From 04812c0e18bf4c15240a39d31dac16c692a90ff2 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Wed, 14 Aug 2024 11:30:33 +0100
Subject: [PATCH] Add an alert for suspected DDoS

---
 .../templates/rules/alerts_ddos.yml              | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 roles/ai3-prometheus/templates/rules/alerts_ddos.yml

diff --git a/roles/ai3-prometheus/templates/rules/alerts_ddos.yml b/roles/ai3-prometheus/templates/rules/alerts_ddos.yml
new file mode 100644
index 00000000..264fe543
--- /dev/null
+++ b/roles/ai3-prometheus/templates/rules/alerts_ddos.yml
@@ -0,0 +1,16 @@
+groups:
+- name: roles/ai3-prometheus/templates/rules/alerts_ddos.conf
+  rules:
+
+  - alert: DDoS
+    expr: sum((sum(instance:node_network_packets_total:rate5m{device=~"en.*"}) by (host)) * on (host) role{role="frontend"}) > 100000
+    for: 5m
+    labels:
+      scope: global
+      service: nginx
+      severity: page
+    annotations:
+      summary: 'Suspected incoming DDoS'
+      description: 'High network packet count on public frontends'
+      runbook: '[[ alert_runbook_fmt | format("DDoS") ]]'
+
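Review bot: The outer `sum(...)` in `expr` folds every frontend into one series before the `> 100000` comparison, so the threshold silently moves with the number of frontends and the resulting page carries no `host` label to tell the responder which machine is being hit. The `device=~"en.*"` matcher is fully anchored, so interfaces named like `eth0` or `bond0` would contribute nothing; if any frontend uses such names the alert undercounts, and the matcher should be widened, e.g. `device=~"(en|eth).*"`. The recording rule's name does not show whether it counts received packets only, so an alert described as "incoming" may also trip on heavy outbound traffic; this is worth confirming against the rule's definition. I would also add a comment above the rule stating the unit and basis of the threshold, e.g. `# 100k packets/s summed over all frontends (5m rate); re-tune when the frontend pool changes`.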
-- 
GitLab