Andrés Fernando Espinosa Parra - Cloud Center of Excellence
The primary goal of any service or application is to listen to requests and provide information to clients promptly. If the requested information isn’t provided or takes too long, clients may complain or switch to a different provider. This can result in a loss of reputation for the application or even the company.
What is DDoS?
A distributed denial of service (DDoS) attack disrupts the normal behavior of an application by flooding it with traffic that crowds out the normal traffic from authorized users. The service can no longer respond to normal users within the expected time frame, so it becomes unavailable to legitimate users.
Multiple malicious agents (bots) make requests to the service and saturate the service with malicious traffic.
Common types of DDoS attacks
Application layer attack
An application layer attack, also known as a Layer 7 attack, aims to flood or exhaust the server's resources, preventing it from responding to legitimate requests. An example of this type of attack is targeting the DNS service to make it unable to respond to DNS queries.
Protocol attack
A protocol attack occurs at Layers 3 and 4 and exploits weaknesses in the protocol stack (internet protocols). These attacks alter the way the protocol functions but are complex to execute and slow to propagate. An example of this attack is the ping of death (PoD) attack, where the malicious user sends packets larger than the maximum allowable size, causing the target machine to crash. This type of attack has been mitigated in most operating systems.
Volumetric attack
A volumetric attack can occur at Layers 3, 4, or 7 and involves using a massive amount of traffic (measured in gigabits or even terabits per second) generated by bots or hijacked computers. The aim is to overwhelm the target machine's capacity to absorb the traffic, effectively rendering it unable to function.
Examples of this type of attack are TCP and UDP flood attacks.
Detection
It's crucial to understand the state of your systems: Are they healthy? Do they respond within the allowed time frame? To ensure this, you need a robust monitoring strategy to identify potential issues before they become unmanageable.
Implementing various alerts within Azure is key. When a threshold is breached, an alert can be triggered, allowing cloud administrators to proactively make configuration changes. This helps prevent the application or service from becoming unavailable.
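As an added example (not code from the original article), the following Bicep template creates the kind of alert described above: an Azure Monitor metric alert on a public IP's `IfUnderDDoSAttack` metric ("Under DDoS attack or not"), routed to an e-mail action group so an operator is paged the moment the platform starts mitigating. The public IP name, the action group name and the recipient address are assumed placeholders.

```bicep
// Added example, not code from the original article: alert when a public IP
// reports that DDoS mitigation is active. Names and the e-mail address below
// are assumed placeholders.
@description('Name of an existing public IP in this resource group (assumed placeholder)')
param publicIpName string = 'pip-web-prod'

@description('E-mail address that receives the alert (assumed placeholder)')
param alertEmail string = 'cloud-ops@example.com'

resource publicIp 'Microsoft.Network/publicIPAddresses@2023-09-01' existing = {
  name: publicIpName
}

// Action group: who gets notified when the alert fires.
resource onCall 'Microsoft.Insights/actionGroups@2023-01-01' = {
  name: 'ag-ddos-oncall'
  location: 'global'
  properties: {
    groupShortName: 'ddosoncall'
    enabled: true
    emailReceivers: [
      {
        name: 'cloud-ops'
        emailAddress: alertEmail
        useCommonAlertSchema: true
      }
    ]
  }
}

// Metric alert on "Under DDoS attack or not" (IfUnderDDoSAttack). The platform
// sets the metric to 1 while mitigation is active, so a maximum above 0 inside
// the 5-minute window means an attack is being mitigated right now.
resource underAttackAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = {
  name: 'alert-${publicIpName}-under-ddos'
  location: 'global'
  properties: {
    description: 'Public IP is under DDoS mitigation'
    severity: 1
    enabled: true
    scopes: [
      publicIp.id
    ]
    evaluationFrequency: 'PT1M'
    windowSize: 'PT5M'
    criteria: {
      'odata.type': 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
      allOf: [
        {
          criterionType: 'StaticThresholdCriterion'
          name: 'UnderDDoS'
          metricNamespace: 'Microsoft.Network/publicIPAddresses'
          metricName: 'IfUnderDDoSAttack'
          operator: 'GreaterThan'
          threshold: 0
          timeAggregation: 'Maximum'
        }
      ]
    }
    autoMitigate: true
    actions: [
      {
        actionGroupId: onCall.id
      }
    ]
  }
}
```

Deploy it into the resource group that holds the public IP with `az deployment group create --resource-group <rg> --template-file ddos-alert.bicep`. The same template shape works for the other DDoS metrics a public IP exposes, for example `PacketsDroppedDDoS` or `BytesInDDoS`, if you want a second, lower-severity alert that tracks how much traffic the mitigation is actually discarding.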
Hardening
One common cause of successful DDoS attacks is outdated systems, which can make it easier for attackers to exploit vulnerabilities. Mitigating an ongoing DDoS attack is much more challenging if your systems are not properly patched and updated. Ensuring your systems are always up-to-date with the latest security patches is essential for maintaining their resilience against such attacks.
Azure DDoS protection
Azure DDoS Protection works at layers 3/4. If you also need layer 7 protection, you need to deploy a WAF in addition to it.
Protected resources
Supported resources
- Public IPs attached to:
  - An IaaS virtual machine
  - Application Gateway (including WAF) cluster
  - Azure API Management (Premium tier only), connected to a virtual network (VNet) in the external mode
  - Bastion
  - Firewall
  - IaaS-based Network Virtual Appliance (NVA)
  - Load Balancer (Classic and Standard Load Balancers)
  - Service Fabric
  - VPN Gateway
- Protection also covers public IP ranges brought to Azure via Custom IP Prefixes (BYOIPs)
Unsupported resources
- Azure Virtual WAN
- Azure API Management in deployment modes other than the supported modes
- PaaS services (multi-tenant), including Azure App Service Environment for Power Apps
- Protected resources that include public IPs created from a public IP address prefix
- NAT Gateway
See the Azure DDoS Protection reference architectures on Microsoft Learn to learn more.
Azure DDoS Features
Azure's DDoS protection features are designed to proactively safeguard applications and networks from potential threats with minimal user intervention. By leveraging automation and advanced technologies like machine learning (ML), it ensures continuous monitoring and rapid mitigation to keep systems secure.
- Monitoring indicators of a possible DDoS attack 24x7x365 and mitigating it immediately when detected
- Learning your application traffic over time and adjusting the traffic profile accordingly
- Using ML to auto-configure traffic profiles and initiate DDoS mitigation when thresholds are breached
- Access to the Azure DDoS Rapid Response team to help investigate attacks
- Simplified configuration: protection is effective immediately, without user configuration or intervention
DDoS at layer 7
Azure Front Door and Application Gateway provide platform-level protection against DDoS attacks through web application firewall (WAF) integration.
DDoS protection with Azure Front Door
Azure Front Door is a global service, meaning it can distribute attacks across all points of presence (POPs) worldwide, reducing the impact on any single location. Front Door provides Layer 3 and Layer 4 DDoS protection and has additional capabilities for handling Layer 7 DDoS attacks when integrated with WAF.
Key features of Azure Front Door for DDoS mitigation include:
- Layer 3/4 protection: Front Door offers built-in protection against network-level attacks, ensuring basic DDoS protection.
- Layer 7 protection with WAF: When integrated with WAF, Front Door can handle more sophisticated application-level DDoS attacks.
- Caching: Front Door's caching feature helps protect backend servers from large volumes of traffic, both normal and malicious, by serving cached content to reduce the load on the servers.
- Rate limiting: This feature blocks incoming requests that exceed a certain threshold within a specified time frame, effectively mitigating high-traffic attacks by limiting the rate at which requests are processed.
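The layer 7 side of the list above, as an added example that is not code from the original article: a Front Door WAF policy in Prevention mode with the managed rule set plus a rate-limit custom rule, attached to an existing Front Door Premium profile and endpoint through a security policy. The profile and endpoint names, the `/api/` path and the 300-requests-per-minute threshold are assumed placeholders.

```bicep
// Added example, not code from the original article: Front Door WAF policy with
// managed rules and a rate-limit rule, bound to an existing Premium profile.
// Profile/endpoint names, the path and the threshold are assumed placeholders.
@description('Existing Front Door Premium profile (assumed placeholder)')
param profileName string = 'afd-prod'

@description('Existing endpoint in that profile (assumed placeholder)')
param endpointName string = 'web-prod'

resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
  name: profileName
}

resource endpoint 'Microsoft.Cdn/profiles/afdEndpoints@2023-05-01' existing = {
  parent: profile
  name: endpointName
}

resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: 'wafafdprod' // this resource type only accepts letters and digits
  location: 'global'
  sku: { name: 'Premium_AzureFrontDoor' }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention'
      requestBodyCheck: 'Enabled'
    }
    customRules: {
      rules: [
        {
          // Rate limit: Front Door counts matching requests per client source IP.
          // Once a client exceeds the threshold inside the window, its further
          // matching requests are blocked until the window ends.
          name: 'RateLimitApi'
          priority: 100
          enabledState: 'Enabled'
          ruleType: 'RateLimitRule'
          rateLimitDurationInMinutes: 1
          rateLimitThreshold: 300
          action: 'Block'
          matchConditions: [
            {
              matchVariable: 'RequestUri'
              operator: 'Contains'
              negateCondition: false
              matchValue: [ '/api/' ]
            }
          ]
        }
      ]
    }
    managedRules: {
      managedRuleSets: [
        { ruleSetType: 'Microsoft_DefaultRuleSet', ruleSetVersion: '2.1', ruleSetAction: 'Block' }
        { ruleSetType: 'Microsoft_BotManagerRuleSet', ruleSetVersion: '1.0' }
      ]
    }
  }
}

// Security policy: binds the WAF policy to every path served by the endpoint.
resource securityPolicy 'Microsoft.Cdn/profiles/securityPolicies@2023-05-01' = {
  parent: profile
  name: 'waf-security-policy'
  properties: {
    parameters: {
      type: 'WebApplicationFirewall'
      wafPolicy: { id: wafPolicy.id }
      associations: [
        {
          domains: [ { id: endpoint.id } ]
          patternsToMatch: [ '/*' ]
        }
      ]
    }
  }
}
```

Start with `mode: 'Detection'` on a new policy and read the WAF logs for a few days before switching to `Prevention`, so that the rate-limit threshold is set from real per-client request rates rather than a guess; a threshold that is too low turns the WAF itself into the thing that denies service to legitimate users.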
DDoS protection on Application Gateway
DDoS Protection and WAF can be combined to protect Application Gateway traffic:
enable DDoS Protection on the VNet where the Application Gateway is deployed for layer 3/4 protection, and add a WAF to the Application Gateway for layer 7 protection.
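The combination described in this section and in the Azure DDoS Protection section above, as an added example that is not code from the original article: a DDoS Network Protection plan linked to the VNet (layer 3/4) and a WAF_v2 Application Gateway in that VNet bound to a WAF policy (layer 7). Resource names, address ranges and the backend FQDN are assumed placeholders.

```bicep
// Added example, not code from the original article: DDoS Network Protection on the
// VNet (layer 3/4) plus a WAF_v2 Application Gateway bound to a WAF policy (layer 7).
// Resource names, address ranges and the backend FQDN are assumed placeholders.
param location string = resourceGroup().location

@description('Backend host behind the gateway (assumed placeholder)')
param backendFqdn string = 'app.internal.example.com'

var appGwName = 'appgw-waf-prod'
var subnetName = 'snet-appgw'
var appGwType = 'Microsoft.Network/applicationGateways'

resource ddosPlan 'Microsoft.Network/ddosProtectionPlans@2023-09-01' = {
  name: 'ddos-plan-prod'
  location: location
}

// Layer 3/4: linking the VNet to the plan protects the public IP of every
// resource deployed inside it, including the Application Gateway below.
resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-appgw-prod'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    enableDdosProtection: true
    ddosProtectionPlan: { id: ddosPlan.id }
    subnets: [
      { name: subnetName, properties: { addressPrefix: '10.10.1.0/24' } }
    ]
  }
}

resource pip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'pip-appgw-prod'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Layer 7: WAF policy in Prevention mode with the OWASP core rule set.
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-09-01' = {
  name: 'waf-appgw-prod'
  location: location
  properties: {
    policySettings: { state: 'Enabled', mode: 'Prevention', requestBodyCheck: true }
    managedRules: {
      managedRuleSets: [ { ruleSetType: 'OWASP', ruleSetVersion: '3.2' } ]
    }
  }
}

// WAF_v2 gateway bound to the policy. Plain HTTP listener on port 80; a
// production deployment adds a certificate and an HTTPS listener.
resource appGw 'Microsoft.Network/applicationGateways@2023-09-01' = {
  name: appGwName
  location: location
  properties: {
    sku: { name: 'WAF_v2', tier: 'WAF_v2' }
    autoscaleConfiguration: { minCapacity: 2, maxCapacity: 10 }
    firewallPolicy: { id: wafPolicy.id }
    gatewayIPConfigurations: [
      {
        name: 'gwip'
        properties: {
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, subnetName) }
        }
      }
    ]
    frontendIPConfigurations: [
      { name: 'feip', properties: { publicIPAddress: { id: pip.id } } }
    ]
    frontendPorts: [
      { name: 'port80', properties: { port: 80 } }
    ]
    backendAddressPools: [
      { name: 'pool-app', properties: { backendAddresses: [ { fqdn: backendFqdn } ] } }
    ]
    backendHttpSettingsCollection: [
      {
        name: 'http-settings'
        properties: { port: 80, protocol: 'Http', cookieBasedAffinity: 'Disabled', requestTimeout: 30 }
      }
    ]
    httpListeners: [
      {
        name: 'listener-http'
        properties: {
          frontendIPConfiguration: { id: resourceId('${appGwType}/frontendIPConfigurations', appGwName, 'feip') }
          frontendPort: { id: resourceId('${appGwType}/frontendPorts', appGwName, 'port80') }
          protocol: 'Http'
        }
      }
    ]
    requestRoutingRules: [
      {
        name: 'rule-default'
        properties: {
          ruleType: 'Basic'
          priority: 100
          httpListener: { id: resourceId('${appGwType}/httpListeners', appGwName, 'listener-http') }
          backendAddressPool: { id: resourceId('${appGwType}/backendAddressPools', appGwName, 'pool-app') }
          backendHttpSettings: { id: resourceId('${appGwType}/backendHttpSettingsCollection', appGwName, 'http-settings') }
        }
      }
    ]
  }
}
```

The plan is the billable unit and can be shared by VNets across subscriptions in the same tenant, so one plan per tenant linked to every internet-facing VNet is the usual layout. Once the VNet is linked, the `IfUnderDDoSAttack` metric on `pip-appgw-prod` reflects Network Protection mitigation and can drive the alert from the Detection section.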