Azure DDoS Protection Standard 概觀Azure DDoS Protection Standard overview

分散式阻斷服務 (DDoS) 攻擊是將應用程式移至雲端的客戶所面臨的最大可用性和安全性顧慮之一。Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing customers that are moving their applications to the cloud. DDoS 攻擊會嘗試耗盡應用程式的資源,讓合法使用者無法使用該應用程式。A DDoS attack attempts to exhaust an application’s resources, making the application unavailable to legitimate users. DDoS 攻擊可以鎖定可透過網際網路公開觸達的任何端點。DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.

結合應用程式設計最佳做法的 Azure DDoS 保護可提供 DDoS 攻擊的防禦。Azure DDoS protection, combined with application design best practices, provide defense against DDoS attacks. Azure DDoS 保護提供下列服務層級:Azure DDoS protection provides the following service tiers:

  • 基本:自動啟用 Azure 的平台的一部分。Basic: Automatically enabled as part of the Azure platform. 常見網路層級攻擊的永遠可用流量監視和即時安全防護功能,可提供 Microsoft 的線上服務所使用的相同防禦。Always-on traffic monitoring, and real-time mitigation of common network-level attacks, provide the same defenses utilized by Microsoft’s online services. Azure 全域網路的整體規模可用於分散和減少跨區域攻擊流量。 The entire scale of Azure’s global network can be used to distribute and mitigate attack traffic across regions. 針對 IPv4 和 IPv6 Azure 公用 IP 位址提供保護。 Protection is provided for IPv4 and IPv6 Azure public IP addresses.
  • 標準: 提供特別針對 Azure 虛擬網路資源會調整的基本服務層的額外安全防護功能。Standard: Provides additional mitigation capabilities over the Basic service tier that are tuned specifically to Azure Virtual Network resources. DDoS 保護「標準」層級很容易啟用,而且不需要變更應用程式。DDoS Protection Standard is simple to enable, and requires no application changes. 保護原則是透過專用的流量監視和機器學習演算法進行調整。Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. 原則會套用至與虛擬網路中所部署資源相關聯的公用 IP 位址,例如 Azure Load Balancer、Azure 應用程式閘道和 Azure Service Fabric 執行個體,但是此保護功能不適用於 App Service Environments。Policies are applied to public IP addresses associated to resources deployed in virtual networks, such as Azure Load Balancer, Azure Application Gateway, and Azure Service Fabric instances, but this protection does not apply to App Service Environments. 在攻擊期間,可透過 Azure 監視器檢視取得即時遙測與歷史記錄。 Real-time telemetry is available through Azure Monitor views during an attack, and for history. 透過診斷設定可以獲得豐富的攻擊風險降低分析。Rich attack mitigation analytics are available via diagnostic settings. 透過 Azure 應用程式閘道 Web 應用程式防火牆,或者從 Azure Marketplace 安裝第 3 方防火牆,可以加上應用程式層保護。Application layer protection can be added through the Azure Application Gateway Web Application Firewall or by installing a 3rd party firewall from Azure Marketplace. 針對 IPv4 和 IPv6 Azure 公用 IP 位址提供保護。Protection is provided for IPv4 and IPv6 Azure public IP addresses.

Azure DDoS 保護部落格與標準

DDoS Protection Standard 可降低風險的 DDoS 攻擊類性Types of DDoS attacks that DDoS Protection Standard mitigates

DDoS 保護標準層可降低下列攻擊類型的風險:DDoS Protection Standard can mitigate the following types of attacks:

