Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 3: Deploy Azure DDoS Protection by Using the Azure Portal
- Distributed Denial of Service (DDoS)
- DoS attack that has goal of preventing access to services/systems
- Originates from one location
- DDoS attack originates from multiple networks and systems
- DDoS attacks are widely available (cheap to launch) and are among the top security concerns facing customers moving apps to the cloud
- DDoS tries to exhaust an app's or API's resources, making it unavailable to legitimate users
- DDoS can be targeted at endpoints that are publicly reachable via internet
- DDoS Implementation
- Azure DDoS Protection, combined with app design best practices, aids in defense against DDoS attacks.
- Multiple service tiers available
- Network Protection
- Provides mitigation capabilities beyond the default DDoS infrastructure protection that every Azure resource gets
- Tuned specifically to AZ VNet resources
- Simple to enable and requires no app modification
- Policies applied to public IP associated with resources in VNet
- Real-time telemetry through Azure Monitor views during an attack, and historical data afterwards
- Rich mitigation analytics via diagnostic settings
- App layer protection available via Azure App Gateway WAF
- Protection for IPv4 and IPv6 public addrs
- IP Protection
- DDoS IP Protection is a pay-per-protected-IP model
- Contains the same core engineering features as DDoS Network Protection
- Differs in that it does not include the value-added services of Network Protection:
- DDoS rapid response support
- Cost Protection
- Discounts on WAF
- Network Protection
- Protects resources in VNets
- Protection includes:
- VM Public IP Addresses
- Load Balancers
- App Gateways
- When coupled with App Gateway WAF, can provide full L3-L7 mitigation capabilities
- Types of DDoS Attacks
- Can mitigate the following types of attacks
- Volumetric attacks
- Flood the network layer with a large volume of traffic that appears legitimate, to saturate bandwidth
- Include UDP floods, amplification flood, and other spoofed-packet floods
- Protocol Attacks
- Render the target inaccessible by exploiting weaknesses in the L3 and L4 protocol stack
- Includes SYN flood, reflection, and other protocol attacks
- Resource (App) layer attacks
- Target web application packets to disrupt the transmission of data between hosts
- Include HTTP protocol violations, SQL injection, cross-site scripting, and other L7 attacks; these need a WAF (e.g. App Gateway WAF) in addition to DDoS Protection
- Azure DDoS protection features
- Examples include
- Native platform integration
- Native integration into Azure and configured via portal
- Turnkey protection
- Simplified config that protects all resources in the VNet right away
- Always-on traffic monitoring
- App traffic patterns monitored 24/7
- Adaptive tuning
- Profiles the service's traffic and adjusts to it over time
- Attack analytics
- Detailed reports every 5 mins during attack
- Complete summary after attack ends
- Attack metrics and alerts
- Summary metrics from each attack through Azure Monitor
- Alerts can be configured at the start and stop of an attack, and over its duration
- Uses built-in attack metrics
- Multi-layered protection
- When deployed with a WAF, DDoS Protection protects both the network and app layers
- More details about some of the above DDoS Protection Features
- Always-on traffic monitoring
- Monitors actual traffic utilization
- Constantly compares against defined thresholds
- When threshold exceeded, mitigation initiated automatically
- When back below threshold, mitigation stopped
- During mitigation, traffic towards the protected resource is redirected through the DDoS Protection service and checks are performed
- Ensure packets conform to internet specifications and aren't malformed
- Interact with the client to determine whether traffic is potentially spoofed (e.g. SYN Auth, SYN Cookie, or dropping a packet to force a retransmit)
- Rate-limit packets if no other enforcement method can be applied
- DDoS protection drops attack traffic and forwards remaining traffic
- You're notified via Azure Monitor metrics within a few minutes of attack detection
- Configure logging on DDoS Protection telemetry for future analysis
- Metric data is retained for 30 days.
- Adaptive real-time tuning
- Traffic profiling learns the app's traffic over time and adjusts the per-IP thresholds as it changes; this protects the customer's resources and prevents impact on other Azure customers
- Attack metrics, alerts, logs
- DDoS Protection exposes rich telemetry using Azure Monitor
- Configure alerts on any of the metrics DDoS Protection exposes
- Integrate logging with Splunk (via Azure Event Hubs), Azure Monitor Logs, and Azure Storage for advanced analysis via Azure Monitor Diagnostics
- Steps
- In Portal
- Monitor > Metrics
- Select Resource group
- Select resource type of Public IP Address
- Select the Azure Public IP Address
- DDoS metrics visible in the Available metrics pane
- DDoS Protection applies 3 auto-tuned mitigation policies for each public IP of a protected resource in a VNet where DDoS Protection is enabled
- SYN
- TCP
- UDP
- View policy thresholds via the metrics
- Inbound [SYN/TCP/UDP] packets to trigger DDoS mitigation
- Policy thresholds are auto-configured via machine-learning-based network traffic profiling
- DDoS mitigation occurs for the IP under attack only when its threshold is exceeded
- If a public IP is under attack, the value of the Under DDoS attack or not metric changes to 1 while mitigation is being performed
- Multi-layered Protection
- For attacks at the app layer against a specific resource, a WAF is recommended
- WAF inspects inbound web traffic to block SQL injection, cross-site scripting, L7 DDoS, and other L7 attacks
- Azure provides WAF as feature of App Gateway for centralized protection of web apps
- Other WAF offerings from partners in Azure Marketplace
- Even web application firewalls are susceptible to volumetric and state-exhaustion attacks
- Enable DDoS Protection on the WAF's VNet to aid in protection against these
- Deploying DDoS Protection Plan
- Key stages of deploying DDoS Protection:
- Create Resource Group
- Create DDoS Protection Plan
- Enable DDoS Protection on new/existing VNet or IP addr
- Configure DDoS telemetry
- Configure DDoS diagnostic logs
- Configure DDoS alerts
- Run a test DDoS attack to verify results
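The deployment stages above, and the Monitor > Metrics checks of the policy thresholds and attack state, scripted with the Azure CLI instead of the portal. This is an added example, not code from the MS Learn module. It assumes a recent Azure CLI logged in with rights on the subscription; resource names, address ranges and the on-call e-mail are placeholders. The DDoS metric names (IfUnderDDoSAttack, DDoSTriggerSYNPackets/TCPPackets/UDPPackets) and the three diagnostic log categories are the ones Azure exposes on a public IP address resource.

```shell
#!/usr/bin/env bash
# Added example: the DDoS Protection deployment stages as Azure CLI calls.
# Assumes az CLI >= 2.50, logged in. Names, address ranges and the e-mail
# address below are placeholder assumptions, not values from the module.
set -euo pipefail

LOCATION="${LOCATION:-westeurope}"
PLAN_NAME="ddos-plan"            # DDoS Protection plan (Network Protection tier)
VNET_NAME="vnet-protected"
PIP_NAME="pip-web"
WORKSPACE_NAME="law-ddos"
ACTION_GROUP="ag-ddos"
ONCALL_EMAIL="${ONCALL_EMAIL:-oncall@example.com}"

# ARM resource ID of a public IP; used for --resource and --scopes below
public_ip_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/publicIPAddresses/%s' \
    "$1" "$2" "$3"
}

# Stages 1-3: resource group, plan, VNet with DDoS Network Protection enabled,
# and a Standard-SKU public IP (only Standard SKU is covered). The IP is
# protected once attached to a VM NIC, load balancer or app gateway in the VNet.
create_protected_network() {
  local rg="$1" plan_id
  az group create --name "$rg" --location "$LOCATION" --output none
  az network ddos-protection create --name "$PLAN_NAME" --resource-group "$rg" \
    --location "$LOCATION" --output none
  plan_id=$(az network ddos-protection show --name "$PLAN_NAME" --resource-group "$rg" \
    --query id --output tsv)
  az network vnet create --name "$VNET_NAME" --resource-group "$rg" --location "$LOCATION" \
    --address-prefixes 10.10.0.0/16 --subnet-name web --subnet-prefixes 10.10.1.0/24 \
    --ddos-protection true --ddos-protection-plan "$plan_id" --output none
  az network public-ip create --name "$PIP_NAME" --resource-group "$rg" \
    --location "$LOCATION" --sku Standard --allocation-method Static --version IPv4 \
    --output none
}

# Stages 4-6: metrics and the three DDoS log categories (mitigation start/stop
# notifications, per-flow mitigation logs, 5-minute mitigation reports) to a
# Log Analytics workspace, plus an alert on "Under DDoS attack or not".
configure_telemetry() {
  local sub="$1" rg="$2" pip_id ws_id ag_id
  pip_id=$(public_ip_id "$sub" "$rg" "$PIP_NAME")
  ws_id=$(az monitor log-analytics workspace create --resource-group "$rg" \
    --workspace-name "$WORKSPACE_NAME" --location "$LOCATION" --query id --output tsv)
  az monitor diagnostic-settings create --name ddos-diag --resource "$pip_id" \
    --workspace "$ws_id" \
    --logs '[{"category":"DDoSProtectionNotifications","enabled":true},
             {"category":"DDoSMitigationFlowLogs","enabled":true},
             {"category":"DDoSMitigationReports","enabled":true}]' \
    --metrics '[{"category":"AllMetrics","enabled":true}]' --output none
  ag_id=$(az monitor action-group create --name "$ACTION_GROUP" --resource-group "$rg" \
    --short-name ddos --action email oncall "$ONCALL_EMAIL" --query id --output tsv)
  # IfUnderDDoSAttack is 0 normally and 1 while mitigation runs, so "> 0"
  # fires at mitigation start and auto-resolves when mitigation stops.
  az monitor metrics alert create --name ddos-under-attack --resource-group "$rg" \
    --scopes "$pip_id" --condition "max IfUnderDDoSAttack > 0" \
    --window-size 5m --evaluation-frequency 1m --action "$ag_id" \
    --description "DDoS mitigation active on $PIP_NAME" --output none
}

# Stage 7 check: the auto-tuned policy thresholds (inbound SYN/TCP/UDP packets
# to trigger mitigation) and attack state of the IP, last hour, 5-minute buckets.
check_ddos_state() {
  az monitor metrics list --resource "$1" \
    --metric IfUnderDDoSAttack DDoSTriggerSYNPackets DDoSTriggerTCPPackets DDoSTriggerUDPPackets \
    --aggregation Maximum --interval PT5M --offset 1h --output table
}

# Usage: ./deploy-ddos.sh deploy <subscription-id> <resource-group>
if [ "${1:-}" = "deploy" ]; then
  az account set --subscription "$2"
  create_protected_network "$3"
  configure_telemetry "$2" "$3"
  check_ddos_state "$(public_ip_id "$2" "$3" "$PIP_NAME")"
fi
```

The final stage, the test attack, is deliberately not scripted: Azure only permits DDoS simulation against your own public IPs through its approved simulation partners (BreakingPoint Cloud is one), so run the simulation there and re-run check_ddos_state to confirm IfUnderDDoSAttack went to 1 and the mitigation report appeared in the workspace.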