
Azure DDoS Protection Standard overview

Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing customers that are moving their applications to the cloud. A DDoS attack attempts to exhaust an application's resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.

Azure DDoS protection, combined with application design best practices, provides defense against DDoS attacks. Azure DDoS protection offers the following service tiers:

  • Basic: Automatically enabled as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses used by Microsoft's online services. The entire scale of Azure's global network can be used to distribute and mitigate attack traffic across regions. Protection is provided for IPv4 and IPv6 Azure public IP addresses.
  • Standard: Provides additional mitigation capabilities over the Basic service tier that are tuned specifically to Azure Virtual Network resources. DDoS Protection Standard is simple to enable and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses associated with resources deployed in virtual networks, such as Azure Load Balancer, Azure Application Gateway, and Azure Service Fabric instances, but this protection does not apply to App Service Environments. Real-time telemetry is available through Azure Monitor views during an attack and for history. Rich attack mitigation analytics are available via diagnostic settings. Application layer protection can be added through the Azure Application Gateway Web Application Firewall or by installing a third-party firewall from Azure Marketplace. Protection is provided for IPv4 and IPv6 Azure public IP addresses.

Figure: Azure DDoS Protection Basic versus Standard

Types of DDoS attacks that DDoS Protection Standard mitigates

DDoS Protection Standard can mitigate the following types of attacks:

  • Volumetric attacks: The attack's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic. It includes UDP floods, amplification floods, and other spoofed-packet floods. DDoS Protection Standard mitigates these potential multi-gigabyte attacks by absorbing and scrubbing them automatically, with Azure's global network scale.
  • Protocol attacks: These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack. It includes SYN flood attacks, reflection attacks, and other protocol attacks. DDoS Protection Standard mitigates these attacks by interacting with the client to differentiate between malicious and legitimate traffic, and blocking the malicious traffic.
  • Resource (application) layer attacks: These attacks target web application packets to disrupt the transmission of data between hosts. The attacks include HTTP protocol violations, SQL injection, cross-site scripting, and other layer 7 attacks. Use the Azure Application Gateway web application firewall, together with DDoS Protection Standard, to provide defense against these attacks. There are also third-party web application firewall offerings available in the Azure Marketplace.

DDoS Protection Standard protects resources in a virtual network, including public IP addresses associated with virtual machines, load balancers, and application gateways. When coupled with the Application Gateway web application firewall, DDoS Protection Standard can provide full layer 3 to layer 7 mitigation capability.

DDoS Protection Standard features

Figure: DDoS Protection Standard features

DDoS Protection Standard features include:

  • Native platform integration: Natively integrated into Azure. Includes configuration through the Azure portal. DDoS Protection Standard understands your resources and resource configuration.
  • Turn-key protection: Simplified configuration immediately protects all resources on a virtual network as soon as DDoS Protection Standard is enabled. No intervention or user definition is required. DDoS Protection Standard instantly and automatically mitigates the attack once it is detected.
  • Always-on traffic monitoring: Your application traffic patterns are monitored 24 hours a day, 7 days a week, looking for indicators of DDoS attacks. Mitigation is performed when protection policies are exceeded.
  • Adaptive tuning: Intelligent traffic profiling learns your application's traffic over time, and selects and updates the profile that is the most suitable for your service. The profile adjusts as traffic changes over time.
  • Multi-layered protection: Provides full-stack DDoS protection when used with a web application firewall.
  • Extensive mitigation scale: Over 60 different attack types can be mitigated, with global capacity, to protect against the largest known DDoS attacks.
  • Attack analytics: Get detailed reports in five-minute increments during an attack, and a complete summary after the attack ends. Stream mitigation flow logs to an offline security information and event management (SIEM) system for near real-time monitoring during an attack.
  • Attack metrics: Summarized metrics from each attack are accessible through Azure Monitor.
  • Attack alerting: Alerts can be configured at the start and stop of an attack, and over the attack's duration, using built-in attack metrics. Alerts integrate into your operational software such as Microsoft Azure Monitor logs, Splunk, Azure Storage, email, and the Azure portal.
  • Cost guarantee: Data-transfer and application scale-out service credits for documented DDoS attacks.

DDoS Protection Standard mitigation

DDoS Protection Standard monitors actual traffic utilization and constantly compares it against the thresholds defined in the DDoS policy. When the traffic threshold is exceeded, DDoS mitigation is initiated automatically. When traffic returns below the threshold, the mitigation is removed.

Figure: DDoS Protection Standard mitigation

During mitigation, traffic sent to the protected resource is redirected by the DDoS protection service and several checks are performed, such as the following:

  • Ensure packets conform to internet specifications and are not malformed.
  • Interact with the client to determine whether the traffic is potentially spoofed (for example, SYN Auth or SYN Cookie, or by dropping a packet so that the source retransmits it).
  • Rate-limit packets if no other enforcement method can be performed.

DDoS protection blocks attack traffic and forwards the remaining traffic to its intended destination. Within a few minutes of attack detection, you are notified using Azure Monitor metrics. By configuring logging on DDoS Protection Standard telemetry, you can write the logs to the available destinations for future analysis. Metric data in Azure Monitor for DDoS Protection Standard is retained for 30 days.
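The threshold-driven control loop described above (mitigation starts when the policy threshold is exceeded, stops when traffic falls back below it, with start/stop alerts and five-minute attack reports) can be modelled to reason about what the telemetry will look like. The following is an added illustration, not Azure's implementation: the threshold, the `legit_pps` split (traffic that passes the checks listed above versus traffic that is scrubbed) and the event names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class MitigationEvent:
    minute: int   # minute offset of the sample that caused the state change
    kind: str     # "MitigationStarted" or "MitigationStopped" (constructed names)
    pps: int      # observed packets per second at that sample

@dataclass
class PolicyMonitor:
    """Tracks one protected public IP against one packets-per-second threshold."""
    threshold_pps: int
    mitigating: bool = False
    events: List[MitigationEvent] = field(default_factory=list)
    blocked: int = 0     # packets dropped while mitigation was active
    forwarded: int = 0   # packets passed on to the intended destination

    def observe(self, minute: int, pps: int, legit_pps: int) -> Optional[MitigationEvent]:
        """Feed one one-minute sample; return an event only on a state transition."""
        above = pps > self.threshold_pps
        event = None
        if above and not self.mitigating:
            self.mitigating, event = True, MitigationEvent(minute, "MitigationStarted", pps)
        elif not above and self.mitigating:
            self.mitigating, event = False, MitigationEvent(minute, "MitigationStopped", pps)
        if self.mitigating:
            # Under mitigation only traffic that passed the checks is forwarded.
            self.forwarded += legit_pps * 60
            self.blocked += (pps - legit_pps) * 60
        else:
            # Below the threshold nothing is scrubbed; everything reaches the target.
            self.forwarded += pps * 60
        if event:
            self.events.append(event)
        return event

def five_minute_report(samples: List[Tuple[int, int, int]], threshold_pps: int):
    """Bucket samples into five-minute windows (peak pps, minutes under mitigation)."""
    monitor, buckets = PolicyMonitor(threshold_pps), {}
    for minute, pps, legit in samples:
        monitor.observe(minute, pps, legit)
        b = buckets.setdefault(minute // 5, {"peak_pps": 0, "mitigated_minutes": 0})
        b["peak_pps"] = max(b["peak_pps"], pps)
        b["mitigated_minutes"] += 1 if monitor.mitigating else 0
    return monitor, [buckets[k] for k in sorted(buckets)]

# Constructed sample: (minute, total pps, legitimate pps); a flood from minute 4 to 9.
SAMPLES = [(m, 2_000, 2_000) for m in range(4)] \
        + [(m, 900_000, 3_000) for m in range(4, 10)] \
        + [(m, 2_500, 2_500) for m in range(10, 15)]
```

Running `five_minute_report(SAMPLES, 100_000)` yields a start event at minute 4, a stop event at minute 10, and three report windows in which the middle one is fully under mitigation.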

Microsoft has partnered with BreakingPoint Cloud to build an interface where you can generate traffic against DDoS Protection-enabled public IP addresses for simulations. The BreakingPoint Cloud simulation allows you to:

  • Validate how Microsoft Azure DDoS Protection Standard protects your Azure resources from DDoS attacks
  • Optimize your incident response process while under DDoS attack
  • Document DDoS compliance
  • Train your network security teams

Next steps