2. If the attack is ongoing, contact AWS support:
    • Inform them that the DDoSDetected alarm has been triggered.
    • Enquire about the nature of the attack.
    • Follow their instructions (if any).

Because the metrics are sparse, the alert will appear on the Icinga dashboard for 24 hours after it was first triggered.
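
One way to tell an ongoing attack from an alert that is still showing inside its 24-hour window is to look at when Shield Advanced last reported a detection. The Python below is an added example, not code from govuk-puppet or this runbook. It assumes the `DDoSDetected` metric in the `AWS/DDoSProtection` CloudWatch namespace, a 15-minute gap as the cut-off for "ongoing", and constructed sample datapoints; the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Assumption: detections more than GAP apart are separate attacks, and an
# attack is "ongoing" if its last detection is within GAP of now.
GAP = timedelta(minutes=15)

def episodes(datapoints, gap=GAP):
    """Group non-zero DDoSDetected datapoints into (start, end) episodes.

    Datapoints use the CloudWatch GetMetricStatistics shape. The API does not
    return them in time order, so sort first. Because the metric is sparse,
    quiet periods usually have no datapoints at all.
    """
    hits = sorted(dp["Timestamp"] for dp in datapoints if dp.get("Maximum", 0) > 0)
    out = []
    for ts in hits:
        if out and ts - out[-1][1] <= gap:
            out[-1][1] = ts       # extend the current episode
        else:
            out.append([ts, ts])  # start a new episode
    return [tuple(e) for e in out]

def triage(datapoints, now, gap=GAP):
    """Return 'no-detection', 'ongoing' or 'ended' for the latest episode."""
    eps = episodes(datapoints, gap)
    if not eps:
        return "no-detection"
    return "ongoing" if now - eps[-1][1] <= gap else "ended"

def fetch_detected(resource_arn, now, hours=24):
    """Fetch the last `hours` of DDoSDetected for one protected resource."""
    import boto3  # lazy import so the functions above run offline
    resp = boto3.client("cloudwatch").get_metric_statistics(
        Namespace="AWS/DDoSProtection", MetricName="DDoSDetected",
        Dimensions=[{"Name": "ResourceArn", "Value": resource_arn}],
        StartTime=now - timedelta(hours=hours), EndTime=now,
        Period=300, Statistics=["Maximum"])
    return resp["Datapoints"]

# Constructed sample: an old episode, a recent detection, one zero value, unsorted.
NOW = datetime(2020, 9, 17, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"Timestamp": NOW - timedelta(minutes=5), "Maximum": 1.0},
    {"Timestamp": NOW - timedelta(hours=20), "Maximum": 1.0},
    {"Timestamp": NOW - timedelta(hours=19, minutes=55), "Maximum": 1.0},
    {"Timestamp": NOW - timedelta(hours=3), "Maximum": 0.0},
]

if __name__ == "__main__":
    print(episodes(SAMPLE), triage(SAMPLE, NOW))
```

A result of `ended` means the last detection is older than the gap, which is the case where the alert is still displayed but there may be no active attack to report to AWS support.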