Azure DDoS Protection

Azure DDoS Protection, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks. It is automatically tuned to help protect your specific Azure resources in a virtual network. Protection is simple to enable on any new or existing virtual network, and it requires no application or resource changes.

Key Features

Azure DDoS Protection offers a robust defense against distributed denial-of-service (DDoS) attacks, safeguarding your cloud resources and ensuring service availability. Here's a breakdown of its key features, incorporating the additional points you mentioned:

Always-on Traffic Monitoring

Azure DDoS Protection continuously monitors your network traffic patterns for anomalies that might indicate a DDoS attack. This vigilance ensures swift detection and response before legitimate users experience disruption.

Adaptive Real-time Tuning

This feature goes beyond simple monitoring.  Azure DDoS Protection intelligently analyzes your traffic patterns over time and automatically tailors its mitigation strategies to fit your specific needs. This ensures optimal protection without unnecessary disruptions to legitimate traffic flow.

DDoS Protection Analytics, Metrics, and Alerting

Attack Analytics

Gain deeper insights into the nature of DDoS attacks you encounter. Azure DDoS Protection provides detailed reports on attack vectors, traffic patterns, and attack sources. This knowledge helps you understand your attack landscape and refine your defense strategies.

Attack Metrics

Track key performance indicators (KPIs) related to DDoS attacks. These metrics provide real-time data on attack traffic volume, duration, and effectiveness of mitigation strategies. This allows you to monitor the situation and assess the impact of the attack.

Attack Alerting

Be notified promptly when an attack is detected. Azure DDoS Protection can send configurable alerts via various channels, including email, SMS, and Azure Monitor, enabling you to take timely action.

Rapid Response

This service provides access to a team of security specialists for advanced threat analysis and guidance during complex DDoS attacks. Leverage their expertise to optimize mitigation strategies and ensure the most effective response.

Native Platform Integration

Azure DDoS Protection is seamlessly integrated with other Azure security services. This allows for centralized management and a unified security posture across your cloud environment. You can leverage services like Azure Firewall and Azure Security Center for a comprehensive defense strategy.

Turnkey Protection

Azure DDoS Protection offers a user-friendly experience. Basic protection is typically enabled by default on your virtual networks, requiring minimal configuration. Standard and Advanced tiers provide more granular control while still maintaining ease of use.

Extensive Mitigation Scale

Azure DDoS Protection is designed to handle massive traffic spikes during an attack. The service automatically scales its resources to accommodate the increased load and ensure your resources remain accessible.

Cost Guarantee (Available in some regions)

For added peace of mind, some regions offer a cost-guarantee program for Azure DDoS Protection. This program ensures you won't incur unexpected charges exceeding a predefined threshold during a DDoS attack.

Azure DDoS SKUs

Microsoft Azure has two offerings for DDoS Protection.

Azure DDoS Basic

• Enabled by default (free).

• It mitigates common network attacks.

Azure DDoS Protection Standard

DDoS Protection Standard protects resources in a virtual network, including public IP addresses associated with virtual machines, load balancers, and application gateways. When coupled with the Application Gateway web application firewall or a third-party web application firewall deployed in a virtual network with a public IP, DDoS Protection Standard can provide full layer 3 to layer 7 mitigation capability.

DDoS Protection Standard can mitigate the following types of attacks:

Volumetric attacks

These attacks flood the network layer with a substantial amount of seemingly legitimate traffic. They include UDP floods, amplification floods, and other spoofed-packet floods. DDoS Protection Standard mitigates these potential multi-gigabyte attacks by absorbing and scrubbing them with Azure's global network scale automatically.

Protocol attacks:

These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack. They include SYN flood attacks, reflection attacks, and other protocol attacks. DDoS Protection Standard mitigates these attacks, differentiating between malicious and legitimate traffic by interacting with the client and blocking malicious traffic.

Resource (application) layer attacks:

These attacks target web application packets to disrupt the transmission of data between hosts. They include HTTP protocol violations, SQL injection, cross-site scripting, and other layer 7 attacks. Use a Web Application Firewall, such as the Azure Application Gateway web application firewall, as well as DDoS Protection Standard to provide defense against these attacks. There are also third-party web application firewall offerings available in the Azure Marketplace.

