If you are exposing your applications hosted in Microsoft Azure to the Internet, you are protected by the built-in DDoS (distributed denial of service) protection for free. The feature is always enabled in Azure as part of the protection of the platform. However, we can go to an extra level of security and enable the paid DDoS Standard feature, which brings additional functionality to your cloud infrastructure.
DDoS attacks are classified into three types, based on Azure documentation. They are:
- Volumetric attacks: A large number of connections tries to exhaust network resources. The attacker uses several infected systems to open connections at the same time over TCP, UDP, or ICMP.
- Protocol attacks: They target the application protocols. The attacker sends malformed packets to make the application answer and wait for a response, thus creating a delay or a crash.
- Resource attacks: The main goal is to exhaust resources by requesting high-demand processing to overwhelm the target. They usually target the HTTP/HTTPS or DNS protocols.
What is the difference between free and DDoS Standard?
You may be wondering: if I already have the DDoS Basic service for free as part of my subscription, what is the difference with the paid DDoS Standard option? Before answering the question, let's understand what is being offered in DDoS Basic.
DDoS protection in Azure comprises both software and hardware components, and all Azure customers share this protection. When there is a high traffic volume and an attack seems imminent, the software portion of the DDoS protection moves the traffic to specific hardware appliances. These appliances perform further analysis and remove any malicious requests. As a customer, you don't have control of the scenario above. It is built into the Azure platform. Bear in mind that you are sharing the environment with several other tenants, and the goal of the basic protection is to protect Azure, not your specific application.
That summarizes DDoS Basic (free). Now let's see the additional features of DDoS Standard. For starters, the traffic of your application is monitored 24/7, so any DDoS attack specific to your service will be mitigated. The volume of the attack might not have been enough to trigger the protection of DDoS Basic, but with DDoS Standard you will be protected. The second benefit is visibility: the cloud administrator can see the logs, use Azure Monitor, and contact a DDoS expert team during an attack.
When using Azure Application Gateway, DDoS protection will guard against common attacks such as HTTP protocol violations, SQL injection, XSS, and request-rate limit attacks.
Creating and enabling a DDoS protection plan
The configuration on the Microsoft Azure side is straightforward. We need to associate an existing DDoS plan with a virtual network. To do that, open the desired virtual network blade in the Azure Portal, then click on DDoS Protection.
By default, it is configured as Basic. Click on Standard and select a DDoS plan from the list. If this is your first one, click on the Create a DDoS protection plan link.
The creation of a DDoS protection plan requires only the name that we want to assign to it, nothing else. The creation is depicted in the image below.
After creation, we can list all existing DDoS protection plans. Search for DDoS Protection, and on the Overview blade a list of all protected virtual networks will be shown. Bear in mind that any public IP address associated with the VNet in use will be protected.
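The same three steps (create the plan, switch the VNet from Basic to Standard, list what the plan protects) can be scripted with Azure CLI. This is an added example, not part of the original post; the resource group, region, plan and VNet names are placeholders, and DRY_RUN=1 prints the commands instead of running them so the script can be reviewed without an Azure login.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the portal walkthrough done
# with Azure CLI. All resource names below are placeholders.
set -eu

RG="${RG:-rg-ddos-demo}"            # resource group (placeholder)
LOCATION="${LOCATION:-eastus}"      # region (placeholder)
PLAN="${PLAN:-ddos-plan-demo}"      # DDoS protection plan name (placeholder)
VNET="${VNET:-vnet-app-demo}"       # existing virtual network (placeholder)

# Print the command instead of running it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: a plan needs only a name, a resource group and a location.
create_plan() {
  run az network ddos-protection create \
    --resource-group "$RG" --name "$PLAN" --location "$LOCATION"
}

# Step 2: switch the VNet from Basic to Standard by attaching the plan.
# Every public IP on that VNet is covered once this is applied.
enable_on_vnet() {
  run az network vnet update \
    --resource-group "$RG" --name "$VNET" \
    --ddos-protection true --ddos-protection-plan "$PLAN"
}

# Step 3: the equivalent of the portal's Overview blade; the plan's
# virtualNetworks property lists the resource IDs of the VNets it protects.
list_protected_vnets() {
  run az network ddos-protection show \
    --resource-group "$RG" --name "$PLAN" \
    --query "virtualNetworks[].id" --output tsv
}

# Run the three steps only when invoked directly with "apply".
if [ "${1:-}" = "apply" ]; then
  create_plan
  enable_on_vnet
  list_protected_vnets
fi
```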
Testing the DDoS Standard offering
There is a Microsoft partner (Ixiacom) that allows simulation of a DDoS attack by generating traffic. It helps to see how the feature works and helps train your team to be prepared during an attack. We are going to use their free trial service to simulate a DDoS attack.
The first step is to get access to your trial using this link here. After providing your information and activating your email address, we can log on to the partner website, where we find the DDoS Test Configuration. We need to provide the Azure subscription (Item 1), and the process will require authentication into Azure to confirm the subscription.
After that, we need to enter the public IP address of the VM that we are going to test, the port number, the type of DDoS attack, the size of the test, and the duration. After filling out all that information, click on Start Test.
Auditing the DDoS attack
We can open the Diagnostic Settings of the public IP, select all the DDoS logs (notifications, flow and mitigation), and store them in a storage account, an event hub or a Log Analytics workspace.
Using metrics and configuring alerts
When using DDoS Standard, the administrator can open Azure Monitor to check metrics related to DDoS. Select the public IP resource that is protected by DDoS Standard and select the DDoS metrics (they contain DDoS in their names).
An important one is Under DDoS Attack. When the value is 1, we know that that specific public IP is under attack.
We can use Azure Monitor to create rules to inform the Security/Operations teams when public IPs are under attack. We need to select the desired public IP address, select Metrics (Item 2), and All (Item 3), then choose Under DDoS attack or not.
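The auditing and alerting setup from the two sections above can also be done with Azure CLI: one command wires the three DDoS log categories to a Log Analytics workspace, and one creates a metric alert on the metric behind "Under DDoS attack or not" (its internal name is IfUnderDDoSAttack). This is an added example, not part of the original post; resource names, the workspace ID and the action group are placeholders, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): DDoS diagnostic logs and an
# "Under DDoS attack" alert via Azure CLI. All names below are placeholders.
set -eu

RG="${RG:-rg-ddos-demo}"                                # resource group (placeholder)
PIP="${PIP:-pip-app-demo}"                              # protected public IP (placeholder)
WORKSPACE_ID="${WORKSPACE_ID:-<log-analytics-workspace-resource-id>}"
ACTION_GROUP="${ACTION_GROUP:-ag-secops}"               # action group name/ID (placeholder)

# Print the command instead of running it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Resource ID of the public IP; both commands below take the ID.
pip_id() {
  az network public-ip show --resource-group "$RG" --name "$PIP" --query id --output tsv
}

# The three DDoS log categories mentioned in the post, as Azure names them.
ddos_log_categories() {
  printf '[{"category":"DDoSProtectionNotifications","enabled":true},'
  printf '{"category":"DDoSMitigationFlowLogs","enabled":true},'
  printf '{"category":"DDoSMitigationReports","enabled":true}]'
}

# Auditing: send all three categories to a Log Analytics workspace
# (use --storage-account or --event-hub instead of --workspace for those sinks).
enable_ddos_logs() {
  run az monitor diagnostic-settings create \
    --name "ddos-logs" --resource "$1" \
    --logs "$(ddos_log_categories)" --workspace "$WORKSPACE_ID"
}

# Alerting: IfUnderDDoSAttack is 1 while mitigation is active on the IP,
# so fire when its maximum over a 5-minute window is above 0.
create_under_attack_alert() {
  run az monitor metrics alert create \
    --name "ddos-under-attack-$PIP" --resource-group "$RG" \
    --scopes "$1" \
    --condition "max IfUnderDDoSAttack > 0" \
    --window-size 5m --evaluation-frequency 1m --severity 1 \
    --action "$ACTION_GROUP" \
    --description "Public IP $PIP is under DDoS mitigation"
}

if [ "${1:-}" = "apply" ]; then
  id="$(pip_id)"
  enable_ddos_logs "$id"
  create_under_attack_alert "$id"
fi
```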
DDoS Standard: Where to find cost information
The feature is excellent and brings a lot of value if you want to add an extra layer of security to your applications being hosted in Microsoft Azure.
A key point to consider is the price. DDoS Standard costs around $3,000 to be applied to up to 100 resources. If you have more than 100 resources (public IP-related), there is a fee of $30 per resource. On top of that, there is a cost for the data processed per month; the first tier is from 0 to 100 TB (terabytes), and the price is $0.05.
If you have multiple subscriptions, the resources are counted at the enrollment level, and the data processing fees are charged at the subscription level.
If you need more information about the cost of DDoS Standard, you can use this link here.
Featured image: Shutterstock