11.3. DDoS Protection
Distributed Denial of Service (DDoS) attacks have become one of the most pernicious threats faced by organizations operating on the internet. These attacks overwhelm network resources by flooding them with massive volumes of traffic from multiple sources, often distributed globally. For cloud-based services, particularly those on platforms like Microsoft Azure, a DDoS attack can disrupt services, erode user trust, and cause significant financial losses. Azure’s DDoS Protection service is specifically designed to combat this threat, providing a critical layer of security for applications and services running in the Azure cloud.
The Nature of DDoS Attacks
Understanding DDoS Protection starts with understanding DDoS attacks themselves. These attacks can target different layers of a network:
● Volume-Based Attacks: The most common form of DDoS. It includes ICMP floods and UDP floods, in which the attacker overwhelms the bandwidth of the targeted site.
● Protocol Attacks: These include SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS, and more. They aim to consume the resources of the servers themselves or of intermediate communication equipment, such as firewalls and load balancers.
● Application Layer Attacks: These are more sophisticated, targeting the web application layer where web pages are generated on the server and delivered in response to HTTP requests.
Overview of Azure DDoS Protection
Azure DDoS Protection leverages Microsoft’s global infrastructure and network to protect against DDoS attacks. It’s composed of two service tiers:
● Basic: Automatically enabled as part of the Azure platform, this tier provides protection against common network-level attacks.
● Standard: This tier provides enhanced DDoS mitigation capabilities that are tuned specifically to Azure Virtual Network resources.
Azure DDoS Protection Basic
The Basic service tier is designed to protect all Azure services from the most common and known network volumetric attacks. Here’s how it functions:
● Always On Traffic Monitoring: The Azure platform continuously monitors traffic to identify potential DDoS threats.
● Adaptive Tuning: Based on standard DDoS protection practices, Azure automatically mitigates the attack by filtering out the malicious traffic.
● No User Configuration or Intervention Required: Basic protection is applied to all Azure services automatically, without any user configuration, providing immediate and continuous protection.
Azure DDoS Protection Standard
The Standard service tier provides additional protection over the Basic tier and is tailored to protect Azure Virtual Network resources. Its features include:
● Enhanced DDoS Mitigation Policies: Customized to the specific profile of your Azure resources, adapting over time to provide optimal protection.
● Application Layer Protection: Extends protection to the application layer, covering more sophisticated and targeted attacks.
● Real-Time Metrics and Reports: Provides detailed insight into the attack and how it was mitigated through Azure Monitor.
● Alerting: Allows you to set up alerts based on DDoS policy, providing immediate notifications during an attack.
● Cost Protection: Offers DDoS cost protection, which helps safeguard against the additional charges that can result when resources scale out during an attack.
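
One way to wire up the alerting and Azure Monitor metrics listed above, written as a Bicep template (an added example, not from the original text). It assumes a public IP address in a virtual network covered by the Standard tier and an existing action group. The parameter names, alert name, and evaluation windows are placeholders, and `IfUnderDDoSAttack` is the Azure Monitor metric on public IP addresses that reports 1 while mitigation is active.

```bicep
// Added example: metric alert that fires when a protected public IP is under DDoS mitigation.
// Parameter names and the alert name are illustrative placeholders.
@description('Resource ID of the public IP address to watch (assumed to be DDoS-protected).')
param publicIpId string

@description('Resource ID of an existing action group that receives the notification.')
param actionGroupId string

resource ddosAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = {
  name: 'ddos-under-attack'
  location: 'global' // metric alerts are global resources
  properties: {
    description: 'Public IP is under DDoS attack and mitigation is active.'
    severity: 1
    enabled: true
    scopes: [
      publicIpId
    ]
    evaluationFrequency: 'PT1M' // check every minute
    windowSize: 'PT5M'          // over a five-minute window
    criteria: {
      'odata.type': 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
      allOf: [
        {
          name: 'UnderAttack'
          criterionType: 'StaticThresholdCriterion'
          metricNamespace: 'Microsoft.Network/publicIPAddresses'
          metricName: 'IfUnderDDoSAttack'
          timeAggregation: 'Maximum' // any sample of 1 in the window triggers
          operator: 'GreaterThan'
          threshold: 0
        }
      ]
    }
    autoMitigate: true // resolve the alert when the metric returns to 0
    actions: [
      {
        actionGroupId: actionGroupId
      }
    ]
  }
}
```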