  • 體積型攻擊:此攻擊的目標是流量的要填滿網路層,以大量看似合法。Volumetric attacks: The attack's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic. 它包括 UDP 洪水攻擊、放大洪水攻擊和其他詐騙封包洪水攻擊。It includes UDP floods, amplification floods, and other spoofed-packet floods. DDoS 保護標準層可降低這些潛在多 GB 攻擊的風險,方法是自動使用 Azure 的全球網路規模來快吸並清除這些攻擊。DDoS Protection Standard mitigates these potential multi-gigabyte attacks by absorbing and scrubbing them, with Azure’s global network scale, automatically.
  • 通訊協定攻擊:這些攻擊所呈現的目標無法存取,利用第 3 層中的弱點和圖層的 4 個通訊協定堆疊。Protocol attacks: These attacks render a target inaccessible, by exploiting a weakness in the layer 3 and layer 4 protocol stack. 它包括 SYN 洪水攻擊、反映攻擊和其他通訊協定攻擊。It includes, SYN flood attacks, reflection attacks, and other protocol attacks. DDoS 保護標準層可透過與用戶端互動來區別惡意與合法流量並封鎖惡意流量,以降低這些攻擊的風險。DDoS Protection Standard mitigates these attacks, differentiating between malicious and legitimate traffic, by interacting with the client, and blocking malicious traffic.
  • 資源 (應用程式) 層攻擊:這些攻擊會鎖定 web 應用程式的封包,以中斷主機之間的資料傳輸。Resource (application) layer attacks: These attacks target web application packets, to disrupt the transmission of data between hosts. 攻擊包括 HTTP 通訊協定違規、SQL 插入、跨網站指令碼和其他第 7 層攻擊。The attacks include HTTP protocol violations, SQL injection, cross-site scripting, and other layer 7 attacks. 使用 Azure 應用程式閘道 Web 應用程式防火牆搭配 DDoS Protection Standard,以提供這些攻擊的防禦。Use the Azure Application Gateway web application firewall, with DDoS Protection Standard, to provide defense against these attacks. Azure Marketplace 還提供了協力廠商 Web 應用程式防火牆供應項目。There are also third-party web application firewall offerings available in the Azure Marketplace.

DDoS Protection Standard 可保護虛擬網路中的資源,包括與虛擬機器相關聯的公用 IP 位址、內部負載平衡器,以及應用程式閘道。DDoS Protection Standard protects resources in a virtual network including public IP addresses associated with virtual machines, load balancers, and application gateways. 與應用程式閘道 Web 應用程式防火牆搭配的 DDoS Protection Standard 可以提供完整的第 3 層至第 7 層安全防護功能。When coupled with the Application Gateway web application firewall, DDoS Protection Standard can provide full layer 3 to layer 7 mitigation capability.

DDoS Protection Standard 功能DDoS Protection Standard features

DDoS 功能

DDoS Protection Standard 功能包括:DDoS Protection Standard features include:

  • 原生平台整合: 原生整合至 Azure。Native platform integration: Natively integrated into Azure. 包括透過 Azure 入口網站進行設定。Includes configuration through the Azure portal. DDoS Protection Standard 了解您的資源和資源組態。DDoS Protection Standard understands your resources and resource configuration.
  • 現成的保護: 經過簡化的設定會在啟用「DDoS 保護標準」後,立即保護虛擬網路上的所有資源。Turn-key protection: Simplified configuration immediately protects all resources on a virtual network as soon as DDoS Protection Standard is enabled. 不需要任何介入或使用者定義。No intervention or user definition is required. 一旦偵測到攻擊,DDoS Protection Standard 就會立即自動減輕攻擊。DDoS Protection Standard instantly and automatically mitigates the attack, once it is detected.
  • 永遠可用流量監視: 您的應用程式流量模式受到全年無休的全天候監視,以尋找 DDoS 攻擊的指標。Always-on traffic monitoring: Your application traffic patterns are monitored 24 hour a day, 7 days a week, looking for indicators of DDoS attacks. 超出保護原則時,就會執行安全防護功能。Mitigation is performed when protection policies are exceeded.
  • 自適性調整: 智慧型流量分析經過一段時間,學習您的應用程式流量,並也會選取並更新最適合您的服務的設定檔。Adaptive tuning: Intelligent traffic profiling learns your application’s traffic over time, and selects and updates the profile that is the most suitable for your service. 設定檔會隨著時間調整流量變更。The profile adjusts as traffic changes over time.
  • 多層的保護: 與 Web 應用程式防火牆搭配使用時,提供完整堆疊 DDoS 保護。Multi-Layered protection: Provides full stack DDoS protection, when used with a web application firewall.
  • 廣泛的安全防護範圍: 可利用全域功能降低超過 60 種不同攻擊類型的風險,以抵禦最大的已知 DDoS 攻擊。Extensive mitigation scale: Over 60 different attack types can be mitigated, with global capacity, to protect against the largest known DDoS attacks.
  • 攻擊分析: 在攻擊期間取得以五分鐘為增量的詳細報告,在攻擊結束後取得完整摘要。Attack analytics: Get detailed reports in five-minute increments during an attack, and a complete summary after the attack ends. 將風險降低流量記錄串流至離線安全性資訊與事件管理 (SIEM) 系統,以便在攻擊期間進行近乎即時的監視。Stream mitigation flow logs to an offline security information and event management (SIEM) system for near real-time monitoring during an attack.
  • 攻擊計量: 透過 Azure 監視器可以存取每個攻擊的摘要計量。Attack metrics: Summarized metrics from each attack are accessible through Azure Monitor.
  • 攻擊警示: 警示可以設定為在開始和停止攻擊,並且在攻擊的持續時間,使用內建攻擊計量。Attack alerting: Alerts can be configured at the start and stop of an attack, and over the attack’s duration, using built-in attack metrics. 警示會整合到您的作業軟體,例如 Microsoft Azure 監視器記錄檔、 Splunk、 Azure 儲存體、 電子郵件和 Azure 入口網站。Alerts integrate into your operational software like Microsoft Azure Monitor logs, Splunk, Azure Storage, Email, and the Azure portal.
  • 成本保證: 資料傳輸和應用程式相應放大服務會針對記載的 DDoS 攻擊計算點數。Cost guarantee: Data-transfer and application scale-out service credits for documented DDoS attacks.

