Background
Before delving into the technical intricacies of Distributed Denial of Service (DDoS) attacks, allow me to provide a contextual background and outline my approach to this subject. In a recent discussion, I conversed with an acquaintance who serves as an application architect regarding the implications of DDoS attacks on public-facing applications and the available cloud-based services that can effectively safeguard against such attacks.
Distributed Denial of Service (DDoS) attacks are among the most common cyber threats organisations face today. These attacks can cripple a company’s online presence, causing significant financial and reputational damage. As more businesses move their operations to the cloud, ensuring that effective DDoS protection measures are in place becomes increasingly important.
What are DDOS attacks?
A DDoS attack floods a server or website with fake traffic using a network of computers controlled by the attacker. This overwhelms the system and prevents legitimate users from accessing it. It is imperative to acknowledge that any public-facing applications that receive traffic from the internet are susceptible to Distributed Denial of Service (DDoS) attacks, which can cause significant availability issues for the applications. The implications of such an attack can result in a considerable loss of the organisation’s data, revenue, and reputation. Any publicly accessible internet endpoint can be targeted for DDOS attacks.
What is Azure DDOS Protection?
The Azure platform provides a range of security features to help protect against DDoS attacks. These features include Azure DDoS Protection, a managed service that protects against attacks. The service is designed to automatically detect and mitigate DDoS attacks in real time, ensuring that your applications and services remain available to users.
Microsoft’s Azure DDoS Protection team safeguards all Microsoft properties and the entire Azure infrastructure. They aim to defend all internet-facing workloads in Azure against all known DDoS attacks at every network stack level. Azure DDoS Protection is a service that safeguards resources in a virtual network, including public IP addresses associated with virtual machines, load balancers, and application gateways.
When combined with the Application Gateway web application firewall or a third-party web application firewall deployed in a virtual network with a public IP, Azure DDoS Protection can deliver comprehensive layer 3 to layer 7 mitigation capability. Following application design best practices and utilising Azure DDoS Protection, you can effectively enhance the DDoS mitigation features and protect your network against DDoS attacks.
The Azure DDoS Protection can mitigate the following types of DDOS attacks:
- Volumetric – DDoS Protection stops large-scale network attacks. Azure DDoS Protection filters out UDP, amplification, and other spoofed-packet floods with Azure’s global network scale.
- Protocol – DDoS attacks exploit layer 3 and 4 protocol vulnerabilities, rendering a target unreachable. Examples include SYN flood and reflection attacks. Azure DDoS Protection filters malicious traffic by interacting with the client to identify legitimate requests.
- Resource (application) layer: Web application attacks aim to interrupt data transmission by targeting web application packets. These include HTTP violations, SQL injection, cross-site scripting, and other layer 7 attacks. Use a Web Application Firewall, Azure Application Gateway, and DDoS Protection for defense.
Azure DDOS Protection service offerings
Azure DDOS Infrastructure Protection:
- Azure DDoS Protection Basic was formally renamed Azure DDoS Infrastructure Protection.
- The plan is free and active by default. This helps when the attack is detected and mitigated.
- Azure offers continuous protection against Distributed Denial of Service (DDoS) attacks. This protection service does not store any customer data. Azure DDoS Infrastructure Protection also safeguards all Azure services that use public IPv4 and IPv6 addresses without extra cost.
- This protection service helps protect all Azure services, including Platform as a Service (PaaS) services like Azure DNS. The best part is that DDoS Infrastructure Protection does not require user configuration or application changes.
Azure DDOS Network Protection:
- Azure DDoS Network Protection, formerly Azure DDoS Protection Standard, was introduced. This service is designed to offer more control and visibility over DDoS defense for individual customer workloads.
- DDoS Network Protection offers advanced mitigation features that automatically adapt to protect your Azure resources within a virtual network.
- The following are the highlights of this offering:
- It protects 100 public IP resources and intelligent traffic profiling.
- It provides native integration into the Azure portal for setup and deployment.
- DDoS Network Protection secures all resources on a virtual network automatically.
- It monitors your network traffic for DDoS attacks and automatically mitigates them when detected.
- This offers multilayered protection for networks. It secures layers 3 and 4 at the network layer and includes Azure Web Application Firewall for layer 7 protection. DDoS Protection safeguards their network interfaces, making it a defense-in-depth protection strategy.
- During an attack, it provides detailed reports every five minutes and a summary report once the attack is over.
- It supports integrating mitigation logs with Microsoft Defender for Cloud, Microsoft Sentinel, or an offline security information and event management (SIEM) system for near real-time monitoring during an attack.
- Azure Monitor collects monitoring data from DDoS Network Protection to provide access to summarised attack metrics.
Azure DDOS IP Protection:
- DDoS IP Protection contains the same core engineering features as DDoS Network Protection but will differ in the following value-added services:
- DoS rapid response support
- Cost protection
- Discounts on WAF.
How does it work?
The Azure DDoS protection mechanism monitors network traffic. It compares it to the pre-determined thresholds set forth within the DDoS policy. “When the network traffic exceeds a pre-defined threshold, the system will automatically initiate DDoS mitigation to prevent potential attacks. During mitigation, the DDoS protection service re-routes packets directed to a safeguarded resource. The traffic is then scrutinised to ensure that the packets meet internet specifications and aren’t malformed. If the IP traffic is valid, it is forwarded to the intended service. DDoS protection applies three auto-tuned mitigation policies for each public IP address connected with a safeguarded resource: TCP SYN, TCP, and UDP. Mitigation stops if traffic falls below the threshold, except for App Service environments.
Refer to the diagram below to visualise the data flow through DDoS protection.
When protecting against DDoS attacks, it’s good to know that you can use a single DDoS protection plan across multiple subscriptions under one tenant. That means there’s no need to create multiple plans. Additionally, there’s no need to create a DDoS protection plan specifically for DDoS IP Protection. Instead, customers can enable DDoS IP protection on any public IP resource.
Enabling Network Protection at the virtual network (VNet) level automatically protects all resource types within the virtual network.
Pricing for DDOS Protection:
The Azure DDOS Network Protection comes with a fixed monthly charge covering 100 public IP resources. However, a monthly charge per resource will apply if you require protection for additional public IP resources. It’s important to note that a single Azure DDoS Protection plan can be used across multiple subscriptions in a tenant. The network protection fixed cost is USD 3K annually, billed monthly. For public IPs above 100, there is a monthly charge of USD 29.5 per resource.
Final thoughts:
In this age of digitalisation, the world is advancing towards new frontiers with the expansion of 5G and IoT. As a result, more businesses are adopting online strategies, leading to an increased online global footprint. Unfortunately, this also means that the threat of cyberattacks will continue to grow. Therefore, organisations must implement robust security measures to prevent and mitigate DDoS attacks. These measures include traffic filtering, rate limiting, and using content distribution networks (CDNs) to distribute traffic across multiple servers. Moreover, organisations should also have a comprehensive incident response plan to minimise the impact of a DDoS attack and prevent further damage.
To learn more about Azure DDOS protection, read the Microsoft article
Santhosh has over 15 years of experience in the IT organization. Working as a Cloud Infrastructure Architect and has a wide range of expertise in Microsoft technologies, with a specialization in public & private cloud services for enterprise customers. My varied background includes work in cloud computing, virtualization, storage, networks, automation and DevOps.