Azure DDoS Protection Standard Key Features

Always-on traffic monitoring

DDoS Protection Standard monitors actual traffic utilization and constantly compares it against the thresholds defined in the DDoS Policy. When the traffic threshold is exceeded, DDoS mitigation is initiated automatically. When traffic returns below the thresholds, the mitigation is stopped.

During mitigation, traffic sent to the protected resource is redirected by the DDoS protection service and several checks are performed, such as:

• Ensure packets conform to internet specifications and are not malformed.

• Interact with the client to determine if the traffic is potentially a spoofed packet (e.g. SYN Auth or SYN Cookie or by dropping a packet for the source to retransmit it).

• Rate-limit packets if no other enforcement method can be performed.

DDoS protection drops attack traffic and forwards the remaining traffic to its intended destination. Within a few minutes of attack detection, you are notified using Azure Monitor metrics. By configuring logging on DDoS Protection Standard telemetry, you can write the logs to available options for future analysis. Metric data in Azure Monitor for DDoS Protection Standard is retained for 30 days.

Adaptive real-time tuning

The complexity of attacks (for example, multi-vector DDoS attacks) and the application-specific behaviours of tenants call for per-customer, tailored protection policies. The service accomplishes this by using two insights:

• Automatic learning of per-customer (per-public IP) traffic patterns for Layers 3 and 4.

• Minimizing false positives, considering that the scale of Azure allows it to absorb a significant amount of traffic.

DDoS Protection telemetry, monitoring, and alerting

DDoS Protection Standard exposes rich telemetry via Azure Monitor. You can configure alerts for any of the Azure Monitor metrics that DDoS Protection uses. You can integrate logging with Splunk (Azure Event Hubs), Azure Monitor logs, and Azure Storage for advanced analysis via the Azure Monitor Diagnostics interface.

DDoS mitigation policies

In the Azure portal, select Monitor > Metrics. In the Metrics pane, select the resource group, select a resource type of Public IP Address, and select your Azure public IP address. DDoS metrics are visible in the Available metrics pane.

DDoS Protection Standard applies three autotuned mitigation policies (TCP SYN, TCP, and UDP) for each public IP of the protected resource in the virtual network that has DDoS enabled. You can view the policy thresholds by selecting the metric Inbound packets to trigger DDoS mitigation.

The policy thresholds are autoconfigured via machine learning-based network traffic profiling. DDoS mitigation occurs for an IP address under attack only when the policy threshold is exceeded.

A metric for an IP address under a DDoS attack

If the public IP address is under attack, the value for the metric Under DDoS attack or not changes to 1 as DDoS Protection performs mitigation on the attack traffic.

We recommend configuring an alert on this metric. You'll then be notified

Web Application Firewall for resource attacks

A WAF inspects inbound web traffic to block SQL injections, cross-site scripting, DDoS, and other Layer 7 attacks. Azure provides WAF as a feature of Application Gateway for centralized protection of your web applications from common exploits and vulnerabilities.

Even web application firewalls are susceptible to volumetric and state exhaustion attacks. We strongly recommend enabling the DDoS Protection Standard on the WAF virtual network to help protect from volumetric and protocol attacks.

Protection Planning

If you have a DDoS Protection Standard, make sure that it's enabled on the virtual network of internet-facing endpoints. Configuring DDoS alerts helps you constantly watch for any potential attacks on your infrastructure.

Monitor your applications independently. Understand the normal behaviour of an application. Prepare to act if the application is not behaving as expected during a DDoS attack.

Azure Basic vs Standard DDoS

Azure DDoS Cost

• Basic DDoS Protection provides protection at no additional charge.

• DDoS protection plans have a fixed monthly charge of $2,944 per month, which covers up to 100 public IP addresses. Protection for additional resources will cost an additional $30 per resource per month.

P.S. - Under a tenant, a single DDoS protection plan can be used across multiple subscriptions, so there is no need to create more than one DDoS protection plan.