DDoS attack mitigation on Azure infrastructure - azure

I have a Django based web application hosted on Azure provisioned virtual machines (Ubuntu OS). My application recently experienced a DDoS attack and we were helpless against it.
The problem is that once traffic hits the server - even if it's blocked at a firewall or throttled in my webserver - the traffic is already consuming my network bandwidth. I can do nothing about it. This needs to be blocked "upstream", in the routing gear servicing my server.
Is there any DDoS protection Azure can offer me? Or at the very least, make recommendations as to how I might deploy my application so that it's more resistant to these attacks? Please advise.

Current, Azure provides DDOS protection at the network level, but not at the application level. So, if you are receiving a bunch of ACK requests, for example, this should be blocked by the platform itself.
For app level DDOS protection, you need to consider an upstream provider such as Incapsula or Silverline. Integrating them is quite easy. See https://www.incapsula.com/blog/how-to-add-incapsula-to-your-microsoft-azure-instance.html for an example.
Essentially, you will setup Incapsula and configure it with the DNS label of the web app (something.azurewebsites.net). Your DNS (www.domain.com) will then point to the incapsula service and they will handle the rest.
Please note that separating the DDOS from the service still allows for an attack against the service itself (ie: if someone hits something.azurewebsites.net then Incapsula will not protect this traffic).
Hope that helps!

First: Azure allows for IP-whitelisting (or blacklisting), so you can add malicious IP addresses to your block-list on incoming traffic (port 80/443 for instance). And you can modify IP addresses / ranges programmatically. This should prevent traffic from hitting your web app. Note: This is specific to Azure Virtual Machines, which you're using.
Second: Azure provides the Azure Security Center, which is designed to detect such things as DoS attacks, intrusion attacks, etc. Not that it solves your problem, but it can be used for alerting you to issues.

Using incapsula will be the right answer for you , since incapsula hides your origin ip and mitigate the attack before it even reached Azure.
in addition it provides CDN and cache which helped us save on bandwidth costs on AWS and make our application work faster.

Related

Is there any need for a firewall for an Azure Web App?

I understand that Azure Web Apps as a PaaS offering are inherently more secure than if hosting on your own VM ... but does that mean a firewall solution is not required at all?
Azure offers a few solutions, but anything acting as a firewall seems expensive - so we are wondering if we can just do without one.
Not required as long as you are secured login for sensitive data and enabled CORN rules. For other protections you can definitely add to your subscription like firewall and DDoS protection.
It is not required; however, depending on the type of application you are building it is greatly encouraged, if not required by specific industries.
Depending on your architecture and/or approach and if cost is a concern I'd recommend Azure FrontDoor w/ Web Application Firewall (WAF) enabled. This will cover additional security for your application at a reasonable cost as well as potentially server as a Traffic/Manager Load balancer.

Is Azure WebApp automatically rate limited / DOS protected?

I'm building a service that allows to enter activation keys in a desktop application, which will then call a web service to check the key and return a license. This call does not require authorization.
The web application is running as Azure "App Service". I'm afraid someone will be trying to "guess" activation keys and slow down my service. (I'm not afraid they will be able to correctly guess, they are long enough).
Do Azure WebApps have some kind of automatic rate-limiting or DOS-protection, or do I need to configure/code this myself?
If I have to do it myself, can you point me into the right direction?
As far as I know, we could use Dynamic IP Restrictions in web app.
The Dynamic IP Restrictions Extension for IIS provides IT Professionals and Hosters a configurable module that helps mitigate or block Denial of Service Attacks or cracking of passwords through Brute-force by temporarily blocking Internet Protocol (IP) addresses of HTTP clients who follow a pattern that could be conducive to one of such attacks. This module can be configured such that the analysis and blocking could be done at the Web Server or the Web Site level.
About how to config this feature. We could remote connect to the azure web app IIS and set it.
About how to remote connect web app IIS, you could refer to this article.
More details, you could also refer to this blog.

What is the best practice for ddos protection on Windows Azure virtual machine?

