This blog post was co-authored by Alethea Toh, Program Manager and Syed Pasha, Principal Network Engineer, Azure Networking.
In early August, we shared Azure’s Distributed Denial-of-Service (DDoS) attack trends for the first half of 2021. We reported a 25 percent increase in the number of attacks compared to Q4 of 2020, albeit with a decline in maximum attack throughput, from one terabit per second (Tbps) in Q3 of 2020 to 625 Mbps in the first half of 2021.
The last week of August, we observed a 2.4 Tbps DDoS attack targeting an Azure customer in Europe. This is 140 percent higher than 2020’s 1 Tbps attack and higher than any network volumetric event previously detected on Azure.
Figure 1—maximum attack bandwidth (terabit per second) in 2020 vs. August 2021 attack.
The attack traffic originated from approximately 70,000 sources and from multiple countries in the Asia-Pacific region, such as Malaysia, Vietnam, Taiwan, Japan, and China, as well as from the United States. The attack vector was UDP reflection, spanning more than 10 minutes with very short-lived bursts, each ramping up to terabit volumes within seconds. In total, we monitored three main peaks, the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps.
Figure 2—attack lifespan and progress.
Azure’s massive scale DDoS protection
Attacks of this size demonstrate the ability of bad actors to wreak havoc by flooding targets with gigantic traffic volumes trying to choke network capacity. However, Azure’s DDoS protection platform, built on distributed DDoS detection and mitigation pipelines, can absorb tens of terabits of DDoS attacks. This aggregated distributed mitigation capacity can massively scale to absorb the highest volume of DDoS threats, providing our customers the protection they need.
The attack mitigation lifecycle is orchestrated by our control plane logic, which dynamically allocates mitigation resources to the optimal locations, closest to the attack sources. In this case, attack traffic that originated in the Asia-Pacific region and the United States did not reach the customer region but was instead mitigated in the source countries.
Azure provides additional protections beyond ample mitigation capacity. Azure’s DDoS mitigation employs fast detection and mitigation of large attacks by continuously monitoring our infrastructure at many points across the network. When deviations from baselines are extremely large, our DDoS control plane logic cuts through the normal detection steps needed for lower-volume floods and kicks in mitigation immediately. This ensures the fastest time-to-mitigation and prevents collateral damage from such large attacks.
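The two-speed detection logic described above, as an added illustration that is not Azure's code: a baseline is learned from a quiet window, lower-volume floods must persist for several consecutive samples before mitigation starts (the normal path), and an extreme deviation from baseline triggers mitigation on the very first sample (the fast path). The per-second traffic samples, the thresholds, and the function names are constructed assumptions for this example, not Azure's real parameters; the burst series mirrors the three peaks reported above.

```python
"""Baseline-deviation DDoS detection with a fast path for extreme floods.

Added illustration, not Azure's code. Samples are constructed per-second
ingress rates (Gbps) for one protected prefix; thresholds are assumptions.
"""
from statistics import mean, pstdev

# Assumed policy parameters (illustrative only).
NORMAL_SIGMA = 4.0           # normal path: flag when rate > mean + 4 * stddev
CONFIRM_SAMPLES = 3          # normal path: need 3 consecutive flagged samples
FAST_PATH_MULTIPLIER = 50.0  # fast path: mitigate at once above 50 x baseline mean

# Constructed sample data: a quiet baseline window, a moderate flood that
# needs confirmation, and a volumetric burst that ramps to Tbps in seconds.
BASELINE_WINDOW_GBPS = [9.8, 10.1, 10.4, 9.9, 10.0, 10.2, 9.7, 10.3]
MODERATE_FLOOD_GBPS = [10.0, 10.1, 40.0, 42.0, 45.0, 44.0, 10.2]
VOLUMETRIC_BURST_GBPS = [10.0, 300.0, 1500.0, 2400.0, 550.0, 1700.0, 10.1]


def build_baseline(history_gbps):
    """Return (mean, stddev) of a window of known-good samples."""
    if len(history_gbps) < 2:
        raise ValueError("need at least two samples to form a baseline")
    return mean(history_gbps), pstdev(history_gbps)


def classify(samples_gbps, baseline, fast_path=True):
    """Walk per-second samples and return a list of (second, rate, decision).

    decision is one of:
      'normal'        - within the baseline envelope
      'suspect'       - above the normal-path threshold, not yet confirmed
      'mitigate'      - normal path confirmed after CONFIRM_SAMPLES in a row
      'mitigate-fast' - extreme deviation; the fast path skips confirmation
    """
    base_mean, base_std = baseline
    normal_threshold = base_mean + NORMAL_SIGMA * base_std
    fast_threshold = base_mean * FAST_PATH_MULTIPLIER
    decisions = []
    streak = 0          # consecutive samples above the normal-path threshold
    mitigating = False  # once mitigation starts it continues while traffic is high
    for second, rate in enumerate(samples_gbps):
        if fast_path and rate >= fast_threshold:
            decision = "mitigate-fast"
            mitigating = True
            streak += 1
        elif rate > normal_threshold:
            streak += 1
            if mitigating or streak >= CONFIRM_SAMPLES:
                decision = "mitigate"
                mitigating = True
            else:
                decision = "suspect"
        else:
            # Traffic back inside the envelope: reset state, stop mitigating.
            streak = 0
            mitigating = False
            decision = "normal"
        decisions.append((second, rate, decision))
    return decisions


def time_to_mitigation(decisions):
    """Seconds until the first mitigate decision, or None if never reached."""
    for second, _, decision in decisions:
        if decision.startswith("mitigate"):
            return second
    return None


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_WINDOW_GBPS)
    for label, series in (("moderate flood", MODERATE_FLOOD_GBPS),
                          ("volumetric burst", VOLUMETRIC_BURST_GBPS)):
        with_fast = time_to_mitigation(classify(series, baseline))
        without_fast = time_to_mitigation(classify(series, baseline, fast_path=False))
        print(f"{label}: mitigation at {with_fast}s with fast path, "
              f"{without_fast}s without")
```

The moderate flood is mitigated only after three consecutive elevated samples, which keeps brief legitimate spikes from triggering mitigation; the volumetric burst crosses the fast-path threshold on its first terabit-scale sample and is mitigated one second earlier than the normal path would allow, which is the gain the post attributes to bypassing the lower-volume detection steps.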
Whether in the cloud or on-premises, every organization with internet-exposed workloads is vulnerable to DDoS attacks. Because of Azure's global absorption scale and advanced mitigation logic, the customer did not suffer any impact or downtime. If the customer had been running in their own datacenter, they would most probably have incurred extensive financial damage, alongside any intangible costs.
How to protect your workloads from DDoS attacks
The pace of digital transformation has accelerated significantly during the COVID-19 pandemic, alongside the adoption of cloud services. Bad actors, now more than ever, continuously look for ways to take applications offline. Therefore, organizations should give their utmost attention to developing a robust DDoS response strategy with Azure.
Azure DDoS Protection Standard provides enhanced DDoS mitigation features to defend against DDoS attacks. It is automatically tuned to protect all public IP addresses in virtual networks. Protection is simple to enable on any new or existing virtual network and does not require any application or resource changes.
Besides the timely protection against DDoS attacks, another key feature of Azure DDoS Protection Standard is cost protection, whereby customers enrolled in DDoS Protection Standard receive data-transfer and application scale-out service credit for resource costs incurred because of documented DDoS attacks. It is imperative to have such cost protection with large attacks that may incur significant costs. To assist customers in tracking and documenting DDoS attacks, we provide rich attack telemetry and logs.