Distributed Denial of Service is a large-scale DoS attack, where more than a single unique IP address is used, often from thousands of hosts infected with malware. Yet another reason that Internet connected bread toasters are a bad idea!
Azure DDoS protection, added to good application design, provide a defense against these types of attacks. There are 2 tiers of DDoS protection:
- Basic: This service is automatically enabled as part of the Azure platform. It provides always-on monitoring, and real-time mitigation of common network-level attacks.
- Standard: The standard tear provides additional mitigation capabilities over the basic tier. These capabilities are tuned specifically to the Azure Virtual network resources.
So what does Standard protect against?
The standard tier of DDoS protection is going to protect any resource in a VNet. Complementing it with application gateway, firewalls, you’re getting a full layer 3 to layer 7 mitigation of DDoS Attacks.
Volumetric attacks: Flooding the network layer with masses of, what looks like, legitimate traffic. This could be UDP floods, amplification floors, or any other spoofed-packet floods. This kind of attack is absorbed and scrubbed automatically.
Protocol attacks: Rendering a target inaccessible by exploiting weaknesses in the layer 3 and 4 stack.These could be reflection attacks, SYN floods, or others. THese kind of attacks will also be mitigated, this time by differentiating between malicious and legitimate traffic, by interacting with the client.
Resource or application layer attacks: Targetting web application packets, malicious personal will try to disrupt the transmission of data between hosts. Thes could be HTTP protocol violations, SQL injection, cross-site scripting or others. It’s best to combine DDoS protection with the Web application firewall to defend against these attacks.
- Native platform integration: Natively integrated into Azure. Includes configuration through the Azure portal. DDoS Protection Standard understands your resources and resource configuration.
- Turn-key protection: Simplified configuration immediately protects all resources on a virtual network as soon as DDoS Protection Standard is enabled. No intervention or user definition is required. DDoS Protection Standard instantly and automatically mitigates the attack, once it is detected.
- Always-on traffic monitoring: Your application traffic patterns are monitored 24 hour a day, 7 days a week, looking for indicators of DDoS attacks. Mitigation is performed when protection policies are exceeded.
- Adaptive tuning: Intelligent traffic profiling learns your application’s traffic over time, and selects and updates the profile that is the most suitable for your service. The profile adjusts as traffic changes over time.
- Multi-Layered protection: Provides full stack DDoS protection, when used with a web application firewall.
- Extensive mitigation scale: Over 60 different attack types can be mitigated, with global capacity, to protect against the largest known DDoS attacks.
- Attack analytics: Get detailed reports in five-minute increments during an attack, and a complete summary after the attack ends. Stream mitigation flow logs to an offline security information and event management (SIEM) system for near real-time monitoring during an attack.
- Attack metrics: Summarized metrics from each attack are accessible through Azure Monitor.
- Attack alerting: Alerts can be configured at the start and stop of an attack, and over the attack’s duration, using built-in attack metrics. Alerts integrate into your operational software like Microsoft Azure Monitor logs, Splunk, Azure Storage, Email, and the Azure portal.
- Cost guarantee: Data-transfer and application scale-out service credits for documented DDoS attacks.
How do I know it works?
Microsoft actually partnered with BreakingPoint Cloud to allow you to test the DDoS protection enabled public IP address by simultation an attack. You’ll be able to validation the protection that is inplace, optimize your incident respoince process, document DDoS compliance and even train your network security teams!