How to defend against denial of service attacks with Azure DDoS Protection | Azure Friday


>>Hey friends. You know that
the ability to instigate a DDoS attack is getting
more and more accessible, but the technology to defend against those attacks continues to
increase in sophistication. Azure DDoS Protection
Standard can help protect your applications
against targeted DDoS attacks. Aman Bhardwaj is here to show
me why I should be using it for every public IP resource I
own today on Azure Friday. [MUSIC]>>Hey friends, it’s Azure Friday. I’m Scott Hanselman. I’m
here with Aman Bhardwaj. We’re going to talk about DDoS
protection. Very important. We’re always thinking about
these attacks that are coming from the bad guys and how
we can protect ourselves.>>Absolutely. Thanks, Scott.>>So one of the things I
want to highlight is that the frequency of the DDoS attacks
continues to grow every year. It’s not only the frequency of
the attacks that’s growing, it’s also the volume of the
attacks that’s growing as well. Now, it doesn’t have to
be like one terabit per second of attack traffic
to take an application down. All it needs is to be a one specific targeted attack that will impact the availability of any application running
in Azure which is receiving traffic from the public
IP or the public Internet.>>Now I have my
applications in Azure. I think I just have Front
Door in front of them. What kind of attack
prevention do I have already? Does anything come built in
just because I’m in the Cloud?>>So one thing that we
actually tell all our customers is that you should think in terms of defense-in-depth or zero trust. So front-door offer some
inherent protection against the volumetric attacks
due to the scale-up render. But think about if you’re deploying your back end application which is the front or back end in a virtual network and you’re
exposing that application. The example of the application
could be a load balancer. It could be an application gateway. Now that application
receives traffic from the Front Door public IP on its own IP, which means that the public IP of that application gateway
in the VNet is still exposed over the
Internet and it still can be targeted with a DDoS attack. So again, the
recommendation is deploy your application for
acceleration with Front Door, the backend of the
application which is the virtual networks
should be protected with DDoS Protection Standard.>>So any exposed public IP
address should be protected.>>That’s true.>>But what about
third-party products like we hear about
Cloudflare and we hear about terms like this where I can
put it at the DNS level and say, “I can just protect
everything by just changing my DNS.” Is
that not a solution?>>So it is one of the solutions. We have seen our customers
using Cloudflare as well apart from our DDoS
Protection Standard. The key differentiator there is
that your traffic actually goes to the Cloudflare data center and from there it gets
routed into Azure. With DDoS Protection Standard, the traffic always remains
within the Azure data center. So it also helps with the performance as well because as we are
doing the attack mitigation, the traffic now leaves
the data center. We mitigate the bad traffic
closest to the application. But if you do identify that the
attack volume is significant, then we leverage the global scale of our Azure networking to defend the
attack where it is originating.>>So then given my setup, where I’ve got about 19
or 20 Azure app services, I would put a virtual
network around them. I’ve got Front Door already, Azure DDoS Protection which sit between Front Door
and my application and protect the dotted line that I’m going to draw
around my app services.>>That’s another way to go about it.>>All right. Fantastic.
Showing your diagram here because this explains
exactly how this is laid out.>>So a couple of features that I want to highlight here is one I’ve already talked about that we
leverage the global scale of Azure networking which means that anytime we are
deploying the data center, we continue to grow our
worldwide mitigation capacity. So DDoS service number goes down and we have like 30 plus terabits of mitigation capacity
which means that not only we can mitigate attacks
lot more frequently, but also attacks all at the same
time of significant volume. The other thing which I want to highlight here is
the adaptive tuning. Now, every application’s traffic
pattern will be different. So in DDoS, there’s a detection
and then there’s a mitigation. So what we do is using the proprietary
machine learning algorithm, we understand what does the traffic pattern look
like for your application? Based on that, we build an
application traffic profile, such that now we understand at nine o’clock Monday
morning the traffic, you receive on your business
critical application, is very different from nine
o’clock Sunday morning. We understand how the traffic
pattern changes every minute. We understand how it shifts
every hour, day over day, week over week, month over month. If you give it enough time and also understand the
seasonality differences. So now let’s say that
your application, your web app receives somewhere
around 30,000 packets per second. Now, we will learn that and we’ll put the DDoS mitigation policy
which would be closer to that. So let’s say we put it to 40
thousand packets per second. Now, if someone is trying
to DDoS your application, the traffic volume would surge. At that point we’ll say something seems anomalous
with the traffic. Let’s start inspecting in real time whether the traffic incoming
to your application is good or bad and we’ll drop the bad
traffic so that it never impacts the availability and
performance of your application. Now as we are doing that, we also provide rich
analytics as well as metrics through Azure Monitor
and Azure Diagnostics setting. So everything is completely
integrated within the Azure system itself and all
of this is done automatically. So there’s no customer
configuration that needs to be put in place to do
the traffic profiling. We do that automatically. Once we detect an attack, we start doing the
mitigation automatically. We’ll make sure that we
send the notifications to Azure Security Center
