Tag Archives: Virtual Network

Azure DDoS Protection Preview in Action

DDoS attacks are one of the most commonly used methods attackers employ against resources that are reachable over the internet, whether a website or an application. A DDoS attack can crash or slow down a service or application by sending a large number of access requests in a short period of time. This applies to the public cloud as well. Therefore, Microsoft recently released the Azure DDoS Protection service to protect workloads in Azure from DDoS attacks. It is currently in preview, but it is not too early to check its capabilities.

This feature comes in two versions,

Basic – This comes as part of the Azure subscription at no additional cost. It provides the same level of real-time monitoring and mitigation that applies to Microsoft's own services. It applies across the Azure global network in all regions, and covers Azure IPv4 and IPv6 public IP addresses.

Standard – This comes with additional traffic monitoring and machine learning algorithms tuned specifically to protect Azure virtual network resources such as Azure Application Gateway and Azure Load Balancer. Real-time monitoring data is available via Azure Monitor, and users can also enable alerting for events. Standard protection carries an additional fee. It applies to Azure IPv4 public IP addresses.

According to Microsoft, the Standard tier prevents the following types of DDoS attacks.

Volumetric attacks: The attack's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic. It includes UDP floods, amplification floods, and other spoofed-packet floods. DDoS Protection Standard mitigates these potential multi-gigabyte attacks by absorbing and scrubbing them, leveraging Azure’s global network scale, automatically.

Protocol attacks: These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack. It includes SYN flood attacks, reflection attacks, and other protocol attacks. DDoS Protection Standard mitigates these attacks, differentiating between malicious and legitimate traffic, by interacting with the client and blocking malicious traffic.

Application layer attacks: These attacks target web application packets to disrupt the transmission of data between hosts. It includes HTTP protocol violations, SQL injection, cross-site scripting, and other layer 7 attacks. Use the Azure Application Gateway web application firewall, with DDoS Protection Standard, to provide defense against these attacks.

The Standard version's features also include,

Native platform integration: Natively integrated into Azure and includes configuration through the Azure portal and PowerShell. DDoS Protection Standard understands your resources and resource configuration.

Always-on traffic monitoring: Your application traffic patterns are monitored 24 hours a day, 7 days a week, looking for indicators of DDoS attacks. Mitigation is performed when protection policies are exceeded.

Turn-key protection: Simplified configuration immediately protects all resources on a virtual network as soon as DDoS Protection Standard is enabled. No intervention or user definition is required. DDoS Protection Standard instantly and automatically mitigates the attack, once it is detected.

Adaptive tuning: Intelligent traffic profiling learns your application’s traffic over time, and selects and updates the profile that is the most suitable for your service. The profile adjusts as traffic changes over time.

Layer 3 to layer 7 protection: Provides full stack DDoS protection, when used with an application gateway.

Extensive mitigation scale: Over 60 different attack types can be mitigated, with global capacity, to protect against the largest known DDoS attacks.

Attack metrics: Summarized metrics from each attack are accessible through Azure Monitor.

Attack alerting: Alerts can be configured at the start and stop of an attack, and over the attack’s duration, using built-in attack metrics. Alerts integrate into your operational software like Microsoft Operations Management Suite, Splunk, Azure Storage, Email, and the Azure portal.

Cost guarantee: Data-transfer and application scale-out service credits for documented DDoS attacks.

Let’s see how we can enable and configure this feature.

In order to enable the Azure DDoS Protection Preview service, you first need to request it using http://aka.ms/ddosprotection . The feature is also only available in the East US, East US 2, West US, West Central US, North Europe, West Europe, Japan West, Japan East, East Asia, and Southeast Asia regions.

Enable DDoS Protection Standard Preview in an Existing Virtual Network

1. Once you receive the confirmation email from the Azure team, log in to the Azure portal at https://portal.azure.com as a global administrator.
2. Then go to Virtual Networks and click on the virtual network for which you would like to enable DDoS protection.
3. Then, in the properties window, click on the DDoS protection option.
4. In the next window, click on Enabled and then click on Save to enable the feature.

Enable DDoS Protection Standard Preview in a New Virtual Network

1. Once you receive the confirmation email from the Azure team, log in to the Azure portal at https://portal.azure.com as a global administrator.
2. Then go to Virtual Networks and click on Add.
3. On the new page, provide the relevant information for the virtual network, select a region supported by the DDoS feature, and then click on Enabled under DDoS protection.
4. At the end, click on Create to complete the process.
 
DDoS Monitoring

Using monitoring metrics, we can review historical DDoS threat data for selected resources. We can also configure email alerts for events.
In order to do so,

1. Log in to the Azure portal at https://portal.azure.com as a global administrator.
2. Then go to Metrics | Monitor.
3. On the page, select the relevant subscription, resource group, resource type and resource to view the relevant data.
4. Then, under the available metrics, select the metrics you would like to review. In my demo I am going to use the "Under DDoS attack or not" metric, which is going to show all the data.
5. Then it will show the relevant metrics. Using the Time Range window, we can change the time period and review specific data sets.
6. Using the Chart Type option, we can change the view of the chart.
7. In order to configure alerts, click on the "No alerts configured for this resource. Click to add an alert" option.
8. Then it opens a window where you can customize the metric type, condition, threshold and notification type.
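The same enablement and monitoring steps can be scripted, as the Standard tier's native PowerShell integration mentioned above allows. The following is an added example, not code from the original post or from Microsoft; it uses the current Az module cmdlets (the preview described here used the portal and the AzureRM module), and all resource names, the region, and the "ag-secops" action group are placeholders that are assumed to exist already.

```powershell
# Added example (not from the original post): enable DDoS Protection Standard on
# an existing VNet, read the "Under DDoS attack or not" metric, and create the
# equivalent of the portal's alert rule. Resource names are placeholders.
Connect-AzAccount | Out-Null              # interactive sign-in

$rg       = "rg-ddos-demo"                # placeholder resource group
$location = "East US"                     # must be one of the supported regions
$vnetName = "vnet-ddos-demo"              # placeholder VNet name
$pipName  = "pip-web-frontend"            # placeholder public IP inside that VNet

# 1) The DDoS protection plan is the billable Standard-tier resource; one plan
#    can be attached to several VNets.
$plan = New-AzDdosProtectionPlan -ResourceGroupName $rg -Name "ddos-plan" -Location $location

# 2) Attach the plan to the VNet and switch protection on (the portal's "Enabled").
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$vnet.DdosProtectionPlan = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
$vnet.DdosProtectionPlan.Id = $plan.Id
$vnet.EnableDdosProtection = $true
$vnet | Set-AzVirtualNetwork | Out-Null

# 3) Metrics are emitted per public IP. IfUnderDDoSAttack is 1 while mitigation
#    is active and 0 otherwise; the portal labels it "Under DDoS attack or not".
$pip = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName
$metric = Get-AzMetric -ResourceId $pip.Id -MetricName "IfUnderDDoSAttack" `
    -StartTime (Get-Date).AddHours(-24) -EndTime (Get-Date) `
    -TimeGrain 00:05:00 -AggregationType Maximum
$attackWindows = @($metric.Data | Where-Object { $_.Maximum -gt 0 })
"5-minute windows under mitigation in the last 24h: $($attackWindows.Count)"

# 4) Alert rule matching the portal's "add an alert" step: fire when the metric
#    rises above 0, routed to an existing action group (email/webhook receivers).
$ag   = Get-AzActionGroup -ResourceGroupName $rg -Name "ag-secops"
$crit = New-AzMetricAlertRuleV2Criteria -MetricName "IfUnderDDoSAttack" `
    -TimeAggregation Maximum -Operator GreaterThan -Threshold 0
Add-AzMetricAlertRuleV2 -Name "ddos-attack-$pipName" -ResourceGroupName $rg `
    -TargetResourceId $pip.Id -Condition $crit -ActionGroupId $ag.Id `
    -WindowSize 00:05:00 -Frequency 00:01:00 -Severity 1 `
    -Description "Public IP is under DDoS mitigation" | Out-Null
```

Run it from a session that has the Az.Network and Az.Monitor modules installed and an account with Network Contributor rights on the resource group.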
 
As you can see, the setup, configuration and maintenance of Azure DDoS Protection is straightforward. This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com and also follow me on Twitter @rebeladm to get updates about new blog posts.

Why I can’t connect PC to the Domain?


This is one of the most common questions I get from starters, students and admins who follow my blog. They say they follow my step-by-step guides to install a domain controller in a production or demo setup, and at the end they can’t join computers to the domain. I’m sure that if you already work on domain infrastructure, you have faced the same experience in your job at some point.

So I thought I would share some tips to troubleshoot and get your PC connected to the domain.

Read the Error!!!

This is the very best friend of your initial troubleshooting. Read the error carefully; it will give you some clues about where to start. It can be a simple typo, so as a first step, read the error twice or more until you clearly understand what it says.

Connectivity

For successful communication between the domain controller and the PC there must be reliable connectivity. There are a lot of ways in which it can be interrupted.

1)    Local host
To start, first try pinging the local host IP from the PC (ping 127.0.0.1). If it succeeds, it means the local PC is running with the correct protocols and required components. If it does not, that is the first place to start.

2)    Ipconfig /all
Try this on both the server and the PC and make sure the client PC has a valid IP address assigned. Make sure it is in the same IP address range as the server so they can talk to each other.

3)    DNS
This is a very common issue when joining a PC to a domain. Make sure the PC is using the domain DNS servers as its primary DNS resolver. Sometimes you may have used a valid public domain name ending in .com, .org, .net etc.; in such a case you need to make sure you have the correct DNS entries to identify the local server instead of trying to resolve it to the public DNS entry.
If all of the above are checked, then use “ping” from the server as well as the PC to make sure both can ping each other (if a firewall is active on the PC or server, allow ICMP traffic temporarily before troubleshooting).
If the pings fail, then you need to look at the network level; it can be the cable, VLAN configuration, switch port configuration etc.

Time

This is also a very common issue I have seen: make sure the system time and date on your domain controller and on the computer match. Even if you use common time servers, sometimes there can be a mismatch due to sync problems.

Virtualization

If you are using virtualization software to build your home lab or even your production environment, there are a few things you should check. In these virtualization platforms you can set up the virtual networks as per your requirements. So sometimes, even if the DC and the PC are on the same network range, they may not be in the same virtual network. Make sure the interfaces are correctly assigned to the relevant virtual network.

Beware!! Most of the time, when we build a test lab with a few virtual machines, we clone them. Even in production environments engineers do this. Not long ago I had to look into a problem with joining virtual machines to a domain. It was using one of the famous virtualization software products. The engineer who set up the system had linked-cloned them (all VMs run from the same initial image). But when he went to add those computers to the domain, only one of the VMs could join the domain and only one VM could log in to the DC. In the setup there were 10 VMs running. So what do you think the problem was? With the linked clone it was copying all the network information as well. So if you looked into each PC, every one of them was using the same IP address and the same MAC address. The interesting thing was that even with all of them switched on, none of them gave an IP duplication error. So if you used the “clone” option to build a VM, make sure it has a unique IP address and MAC address.
I believe the above tips will help you to troubleshoot issues with DC connectivity.
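The checks above (loopback, addressing, DNS, reachability, time, and the duplicate MAC from cloning) can be run in one go from the client before attempting the join. This is an added example, not a script from the original post; the domain name and DC hostname are placeholders passed as parameters, and it assumes a Windows client with the built-in NetTCPIP and DnsClient modules.

```powershell
# Added example (not from the original post): pre-join readiness checks on the
# client, following the troubleshooting order the post describes.
param(
    [string]$Domain = "corp.example.local",    # placeholder domain name
    [string]$Dc     = "dc01.corp.example.local" # placeholder DC hostname
)

function Test-DomainJoinReadiness {
    param([string]$Domain, [string]$Dc)
    $r = [ordered]@{}

    # 1) Local TCP/IP stack: loopback must answer before anything else matters
    $r['Loopback'] = Test-Connection -ComputerName 127.0.0.1 -Count 1 -Quiet

    # 2) Addressing (what ipconfig /all shows): the interface that has a default
    #    gateway is the one that has to be in the DC's range and use the DC for DNS
    $cfg = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | Select-Object -First 1
    $r['ClientIPv4'] = ($cfg.IPv4Address.IPAddress -join ',')
    $r['DnsServers'] = ($cfg.DNSServer.ServerAddresses -join ',')
    # A linked clone that kept its source's MAC shows the same value on every VM;
    # compare this field across the clones, not just on one of them
    $r['MacAddress'] = (Get-NetAdapter -InterfaceIndex $cfg.InterfaceIndex).MacAddress

    # 3) DNS: the domain's DC locator SRV records must resolve to the local DC,
    #    not to whoever owns the same name on the public internet
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
        $r['DcSrvTargets'] = (($srv | Where-Object Type -eq 'SRV').NameTarget -join ',')
    } catch {
        $r['DcSrvTargets'] = "FAILED: $($_.Exception.Message)"
    }

    # Port checks do not depend on ICMP, so a firewall that drops ping does not
    # mislead: DNS, Kerberos, RPC endpoint mapper, LDAP and SMB are all used by a join
    foreach ($port in 53, 88, 135, 389, 445) {
        $r["Tcp$port"] = (Test-NetConnection -ComputerName $Dc -Port $port `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # 4) Time: Kerberos rejects tickets when the clocks drift too far apart, so
    #    show the offset from the DC (last line of w32tm's stripchart output)
    $r['TimeOffsetVsDc'] = (w32tm /stripchart /computer:$Dc /samples:1 /dataonly 2>&1 | Select-Object -Last 1)

    return [pscustomobject]$r
}

Test-DomainJoinReadiness -Domain $Domain -Dc $Dc | Format-List
```

Run it from an elevated PowerShell session on the client; any FAILED or False field points at the section above to work through next.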

If you have any question feel free to contact me on rebeladm@live.com

Image source: https://pcpt.wordpress.com/2008/11/11/welcome/