Q&A
Inside Azure DDoS Protection: Scalable Defense Against Modern Attacks
Azure expert Aidan Finn previews how Microsoft's cloud-scale DDoS Protection detects, mitigates and monitors attacks ahead of his Live! 360 Orlando session.
Distributed denial-of-service attacks continue to challenge IT teams, overwhelming resources and disrupting services if left unchecked. Microsoft's Azure DDoS Protection is designed to address this threat at scale, using machine learning and the reach of the Azure global network to detect and mitigate attacks in real time.
In this Q&A with Redmondmag, Azure MVP Aidan Finn explains how the service distinguishes between legitimate traffic and malicious floods, what steps are needed for configuration, and how it works alongside tools like WAF, NSGs and Azure Firewall. The discussion also covers monitoring strategies and the advantage of cloud-based absorption at terabit levels.
And for more insights from Finn, make plans to be in attendance for his upcoming Live! 360 session, titled "Preventing A Tsunami with Azure DDoS Protection," taking place in Orlando, Fla. this November. Attendees will gain insight into enabling Azure DDoS Protection, setting up alerts, and preparing operational responses, with practical guidance drawn from real-world examples of some of the largest attacks seen to date.
Redmondmag: How does Azure DDoS Protection distinguish between attack traffic and legitimate spikes?
Finn: The detection system is multi-layered. Each public IP address that is protected is monitored by a machine-learned and -powered system that maintains a history for that public IP address. The trends of traffic over time are remembered, so a typical spike that regularly happens is considered normal. In addition, Azure DDoS Protection analyses the packets. Are source IPs faked or random? Are there suspicious protocol markers such as flags, retransmissions or session state? Are packets malformed or is there no payload? Are there excessive amounts of SYNs or no ACKs? These patterns are compared with known attacks and used to identify an attack in progress.
What configuration steps are essential for effective DDoS mitigation?
From a technical perspective, there is very little to be configured. If you want to use the free plan, then there is nothing to do. If you want to pay for extra protection, then you enable the protection either on a Public IP Address or by associating a plan with the Virtual Networks that contain the Public IP Addresses you want to protect.
From a procedural point of view there is much more; DDoS attacks are a security event and should be treated as such with the normal procedures for the event, recovery, and post-attack analysis.
How should DDoS protection integrate with WAF, NSGs or Azure Firewall?
Integration is probably the wrong term. Cooperation might be a better term. Azure DDoS Protection focuses on L3/L4. A Web Application Firewall (Front Door or Application Gateway) is typically the largest entry point from the Internet to your organization's services. DDoS Protection will protect shared business services at the lower levels of the stack. The WAF will provide protection against L7 attacks; one should look into Bot Protection and Rate Limiting.
What proactive monitoring alerts should teams configure?
DDoS attack monitoring requires a paid-for plan: either the (per) IP Protection plan or the Network Protection plan. The diagnostics settings of the protected Public IP Address resources must be configured to send data to your monitoring system. If you are just using Azure Monitor, then you can configure an Alert/Action Group to trigger a response (such as an email) to inform you that certain metric thresholds have been exceeded. The key metric (but not the only one) to monitor is called IfUnderDDoSAttack.
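One way to wire up what Finn describes above (diagnostic settings on the protected Public IP plus an Azure Monitor metric alert on IfUnderDDoSAttack), as an added Bicep example that is not part of the interview; the parameter names, the alert and diagnostic-setting names, and the assumption that a Log Analytics workspace and an Action Group already exist are mine.

```bicep
// Added example, not from the interview; parameter and resource names are assumptions.
param publicIpName string
param workspaceId string   // resource ID of a Log Analytics workspace (assumed)
param actionGroupId string // resource ID of an existing Action Group (assumed)
// Reference the already-deployed, DDoS-protected public IP address.
resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' existing = {
  name: publicIpName
}
// Diagnostics: ship the three DDoS log categories plus metrics to the workspace.
resource ddosDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'ddos-diagnostics'
  scope: pip
  properties: {
    workspaceId: workspaceId
    logs: [
      { category: 'DDoSProtectionNotifications', enabled: true }
      { category: 'DDoSMitigationFlowLogs', enabled: true }
      { category: 'DDoSMitigationReports', enabled: true }
    ]
    metrics: [ { category: 'AllMetrics', enabled: true } ]
  }
}
// Sev 0 alert: IfUnderDDoSAttack is 0 or 1, so a Maximum above 0 in the window means mitigation is active.
resource ddosAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = {
  name: 'ddos-under-attack-${publicIpName}'
  location: 'global'
  properties: {
    severity: 0
    enabled: true
    scopes: [ pip.id ]
    evaluationFrequency: 'PT1M'
    windowSize: 'PT5M'
    autoMitigate: true
    criteria: {
      'odata.type': 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
      allOf: [
        {
          name: 'UnderDDoSAttack'
          metricNamespace: 'Microsoft.Network/publicIPAddresses'
          metricName: 'IfUnderDDoSAttack'
          operator: 'GreaterThan'
          threshold: 0
          timeAggregation: 'Maximum'
          criterionType: 'StaticThresholdCriterion'
        }
      ]
    }
    actions: [ { actionGroupId: actionGroupId } ]
  }
}
```

Deploy it at resource-group scope into the group that holds the Public IP; with autoMitigate the alert resolves itself once the metric drops back to 0, which also marks the end of the incident for your post-attack analysis.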
How is DDoS coverage scaled across regions or hybrid networks?
This is the beauty of the cloud. The protection is not handled by some appliance, but by the fabric. Imagine running your systems on the (estimated) second largest network on the planet with hundreds of entry points around the world. That's what Azure is. You have terabits of bandwidth and countless amounts of compute, powered by machine learning and one of the best-funded security intelligence systems on the planet. The levels of protection and, importantly, absorption for DDoS attacks provided by Azure are light years ahead of what a normal enterprise can build for themselves. In 2021, a customer in Asia was subjected to a 3.47 Terabits Per Second (!) attack for 15 minutes from over 10,000 sources across multiple countries. The attack was automatically mitigated and the customer suffered no downtime. That was the third largest publicly acknowledged DDoS attack of all time. How many of us can honestly say that we can build that level of protection in our own computer rooms or datacenters?