Azure DDoS Protection Standard overview

Important

Azure DDoS Protection Standard is currently in preview. A limited number of Azure resources support DDoS Protection Standard, and in a select number of regions. You need to register for the service during the limited preview to get DDoS Protection Standard enabled for your subscription. You are contacted by the Azure DDoS team upon registration to guide you through the enablement process. DDoS Protection Standard is available in US East, US West, and West Central US regions. During preview, you are not charged for using the service.

Distributed Denial of Service (DDoS) attacks are one of the largest availability and security concerns facing customers moving their applications to the cloud. A DDoS attack attempts to exhaust an application’s resources making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the Internet.

Azure DDoS Protection combined with application design best practices together provide defense against these attacks. These two service tiers are provided:

  • Azure DDoS Protection Basic - is already automatically enabled as part of the Azure platform at no additional charge. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses utilized by Microsoft’s online services. The entire scale of Azure’s global network can be used to distribute and mitigate attack traffic across regions.
  • Azure DDoS Protection Standard - provides additional mitigation capabilities tuned specifically to Virtual Network resources. It is simple to enable and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms and applied to public IPs associated with Virtual Network resources such as Load Balancer, Application Gateway, and Service Fabric instances. Real-time telemetry is available through Azure Monitor views during an attack and as history afterwards. Application layer protections can be added through Application Gateway Web Application Firewall.

Azure DDoS Protection Standard

For development and test scenarios, you are welcome to try DDoS Protection Standard and use these resources to provide feedback on your experiences:

For support issues, you can open an Azure support ticket.

Types of DDoS attacks that DDoS Protection Standard mitigates

DDoS Protection Standard can mitigate these types of attacks:

  • Volumetric attacks - The attack's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic. This category includes UDP floods, amplification floods, and other spoofed-packet floods. DDoS Protection Standard mitigates these potential multi-gigabyte attacks automatically by absorbing and scrubbing them using Azure’s global network scale.
  • Protocol attacks - These attacks render a target inaccessible by exploiting a weakness in the Layer 3 and Layer 4 protocol stack. This category includes SYN flood attacks, reflection attacks, and other protocol attacks. DDoS Protection Standard mitigates these attacks by interacting with the client to differentiate between malicious and legitimate traffic and blocking the malicious traffic.
  • Application layer attacks - These attacks target web application packets to disrupt the transmission of data between hosts. This category includes HTTP protocol violations, SQL injection, cross-site scripting, and other Layer 7 attacks. Use Application Gateway WAF together with DDoS Protection Standard to provide defense against these attacks.

DDoS Protection Standard protects resources in a virtual network including Public IPs associated with VMs, internal load balancers, and application gateways. When coupled with the Application Gateway WAF SKU, DDoS Protection Standard can provide full L3 to L7 mitigation capability.

DDoS Protection Standard features

DDoS functionality

DDoS Protection Standard features include:

  • Native platform integration: DDoS Protection Standard is natively integrated into Azure and includes configuration through the Azure portal and PowerShell. DDoS Protection Standard understands your resources and resource configuration.
  • Always-on traffic monitoring: Your application traffic patterns are monitored 24x7, looking for indicators of DDoS attacks. Mitigation is performed when protection policies are exceeded.
  • Turn-key protection: Simplified configuration immediately protects all resources on a virtual network as soon as DDoS Protection Standard is enabled. No intervention or user definition is required - DDoS Protection Standard instantly and automatically mitigates the attack once it has been detected.
  • Adaptive tuning: Intelligent traffic profiling learns your application’s traffic over time, and selects and updates the profile that is the most suitable for your service. The profile adjusts as traffic changes over time.
  • L3 to L7 protection with an application gateway: Combined with Application Gateway WAF features, DDoS Protection Standard provides full-stack DDoS protection.
  • Extensive mitigation scale: Over 60 different attack types can be mitigated with global capacity to protect against the largest known DDoS attacks.
  • Attack metrics: Summarized metrics from each attack are accessible through Azure Monitor.
  • Attack alerting: Alerts can be configured at the start and stop of an attack, and over the attack’s duration using built-in attack metrics. Alerts integrate into your operational software like OMS, Splunk, Azure Storage, Email, and Azure portal.
  • Cost guarantee: Data-transfer and application scale-out service credits for documented DDoS attacks.
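The following is an added example, not part of the original article, showing how the turn-key enablement and the attack alerting described above look from PowerShell. It assumes the later GA Az PowerShell module (Az.Network, Az.Monitor), where Standard protection is attached to a virtual network through a DDoS protection plan; the resource group, network, public IP and action group names are placeholders.

```powershell
# Added example (not from the original article): enable DDoS Protection
# Standard on an existing virtual network, alert at the start of an attack,
# and query the attack metric. Cmdlets are from the GA Az module; resource
# names below are assumptions, not values from the page.
$rg       = "rg-ddos-demo"          # assumed resource group
$location = "westus"                # one of the preview regions named on the page
$vnetName = "vnet-demo"             # assumed existing virtual network
$pipName  = "pip-web-frontend"      # assumed public IP inside that virtual network

# 1. Create the DDoS protection plan (Standard tier is plan-based in the GA module).
$plan = New-AzDdosProtectionPlan -ResourceGroupName $rg -Name "ddos-plan-demo" -Location $location

# 2. Attach the plan to the virtual network. Every public IP on the network is
#    then protected with no application changes (turn-key protection).
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$vnet.DdosProtectionPlan = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
$vnet.DdosProtectionPlan.Id = $plan.Id
$vnet.EnableDdosProtection = $true
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. Alert when the public IP's "under DDoS attack" metric becomes 1, which is
#    the moment mitigation starts; the alert resolves when it returns to 0.
$pip = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName
$criteria = New-AzMetricAlertRuleV2Criteria -MetricName "IfUnderDDoSAttack" `
    -TimeAggregation Maximum -Operator GreaterThan -Threshold 0
$actionGroup = Get-AzActionGroup -ResourceGroupName $rg -Name "ag-secops"   # assumed to exist
Add-AzMetricAlertRuleV2 -Name "alert-ddos-attack-start" -ResourceGroupName $rg `
    -TargetResourceId $pip.Id -Condition $criteria -ActionGroupId $actionGroup.Id `
    -WindowSize 00:05:00 -Frequency 00:01:00 -Severity 1

# 4. Pull the last hour of the same metric and list the minutes that were
#    under mitigation; an empty result means no attack was detected.
Get-AzMetric -ResourceId $pip.Id -MetricName "IfUnderDDoSAttack" -TimeGrain 00:01:00 `
    -StartTime (Get-Date).AddHours(-1) -EndTime (Get-Date) -AggregationType Maximum |
    Select-Object -ExpandProperty Data |
    Where-Object { $_.Maximum -gt 0 } |
    Select-Object TimeStamp, Maximum
```

The action group is where the alert fans out to e-mail or an operational tool such as the OMS or Splunk integrations mentioned in the feature list.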

DDoS Protection Standard mitigation

Microsoft’s DDoS Protection service monitors actual traffic utilization and constantly compares it against the thresholds defined in the DDoS policy. When a traffic threshold is exceeded, DDoS mitigation is initiated automatically. When traffic returns below the threshold, the mitigation is removed.

During mitigation, traffic towards the protected resource is redirected by the DDoS Protection service and several checks are performed. These checks generally perform the following functions:

  • Ensure packets conform to Internet specifications and are not malformed.
  • Interact with the client to determine whether a packet is potentially spoofed (for example, through SYN Auth or SYN Cookie, or by dropping a packet so that a genuine source retransmits it).
  • Rate-limit packets if no other enforcement method can be performed.

DDoS Protection blocks the attack traffic and forwards the remaining traffic to its intended destination. Within a few minutes of attack detection, you are notified through Azure Monitor metrics. By configuring logging on DDoS Protection Standard telemetry, you can write the logs to the available destinations for future analysis. Metric data in Azure Monitor for DDoS Protection Standard is currently retained for 30 days.

We do not advise customers to simulate their own DDoS attacks. Instead, customers can use the support channel to request a DDoS attack simulation executed by Azure Networking. An Engineer will contact you to arrange the details of the DDoS attack (ports, protocols, target IPs) and arrange a time to schedule the test.

Next steps