This blog post was co-authored by JR Mayberry, Principal PM Manager, Azure Networking.
Today we are excited to announce the general availability of the Azure DDoS Protection Standard service in all public cloud regions. This service is integrated with Azure Virtual Networks (VNet) and provides protection and defense for Azure resources against the impacts of DDoS attacks.
Distributed Denial of Service (DDoS) attacks are intended to disrupt a service by exhausting its resources (e.g., bandwidth, memory). DDoS attacks are one of the top availability and security concerns voiced by customers moving their applications to the cloud. With extortion and hacktivism being the common motivations behind DDoS attacks, they have been consistently increasing in type, scale, and frequency of occurrence as they are relatively easy and cheap to launch.
These concerns are justified as the number of documented DDoS amplification attacks increased by more than 357 percent in the fourth quarter of 2017, compared to 2016 according to data from Nexusguard. Further, more than 56 percent of all attacks exploit multiple vector combinations. In February 2018, Github was attacked via a reflection exploit in Memcached generating 1.35 terabits of attack traffic, the largest DDoS attack ever recorded.
As the types and sophistication of network attacks increases, Azure is committed to providing our customers with solutions that continue to protect the security and availability of applications on Azure. Security and availability in the cloud is a shared responsibility. Azure provides platform level capabilities and design best practices for customers to adopt and apply into application designs that meet their business objectives.
Azure DDoS Protection Service offerings
Azure has two DDoS service offerings that provide protection from network attacks (Layer 3 and 4) - DDoS Protection Basic and DDoS Protection Standard.
Azure DDoS Protection Basic service
Basic protection is integrated into the Azure platform by default and at no additional cost. The full scale and capacity of Azure’s globally deployed network provides defense against common network layer attacks through always-on traffic monitoring and real-time mitigation. No user configuration or application changes are required to enable DDoS Protection Basic. Basic protection also defends against the most common, frequently occurring Layer 7 DNS Query Floods and volumetric attacks that target your Azure DNS zones. This service also has a proven track record in protecting Microsoft’s enterprise and consumer services from large scale attacks.
Azure DDoS Protection Standard Service
Azure DDoS Protection Standard provides enhanced DDoS mitigation capabilities for your application and resources deployed in your virtual networks. Protection is simple to enable on any new or existing virtual network and requires no application or resource changes. DDoS Protection Standard utilizes dedicated monitoring and machine learning to configure DDoS protection policies tuned to your virtual network traffic profiles. Attack telemetry is available through Azure Monitor, enabling alerting when your application is under attack. Integrated Layer 7 application protection can be provided by Application Gateway WAF.
Azure DDoS Protection Standard service features
Native platform integration and turn-key protection
DDoS Protection Standard is natively integrated into the Azure platform and includes configuration through the Azure portal and PowerShell when you create a DDoS Protection Plan and enable DDoS Standard on a virtual network. Simplified provisioning immediately protects all resources in a virtual network with no additional application changes required.
Always-on monitoring and adaptive tuning
When DDoS Protection Standard is enabled, your application traffic patterns are continuously monitored for indicators of attacks. DDoS Protection understands your resources and resource configuration and customizes the DDoS Protection policy to your virtual network. Machine learning algorithms set and adjust protection policies as traffic patterns change over time.
L7 protection with Application Gateway
Azure DDoS Protection service in combination with Application Gateway Web Application Firewall provides DDoS Protection for common web vulnerabilities and attacks.
- Request rate-limiting
- HTTP protocol violations
- HTTP protocol anomalies
- SQL injection
- Cross site scripting
DDoS Protection Standard enabled on a Web application firewall VNet
More details on supported scenarios can be found in the Azure DDoS Protection Standard - Best Practices & Reference Design documentation.
DDoS Protection telemetry, monitoring, and alerting
Rich telemetry is exposed via Azure Monitor including detailed metrics during the duration of a DDoS attack. Alerting can be configured for any of the Azure Monitor metrics exposed by DDoS Protection. Logging can be further integrated with Splunk (Azure Event Hubs), OMS Log Analytics, and Azure Storage for advanced analysis via the Azure Monitor Diagnostics interface.
More details can be found in the Manage Azure DDoS Protection Standard using the Azure portal documentation.
SLA guarantee and cost protection
DDoS Protection Standard service is covered by 99.99% SLA, and cost protection will provide resource credits for scale out during a documented attack. For more details, refer to the Azure SLA page.
Planning and preparing for a DDoS attack is crucial in understanding the availability and response of an application during an actual attack. Organizations should also establish a well vetted DDoS incident management response plan.
To assist in this planning we have published an end to end DDoS Protection - Best Practices & Reference Architecture guide and encourage all customers to apply those practices while designing applications for resiliency against DDoS attacks in Azure.
We have also partnered with BreakingPoint Cloud to offer tooling for Azure customers to generate traffic load against DDoS Protection enabled public endpoints to simulate attacks. BreakPoint Cloud simulation will allow you to:
- Validate how Microsoft Azure DDoS Protection protects your Azure resources from DDoS attacks
- Optimize your incident response process while under DDoS attack
- Document DDoS compliance
- Train your network security teams
To learn more about the service, review the Azure DDoS Protection service documentation.