• 3 min read

DDoS Protection Attack Analytics and rapid response

Azure distributed denial of service (DDoS) Protection provides countermeasures against the most sophisticated DDoS threats. New features announced today provide enterprise-grade visibility to customers when their resources are under attack.

Sophistication and frequency of DDoS attacks continue to increase, hitting nearly two in five businesses. DDoS attacks are the prevalent cause of service outages. With the proliferation of compromised IoT devices that are weaponized as Botnets to launch mega DDoS attacks, hackers are well equipped more than ever to achieve their nefarious goals.

Azure DDoS Protection provides countermeasures against the most sophisticated DDoS threats. The service provides enhanced DDoS mitigation capabilities for your application and resources deployed in your virtual networks. Protection is simple to enable on any new or existing virtual network and requires no application or resource changes.

New features announced today provide enterprise grade visibility and support to customers when their resources are under attack. DDoS Attack Analytics provides attack insights that can be used for compliance, security audits and post attack analysis to optimize defense strategies and security operations. DDoS Rapid Response will enable customers to engage DDoS experts during an active attack for specialized support.

Today we are announcing the general availability of three new exciting features for Azure DDoS Protection Standard customers: Attack Mitigation Reports, Attack Mitigation Flow Logs and DDoS Rapid Response. Customers protecting their virtual networks against DDoS attacks with Azure DDoS Protection will now have detailed visibility into attack traffic and actions taken to mitigate the attack, via diagnostic settings in Azure Monitor. In addition, DDoS Rapid Response can help with attack investigation, custom mitigations during an attack and post-attack analysis.

Attack Mitigation Reports

Attack Mitigation Reports use aggregated network flow data to provide detailed information about attacks targeted at your resources. Attack Mitigation Reports can be enabled simply via Diagnostic Settings in Azure Monitor. Once enabled, Attack Mitigation Reports will be processed with Log Analytics, an Azure Storage account or Event Hub for downstream integration with SIEM systems like Splunk or Stream Analytics.

Diagnostic Settings

When a customer’s Public IP resource is the target of a DDoS attack, then attack data will be generated every five minutes. When an attack finishes, a post-mitigation report will be generated for the entire duration of the DDoS attack.

Post-Mitigation Report

Attack Mitigation Report schema

Both the incremental and post-attack Mitigation Reports include the following fields:

  • Attack vectors
  • Traffic statistics
  • Reason for dropped packets
  • Protocols involved
  • Top 10 source countries or regions
  • Top 10 source ASNs

For more information and sample report, refer to the DDoS Protection Standard documentation.

Attack Mitigation Flow Logs

Attack Mitigation Flow Logs allow you to review the dropped traffic, forwarded traffic and other attack data in near real-time during an active DDoS attack. Customers using Azure DDoS Protection Standard can ingest this data into SIEM systems like Splunk or Stream Analytics for near-real-time monitoring.

Attack Mitigation Flow Logs

Like Attack Mitigation Reports, Attack Mitigation Flow Logs are enabled via diagnostic settings in Azure Monitor for a given Public IP resource and can be integrated with log analytics, storage account or event hub.

Diagnotic-Settings

Attack Mitigation Flow Logs schema

Flow logs will have the following fields:

  • Source IP
  • Destination IP
  • Source Port
  • Destination port
  • Protocol type
  • Action taken during mitigation

DDoS Attack Analytics will give you complete visibility into DDoS attacks with near real-time streams and reports of ongoing or historical attacks. In addition, we are also pleased to announce that customers onboarded to DDoS Protection Standard now have access to DDoS experts during an active attack. DDoS experts can help with custom mitigations during an attack and post-attack analysis.

DDoS Rapid Response (DRR)

DDoS Protection Standard customers now have access to Rapid Response team during an active attack. DRR can help with attack investigation, custom mitigations during an attack and post-attack analysis.

Follow the steps below to engage DRR during an active attack:

1. From Azure Portal while creating a new support request, choose Issue Type as Technical.

2. Choose Service as DDOS Protection.

3. Choose a resource in the resource drop down menu. You must select a DDoS Plan that’s linked to the virtual network being protected by DDoS Protection Standard to engage DRR.

Basics

4. On the next Problem page select the severity as A -Critical Impact and Problem Type as ‘Under attack.’

Problem

5. Complete additional details and submit the support request.

DRR follows the Azure Rapid Response support model. Refer to Support scope and responsiveness for more information on Rapid Response..

To learn more, read the DDoS Protection Standard documentation.

DDoS Protection Planning

Planning and preparing for a DDoS attack is crucial in understanding the availability and response of an application during an actual attack. Organizations should also establish a well vetted DDoS incident management response plan.

To assist in this planning we have published an end to end DDoS Protection – Best Practices and Reference Architecture guide and encourage all customers to apply those practices while designing applications for resiliency against DDoS attacks in Azure.

Learn how Microsoft Azure DDoS Protection Standard customers benefit from proactive, continuous DDoS protection planning when securing cloud resources.

We would love to hear your feedback, questions, and comments through our regular channels including forums, StackOverFlow, or UserVoice.