Azure DDoS Protection Standard

1. Azure DDoS Protection Standard
Arnaud Lheureux
Cloud Chief Security Officer
One Commercial Partner
Microsoft APAC
Twitter: @arnaudLheureux

2. Attack
Frequency
Attack
Size
Attack
Vectors
58%
Vs. 2017
1.7 Tbps
Peak
4X
> 50Gbps
56%
Multi-vector
• Continued growth in frequency, size,
sophistication, and impact
• Often utilized as ‘cyber smoke screen’ to mask
infiltration attacks
400 Gbps
(NTP amp)
650 Gbps
(Mirai)
1.7 Tbps
(Memcached)
2+ Tbps
(???)
Attackers Use UPnP to SidestepDDoS Defenses
May 2018
Attack
Downtime
35%
Businesses
impacted
Major cyber attack disrupts internet
service across Europe & US using
Mirai botnet
Oct 2016
Feb 2018

3. DDoS attack types
Volumetric attacks
Example attacks
Protocol attacks
Example attacks
Resource attacks
Example attacks

4. VM
Firewall
Azure
Deployments
LB/NAT DDoSNVA/WAF Internet
NSG
&
UDR
Azure
Defense in Depth for Virtual Networks

5. DDoS Shared Responsibility Model

7. Azure DDoS System Overview
Region
AZ-2
AZ-3AZ-1
RN RN
DC DC
Edge
DC DC
DC DC
Edge
DDoS Protection
Express
Route
Internet
Peers
DDoS Protection
Continuous
monitoring
Edge mitigation
protects datacenter
bandwidth
Global distribution of
attack traffic
Regional failover
Global mitigation
platform

8. Azure DDoS Protection Standard Overview
Virtual Network

10. Azure DDoS Defense
Designed into the global network
Global distribution of attack traffic
during large scale attacks
25+ Tbps global mitigation
capacity
Continuous monitoring, learning,
and protection signature
improvements
Proven defense for Microsoft
services
Specifically tuned protection for
your app
Active traffic monitoring to
proactively detect emerging threats
and attack vectors
Traffic
Monitoring
DDoS Protection
DDoS Protection
Azure Host
SDN
Emerging attack
patterns
Virtual Network
Your applications

13. Simple to provision for all your virtual network resources
Always on monitoring with near real time telemetry and alerting
Automatic network layer attack
DDoS Attack Analytics
Attack data snapshots and full post attack summary
DDoS Rapid Response
Azure Security Center integration
Cloud scale DDoS protection for your applications

14. Choose DDoS Protection Standard
when
• You have been a victim of
targeted DDoS attacks in past
• You’re running your business
critical applications in Azure
• You need visibility when your
resources are under attack.
• You want DDoS policies tuned
to the traffic pattern of your
application
• You have to prove DDoS
mitigation compliance
assurance

18. Azure Marketplace WAF

19. Azure Security Center

21. Best Practices & Reference Architecture
http://aka.ms/ddosbest
Design for scalability
Ensure that your VM
architecture includes more
than one VM and that each
VM is included in an
availability set.
Recommend using Virtual
machine Scale Sets for
autoscaling capabilities …….
Defense in depth
deploy Azure services in a
virtual network
Using service endpoints
will switch service traffic to
use virtual network private
addresses …….
Design for security
Focus on the 5 pillars of
software quality.
Security and privacy are
built right into the Azure
platform, beginning with
the Security Development
Lifecycle (SDL)………

