Azure DDoS Protection Standard

Tips and Tidbits

  • A DDoS attack attempts to exhaust an application's resources, making the application unavailable to legitimate users.

  • DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.

  • Every property in Azure is protected by Azure's infrastructure DDoS (Basic) Protection at no additional cost.

    • DDoS Protection Basic requires no user configuration or application changes.

  • DDoS Protection Standard can mitigate the following types of attacks:

    • Volumetric attacks: These attacks flood the network layer with a substantial amount of seemingly legitimate traffic. They include UDP floods, amplification floods, and other spoofed-packet floods.

      • DDoS Protection Standard automatically mitigates these potentially multi-gigabyte attacks by absorbing and scrubbing them at the scale of Azure's global network.

    • Protocol attacks: These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack.

      • They include SYN flood attacks, reflection attacks, and other protocol attacks.

      • DDoS Protection Standard mitigates these attacks by interacting with the client to differentiate malicious from legitimate traffic, then blocking the malicious traffic.

    • Resource (application) layer attacks: These attacks target web application packets to disrupt the transmission of data between hosts.

      • They include HTTP protocol violations, SQL injection, cross-site scripting, and other layer 7 attacks.

      • Use a web application firewall, such as the Azure Application Gateway web application firewall, together with DDoS Protection Standard to defend against these attacks.

  • Multiple networks from different subscriptions can be linked to one DDoS Protection Standard plan.

Deploy Azure DDoS Protection by using the Azure portal

  • Policies are applied to public IP addresses associated with resources deployed in virtual networks, such as Azure Load Balancer, Azure Application Gateway, and Azure Service Fabric instances, but this protection does not apply to App Service Environments.

  • Basic: Automatically enabled as part of the Azure platform.

    • Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses used by Microsoft's online services.

    • The entire scale of Azure's global network can be used to distribute and mitigate attack traffic across regions.

    • Protection is provided for IPv4 and IPv6 Azure public IP addresses.

  • DDoS Protection Standard monitors actual traffic utilization and constantly compares it against the thresholds defined in the DDoS Policy.

  • When the traffic threshold is exceeded, DDoS mitigation is initiated automatically.

  • When traffic returns below the thresholds, the mitigation is stopped.
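
As an added example (not from these notes or from Microsoft's documentation), the same deployment expressed as a Bicep template instead of the portal: it creates a DDoS protection plan and links a new virtual network to it, so the plan's policies apply to public IPs attached to resources in that network. The resource names, address ranges and API version are assumptions.

```bicep
// Added example: a DDoS Protection Standard plan plus one virtual network
// linked to it. Names, address ranges and the API version are assumptions.
param location string = resourceGroup().location
param planName string = 'ddos-plan-example'   // assumed name
param vnetName string = 'vnet-example'        // assumed name

// The plan is a standalone resource; virtual networks in other subscriptions
// can reference its id the same way this template does.
resource ddosPlan 'Microsoft.Network/ddosProtectionPlans@2020-11-01' = {
  name: planName
  location: location
  properties: {}
}

// Linking the network: enableDdosProtection must be true and the plan id set.
// If enableDdosProtection is left false (the default), only Basic protection applies.
resource vnet 'Microsoft.Network/virtualNetworks@2020-11-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [ '10.0.0.0/16' ]   // assumed range
    }
    subnets: [
      {
        name: 'default'
        properties: { addressPrefix: '10.0.0.0/24' }   // assumed range
      }
    ]
    enableDdosProtection: true
    ddosProtectionPlan: {
      id: ddosPlan.id
    }
  }
}

// Expose the plan id so other templates (or other subscriptions) can link to it.
output ddosPlanId string = ddosPlan.id
```

Deploy it into a resource group with `az deployment group create --resource-group <rg> --template-file ddos.bicep`, then confirm in the portal that the virtual network shows DDoS Protection Standard enabled.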