What is the best practice for ddos protection on Windows Azure virtual machine?
I have multiple domains connected to my vm
and a static ip
Azure provides DDOS protection on all their services, but they do this in a selfish manner. IE: They are protecting their service, not necessarily yours.
I think when trying to enable DDOS protection you have the following options
Use VMs from the Azure Marketplace. There are leading security
solutions for sale, and you can put those in-line with your VMs
Use an upstream service such as Incapsula, cloudflare, or
Silverline
There really is no one single best practice solution, you need to balance cost vs risk to determine the best solution for you or your client.
Azure officially partners with Imperva Incapsula to provide WAF and DDoS Mitigation:
https://azure.microsoft.com/en-us/blog/azure-security-center-adds-new-partners-detections-and-more/
https://www.incapsula.com/ddos-protection-for-microsoft-azure.html
If you want a hint, look at who protects Microsoft's own blog...
http://blogs.microsoft.com/blog/2016/02/25/enterprise-security-for-our-mobile-first-cloud-first-world-2/
Using incapsula is the correct way to go, it will mitigate all of the ddos attack, provide CDN and Cache for your app which will speed it up.
Today we use incapsula to mitigate both attacks and as a CDN + cache and it actually saved us on AWS traffic and speed up the application.
There is a lot happening around making Azure more secure. Most of that is described in the Azure Trust Center. You can request the penetration testing as well if you want.
And, if you want some additional features, there is partners offerings marketplace called Azure Marketplace where you can find a lot of manageable solutions.

Organizing DDoS protection on Windows Azure

If we have some spherical application in vacuum hosted on Microsoft Azure, that we would like to protect against DDoS attack with minimum economic impact and maximum reliability then:
Is it useful to organize reverse proxy like squid or nginx as a
protection level against DDoS?
If true - does it make sense to deploy reverse proxy on Azure or as
dedicated server?
If we deploy proxy on Azure, should/can it be multiinstantinated and if
not, won't it become a bottleneck?
If false - what measures can be appplied to effective respond on
ddos attack real time, except scaling out by throwing more instances
to keep up with traffic surge and relying on Azure's Load Balancer?
The Microsoft Datacenters that host Windows Azure already have protections for items such as DDoS attacks. That said, it is still up to you to monitor your application for unexpected and potentially invalid spikes in traffic and to react accordingly. This can be scaling up your capacity to handle the load using multiple service instances, or by submitted support tickets to have the invalid traffic blocked by MSFT's datacenter protections.

Windows Azure VPN and IP restriction

We integrate with a third-party service where we can run queries which is right now secured using HTTPS encryption and username/password. We send our queries from a service running on the Windows Azure cloud.
The third-party provider wants to migrate towards better security and they have asked us to either
Setup a VPN - which is problematic because for we'd need to use Azure Connect and they'd have to install the client endpoint service on their part.
Provide some IP address where the queries will come from so they can filter out anyone else at the firewall level - which is problematic because AFAIK you cannot fix the IP addresses of the Windows Azure Compute nodes.
Suggest another secure alternative - the only thing I could think of is to set up the VPN with them on a non-Azure server and then tunnel the requests through using Azure Connect - which is obviously extra work for us and also defeats the point of hosting the service on a cloud if it depends on a non-cloud service.
Any ideas?
Can they install the Azure Connect endpoint on another server on their DMZ network? i.e. not the actual server which hosts their service?
Can we somehow provide them with static IPs for incoming queries?
Any other solution that is scalable?
Thanks
If I understand the scenario correctly, your Azure service is a client to a 3rd party service. This scenario may be solved through the use of the Windows Azure AppFabric Service Bus. You would need to install a proxy app in the 3rd party's datacenter that would be responsible for establishing the connection to the service bus. The connection comes from inside the 3rd party's datacenter, so no new incoming holes in the firewall. The connection can handle WCF connections with all its security strengths, and users can be authenticated with ACS.
Here is a starting point: http://msdn.microsoft.com/en-us/library/ee732537.aspx
There is a hands on lab in the Windows Azure Platform Training Kit that explains most of the details that you'll need.
IMHO, HTTPS is already very good; and I don't exactly see how a VPN would make the system any more secure. In particular, VPN is no silver bullet, if your VM is compromised then the VPN connection is compromised too (same for HTTPS). On the other hand, the IP restriction would indeed reduce the attack surface.
Then, using a server outside the cloud is a poor idea indeed. Not only it defeats most of the benefits of the cloud (been there, done that and suffered a lot), but also it also makes the whole thing less secure with more complexity and more attack surface.
Windows Azure does not provide anything that look like a static IP at this point. In our experience, IP addresses for a given service change once in a while even if the service is only upgraded (and never deleted). Static IP addresses have been an important feature request for a long time, Microsoft will probably provide it at some point, but it might still take many months.

Resources