DDoS Protection Standard 安全防護功能DDoS Protection Standard mitigation

DDoS 保護標準層會監視實際流量使用率,且時常將它與 DDoS 原則中定義的閾值比較。DDoS Protection Standard monitors actual traffic utilization and constantly compares it against the thresholds defined in the DDoS Policy. 當超過該流量閾值時,就會自動起始 DDoS 安全防護功能。When the traffic threshold is exceeded, DDoS mitigation is initiated automatically. 當傳回流量低於閾值時,就會移除安全防護功能。When traffic returns below the threshold, the mitigation is removed.

緩和

在安全防護期間,DDoS 保護服務會重新導向傳送至受保護資源的流量,而且會執行數個檢查,例如下列檢查:During mitigation, traffic sent to the protected resource is redirected by the DDoS protection service and several checks are performed, such as the following checks:

  • 確定封包符合網際網路規格,且格式正確無誤。Ensure packets conform to internet specifications and are not malformed.
  • 用戶端判斷流量是否可能是詐騙封包與互動 (例如:SYN Auth 或 SYN Cookie 或置放封包以將它重新傳輸的來源)。Interact with the client to determine if the traffic is potentially a spoofed packet (e.g: SYN Auth or SYN Cookie or by dropping a packet for the source to retransmit it).
  • 速率限制封包 (如果沒有其他強制方法可以執行)。Rate-limit packets, if no other enforcement method can be performed.

DDoS 保護會封鎖攻擊流量並將剩餘流量轉送至其目的地。DDoS protection blocks attack traffic and forwards the remaining traffic to its intended destination. 在偵測到攻擊的幾分鐘內,系統會使用 Azure 監視器計量通知您。Within a few minutes of attack detection, you are notified using Azure Monitor metrics. 藉由設定登入 DDoS Protection Standard 遙測,您可以將記錄寫入至可用的選項,以供日後分析。By configuring logging on DDoS Protection Standard telemetry, you can write the logs to available options for future analysis. 適用於 DDoS 保護標準層的 Azure 監視器中的計量資料會保留 30 天。Metric data in Azure Monitor for DDoS Protection Standard is retained for 30 days.

Microsoft 已與 BreakingPoint Cloud 合作建立一個介面,您可以針對啟用 DDoS 保護的公用 IP 位址產生流量,以進行模擬。Microsoft has partnered with BreakingPoint Cloud to build an interface where you can generate traffic against DDoS Protection-enabled public IP addresses for simulations. BreakPoint Cloud 模擬可讓您:The BreakPoint Cloud simulation allows you to:

  • 驗證 Microsoft Azure DDoS 保護標準層如何保護您的 Azure資源免受 DDoS 攻擊Validate how Microsoft Azure DDoS Protection Standard protects your Azure resources from DDoS attacks
  • 將遭受 DDoS 攻擊時的事件回應程序最佳化Optimize your incident response process while under DDoS attack
  • 記載 DDoS 合規性Document DDoS compliance
  • 訓練您的網路安全性小組Train your network security teams

後續步驟Next steps