22. Attack Mitigations
Attack defense originates in the region
where the application is hosted but we
utilize global capacity depending on
attack size
Users (and attackers) connect
to your applications via the
closest Azure edge location
Attack Type Description
Ping Flood
Server receives a lot of spoofed Ping packets from a very large set of source IP it is being targeted by a Ping Flood attack. Such
an attack’s goal is to flood the target with ping packets until it goes offline
IP Null Attack
TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host., these packets can bypass security
measures.
CharGEN Flood
A CharGEN amplification attack is carried out by sending small packets carrying a spoofed IP of the target to internet enabled
devices running CharGEN. These spoofed requests to such devices are then used to send UDP floods as responses from these
devices to the target.
SNMP Amplification
SNMP amplification attack is carried out by sending small packets carrying a spoofed IP of the target to the internet enabled
devices running SNMP.These spoofed requests to such devices are then used to send UDP floods as responses from these
devices to the target. However, amplification effect in SNMP can be greater when compared with CHARGEN and DNS attacks.
NTP Reflection
The NTP amplification attack is carried out by sending small packets carrying a spoofed IP of the target to internet enabled
devices running NTP.These spoofed requests to such devices are then used to send UDP floods as responses from these devices
to the target.
DNS Reflection
The attacker spoofs look-up requests to domain name system (DNS) servers to hide the source of the exploit and direct the
response to the target.
DNS Water Torture
A randomized 12-character alphanumeric subdomain is prepended to the target domain and the attacking bots send their
queries to their locally-configured DNS servers, which are typically DNS servers at local ISPs.
SSDP Amplification
SSDP enabled network devices that are also accessible to UPnP from the internet are an easy source for generating SSDP
amplification floods. The SSDP amplification attack is also carried out by sending small packets carrying a spoofed IP of the
target to devices. These spoofed requests to such devices are used to send UDP floods as responses from these devices to the
target.
QUIC Flood It uses UDP-80 to generate reflection attack.
SYN Flood
This attack exploits the design of the three-way TCP communication process between a client, host, and a server. In this process,
a client initiates a new session by generating a SYN packet. The host assigns and checks these sessions until they are closed by
the client. To carry out a SYN Flood attack, an attacker sends a lot of SYN packets to the target server from spoofed IP
addresses.
SYN-ACK Flood
SYN-ACK packet is generated by the listening host to acknowledge an incoming SYN packet. A large amount of spoofed SYN-
ACK packets is sent to a target server in a SYN-ACK Flood attack.
ACK and PUSH ACK
Flood
During an active TCP-SYN session, ACK or PUSH ACK packets carry information to and from the host and client machines till the
session lasts. During an ACK & PUSH ACK flood attack, a large amount of spoofed ACK packets is sent to the target server to
deflate it.Since these packets are not linked with any session on the server’s connection list, the server spends more resources on
processing these requests.
ACK Flood
This attack exploits the design of the three-way TCP communication process between a client, host, and a server. In this process,
a client sent ACK packets to be part of existing session.
ACK Fragmentation
Fragmented ACK packets are used in this bandwidth consuming version of the ACK & PUSH ACK Flood attack. To execute this
attack, fragmented packets of 1500 bytes are sent to the target server.
RST/FIN Flood
After a successful three or four-way TCP-SYN session, RST or FIN packets are exchanged by servers to close the TCP-SYN
session between a host and a client machine. In an RST or FIN Flood attack, a target server receives a large number of spoofed
RST or FIN packets that do not belong to any session on the target server.
Synonymous TCP-SYN packets carrying the target server’s Source IP and Destination IP are sent to the target server.
STOMP ( Session
Flood Attack)
Disguise of a valid TCP session by carrying a SYN, multiple ACK and one or more RST or FIN packets.
UDP Flood
In this type of DDoS attack a server is flooded with UDP packets. Unlike TCP, there isn’t an end to end process of
communication between client and host. This makes it harder for defensive mechanisms to identify a UDP Flood attack. Random
source IP/PORT.

23. DDoS Protection Planning
Planning and preparing for a DDoS attack is crucial in
understanding the availability and response of an
application during an actual attack.
We’ve partnered with BreakingPoint Cloud to offer tooling
for Azure customers to generate traffic load against DDoS
Standard enabled public endpoints via a safe
environment.
ü Various test profiles available
ü Validate how Microsoft Azure DDoS Protection
protects your Azure resources
ü Optimize your incident response process
ü Document DDoS compliance
ü Train your network security teams

24. Deploying Azure DDoS Protection Standard
Demo

25. Next steps
Learn more about Azure DDoS Protection
http://aka.ms/ddosprotectiondocs
http://aka.ms/ddosbest
http://aka.ms/ddosanalyticsblog
http://aka.ms/ddosblog
Connect with DDoS Protection specialists
MSDN forums
Stack overFlow
Uservoice

26. Thanks for your attention!
Arnaud Lheureux, CISSP
https://aka.ms/arnaud
Twitter : @arnaudLheureux

27. https://customers.microsoft.com

28. © 2019 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date
of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.