DDoS attacks are the most common method attackers use against resources that are accessible via the internet, such as a website or an application. A DDoS attack can crash or slow down a service or application by sending a large number of access requests in a short period of time. This applies to the public cloud as well. Therefore, Microsoft recently released the Azure DDoS Protection service to protect workloads in Azure from DDoS attacks. It is currently in preview, but it is not too early to check its capabilities.
This feature comes in two versions:
Basic – This comes as part of the Azure subscription at no additional cost. It provides the same level of real-time monitoring and mitigation that applies to Microsoft services. It applies to the Azure global network across all regions, and to Azure IPv4 and IPv6 public IP addresses.
Standard – This comes with additional traffic monitoring and machine learning algorithms tuned specifically to protect Azure virtual network resources such as Azure Application Gateway and Azure Load Balancer. Real-time monitoring data is available via Azure Monitor. Users can also enable alerting for events. Standard protection comes with an additional fee. It applies to Azure IPv4 public IP addresses.
According to Microsoft, the following types of DDoS attacks will be prevented under the Standard subscription:
Volumetric attacks: The attack's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic. It includes UDP floods, amplification floods, and other spoofed-packet floods. DDoS Protection Standard mitigates these potential multi-gigabyte attacks by absorbing and scrubbing them, leveraging Azure’s global network scale, automatically.
Protocol attacks: These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack. It includes SYN flood attacks, reflection attacks, and other protocol attacks. DDoS Protection Standard mitigates these attacks, differentiating between malicious and legitimate traffic, by interacting with the client and blocking malicious traffic.
Application layer attacks: These attacks target web application packets to disrupt the transmission of data between hosts. It includes HTTP protocol violations, SQL injection, cross-site scripting, and other layer 7 attacks. Use the Azure Application Gateway web application firewall, with DDoS Protection Standard, to provide defense against these attacks.
The Standard version's features also include:
Native platform integration: Natively integrated into Azure and includes configuration through the Azure portal and PowerShell. DDoS Protection Standard understands your resources and resource configuration.
Always-on traffic monitoring: Your application traffic patterns are monitored 24 hours a day, 7 days a week, looking for indicators of DDoS attacks. Mitigation is performed when protection policies are exceeded.
Turn-key protection: Simplified configuration immediately protects all resources on a virtual network as soon as DDoS Protection Standard is enabled. No intervention or user definition is required. DDoS Protection Standard instantly and automatically mitigates the attack, once it is detected.
Adaptive tuning: Intelligent traffic profiling learns your application’s traffic over time, and selects and updates the profile that is the most suitable for your service. The profile adjusts as traffic changes over time.
Layer 3 to layer 7 protection: Provides full stack DDoS protection, when used with an application gateway.
Extensive mitigation scale: Over 60 different attack types can be mitigated, with global capacity, to protect against the largest known DDoS attacks.
Attack metrics: Summarized metrics from each attack are accessible through Azure Monitor.
Attack alerting: Alerts can be configured at the start and stop of an attack, and over the attack’s duration, using built-in attack metrics. Alerts integrate into your operational software like Microsoft Operations Management Suite, Splunk, Azure Storage, Email, and the Azure portal.
Cost guarantee: Data-transfer and application scale-out service credits for documented DDoS attacks.
Let’s see how we can enable and configure this feature.
In order to enable the Azure DDoS Protection preview service, you first need to request it using http://aka.ms/ddosprotection . This feature is also only available in the East US, East US 2, West US, West Central US, North Europe, West Europe, Japan West, Japan East, East Asia, and Southeast Asia regions.