and through Azure Monitor.>>So it’ll tell me if it happens. But if I don’t even want
to think about it I can pretend and you’ll
just handle it for me.>>Certainly, yes.>>That’s cool.>>That’s the idea. One
last thing I’d like to also highlight is SLA guarantee
and cost protection. SLA guarantee is straightforward. We guarantee our DDoS
service will not go down. We’ll always ensure that the availability of
the application is protected during the
time of DDoS attack. The interesting thing
is cost protection. Now, during the time of DDoS attacks, what generally happens is
that the first of the attack can actually scale out the cost of the resources that are
deployed in Azure. It could be the network bandwidth
or it could be let’s say virtual machine scale set that grows from 10 machines to 1,000 machines. Customers were onboarded to
DDoS protection standard, they don’t have to worry about the
cost of the scale of resources. We will provide the cost
credit back if that happens.>>Really? So you’re basically
giving me DDoS insurance?>>That’s right. That is
actually incredibly cool. So do you have a demo? Can you
actually make an attack for me?>>So absolutely. So
let’s do this thing. So we have a product, it’s common third party
company called Ixia, where our customers can actually use this product to simulate the
DDoS attack without actually having to wait for an
attack to happen to really understand how trained their
security operations teams are. So here, the IP address is the IP address of my
application gateway. The port is 80 on
which it’s listening and I’m going to start
generating the DDoS attack here. Now, as I’m doing that, real quick what I want to show
is to onboard to DDoS Standard. You need to create a
DDoS protection plan. So all you need to do
is just type DDoS here. You’ll see DDoS
protection plans here. Now when you create a
DDoS protection plan and I already have one created. When you create the plan, all you need to do there is to give a name to the plan and link
it to the subscription. But even though you link the
plan to the subscription, it works for the entire tenant. So if you have multiple
subscriptions in your tenant, you can use the same
plan again and again. You don’t have to go and
create multiple plans.>>So just one per subscription?>>One per tenant.>>Per tenant.>>So for instance like you can have 100 subscriptions
in your tenant. You don’t have to go and
create multiple DDoS plans. It works cross-subscription
as well as cross-region.>>That’s great.>>So here’s the plan that I have. As you will see that
multiple subscriptions are linked to the same plan. Now the way you link it is these are the virtual networks
on which we have enabled it. So what I will do is, I’ll navigate to the virtual network. So the first step is you
create a DDoS protection plan. The next step is you navigate to the virtual network in which you have deployed your application
with the public IP. There’s a DDoS protection sublet
here and then all you need to do is to toggle it to standard and link it to the plan
that you have created. After that, everything is taken care of automatically
in the backend. There’s no custom
configuration required. There’s no application level
changes that are required. Really?>>It’s that easy.>>There is no control panels. Everything is done through Azure
Monitor and Security Center.>>That’s right. Now, as you are
generating the attack right now. So as you see that we are
sending a lot of data. What we have done is, we provide the mitigation flow logs
and all of this is also coming in like near real-time, where what you see here is the
log analytics report dashboard that we have created
where the number of IPs. These are the IPs that are
participating in generating a DDoS attack against
the application gateway. We are highlighting these
statistics which means like what’s the total volume of
attack traffic that’s incoming and how much
traffic we are dropping. In this case, 100 percent of
the traffic is being dropped. We also highlight from
which continents, from which countries the
attack traffic is actually originating as well as why
are we dropping the traffic, what attack vectors are involved. So everything that the
security operations team really needs to do the
offline analysis. We provide all that telemetry and
visibility in near real time.>>You said a lot of
different things. DDoS is not just simply
flooding you with traffic. It’s flooding you with
malformed packets or starting a request
and never finishing it. There’s lots of strings.
You handle all of that.>>That’s right. Absolutely.>>Well, that’s fantastic. So do you think everyone should have this?>>Everyone who has a public IP in the virtual network which is
receiving traffic on the Internet on at least one port and you care about the performance availability as well as the cost protection,
you should have it. In fact, why not? A lot of time the question comes in like I
have deployed Azure firewall, do I need DDoS protection standard? Or I have deployed Web
application firewall, do I DDoS? These are all complementary services. Even in Azure firewall
or backward could be taken offline if you
send a lot of traffic. So yes, that’s a recommendation.>>Like a web application
gateway might be looking at URLs for SQL injection attacks which is different
than a DDoS attack. So if you want a multilayered
strategy for security, this is one piece of that process.>>Absolutely.>>Very cool.>>So this attack is going to happen and I can still get
to your application though.>>Can you elaborate?>>Like you’re right now, you’re
in the middle of an attack, but you said that 100 percent
of the packets are being dropped. But if I visited it,
I’m not a bad guy. The application remains available.>>Available. That’s the whole idea.>>That’s amazing.>>So where can I go and learn more about this, is there a website?>>So you can learn more about on the product page which has the
Azure DDoS Protection product page. We also have very
thorough documentation as well as the blog articles.>>Fantastic. I’m going to go set up Azure DDoS Protection on my systems
right now and you should too. I’m learning all about it
today on Azure Friday. [MUSIC]

Copyright © 2019 Toneatronic. All rights reserved.