Azure DDoS Protection is currently in Preview. For those to whom DoS or DDoS is not familiar, I will open the topic up a bit before going through the Microsoft service.
What is a Denial-of-Service attack?
Denial of Service means that the attacker sends your servers traffic they cannot usefully handle: malformed packets, or simply far more packets (or far larger ones) than the target can absorb. This can be done over any ordinary protocol (TCP, UDP, ICMP).
The target can be your network devices, your servers or even a client. The only goal is to make your service stop functioning.
Attacks are usually grouped by the OSI layer they hit. An HTTP flood is an application-layer (layer 7) attack: every request looks legitimate, but the volume exhausts the web server. Protocol attacks such as a SYN flood work on layers 3 and 4, filling the server's connection table with half-open handshakes. Volumetric attacks, for example DNS amplification, simply saturate your bandwidth with reflected responses until you are flooded.
And because the attack traffic is mixed with real traffic, it is hard to defend against at the target itself; that is why mitigation is best done upstream, at the network edge.
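To show why "mixed with real traffic" matters, here is an added example that is not part of the original post: a small shell/awk detector that counts half-open TCP handshakes in a connection log. The log format, the addresses and the three traffic patterns (a normal client, a flaky client, a flood from one source and a spoofed flood from many sources) are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): tell a SYN flood apart from real
# traffic in a connection log by counting half-open handshakes.
# Constructed log line format: "<epoch> <client_ip> <server_ip:port> <event>"
#   S = the client sent a SYN, A = the same client completed the handshake.

gen_sample() {
  i=0
  while [ "$i" -lt 5 ]; do     # normal client: every SYN is followed by the final ACK
    echo "1700000000 198.51.100.10 10.0.0.5:443 S"
    echo "1700000000 198.51.100.10 10.0.0.5:443 A"
    i=$((i + 1))
  done
  echo "1700000000 198.51.100.11 10.0.0.5:443 S"   # flaky client: 3 SYNs, 2 completed
  echo "1700000000 198.51.100.11 10.0.0.5:443 A"
  echo "1700000000 198.51.100.11 10.0.0.5:443 S"
  echo "1700000000 198.51.100.11 10.0.0.5:443 A"
  echo "1700000001 198.51.100.11 10.0.0.5:443 S"
  i=0
  while [ "$i" -lt 30 ]; do    # un-spoofed flood: one source, 30 SYNs, none completed
    echo "1700000001 203.0.113.7 10.0.0.5:443 S"
    i=$((i + 1))
  done
  i=1
  while [ "$i" -le 40 ]; do    # spoofed flood: 40 SYNs, each from a different fake source
    echo "1700000002 192.0.2.$i 10.0.0.5:443 S"
    i=$((i + 1))
  done
}

# Half-open handshakes = SYNs minus completed handshakes, grouped by log field $1.
# Prints "<key> <half_open>" for every key whose count exceeds the threshold in $2.
half_open_by() {
  awk -v key="$1" -v thr="$2" '
    $4 == "S" { syn[$key]++ }
    $4 == "A" { ack[$key]++ }
    END {
      for (k in syn) {
        open = syn[k] - ack[k]
        if (open > thr) printf "%s %d\n", k, open
      }
    }' | sort
}

half_open_by_source() { half_open_by 2 "$1"; }   # group by client IP (field 2)
half_open_by_dest()   { half_open_by 3 "$1"; }   # group by server:port (field 3)

echo "== sources with more than 10 half-open connections =="
gen_sample | half_open_by_source 10
echo "== destinations with more than 10 half-open connections =="
gen_sample | half_open_by_dest 10
```

Grouping by source catches the single noisy host (203.0.113.7) but completely misses the spoofed wave, because each fake source shows up only once; grouping by destination sees the whole 71-connection backlog but cannot tell you whom to block. That is the practical problem with host-side per-source limits, and why the usual host mitigation is SYN cookies (`net.ipv4.tcp_syncookies` on Linux) plus upstream scrubbing capacity rather than counting alone.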
What about DDoS?
A Distributed Denial-of-Service attack is carried out by an army of infected devices, a botnet. The attacker installs malicious code on them that launches the attack when commanded.
There have been various botnets that were shut down by the authorities, and still new ones keep coming up.
The new version of Lucifer can use infected Linux machines for DoS and DDoS attacks.
These entries are from MITRE ATT&CK (the G and S prefixes are ATT&CK group and software IDs):

| ID | Name | Description |
|---|---|---|
| G0007 | APT28 | In 2016, APT28 conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency. |
| S0532 | Lucifer | Lucifer can execute TCP, UDP, and HTTP denial of service (DoS) attacks. |
• Based on the rapid iteration and constant changes of the malware, it appears the authors continue to test and deploy new versions of Lucifer.
• The newly discovered SHELL, MIMIKATZ, and HELP PE resources further extend the capabilities of the malware.
• The Linux version of Lucifer includes the ability to launch TCP, UDP, ICMP, and HTTP based DDoS attacks.
• Analysis of the Lucifer bot code revealed precise details of the supported attack types, including attack-time options and whether innovations in DDoS attack capabilities are incorporated into its portfolio.
How does Lucifer reach your machine?
One option could be that you get Lucifer through a LokiBot infection.
What is LokiBot?
LokiBot is a trojan-type malware designed to infiltrate systems and collect a wide range of information. Note that this malware targets the Windows and Android operating systems. LokiBot typically infiltrates systems without the user's consent: it is distributed via spam emails (Windows), various private messages (SMS, Skype, etc.), and malicious websites.

| Attribute | Detail |
|---|---|
| Threat Type | Trojan, password-stealing virus, banking malware, spyware. |
| Detection Names | Avast (Win32:Trojan-gen), BitDefender (Trojan.GenericKD.41149271), ESET-NOD32 (A Variant Of Win32/Injector.EEMP), Kaspersky (Backdoor.Win32.Androm.rlsi), Full List (VirusTotal) |
| Malicious Process Name(s) | objectindvarsle.exe (the process name may vary). |
| Symptoms | Trojans are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine. |
| Distribution methods | Infected email attachments, malicious online advertisements, social engineering, software 'cracks'. |
| Damage | Stolen passwords and banking information, identity theft, the victim's computer added to a botnet. |
Botnets and war against them
Emotet was one of the big ones; even the Department of Justice made a statement about it.
And here is how it was shut down.
But it wasn't the first. This war against botnets has been going on for a long time.
Discovering what happens in the threat space?
Here is an excellent site for watching live attacks happening around the world.
And the Microsoft Digital Defense Report is an excellent read for understanding what is happening in cybersecurity.
And now that we have come to Microsoft, let's start with the Azure capabilities for defending against these attacks.
Azure DDoS Protection
DDoS Protection leverages the scale and elasticity of Microsoft’s global network to bring massive DDoS mitigation capacity in every Azure region. Microsoft’s DDoS Protection service protects your Azure applications by scrubbing traffic at the Azure network edge before it can impact your service’s availability.
Azure DDoS protection does not store customer data.
- Native platform integration: Natively integrated into Azure. Includes configuration through the Azure portal. DDoS Protection Standard understands your resources and resource configuration.
- Turnkey protection: Simplified configuration immediately protects all resources on a virtual network as soon as DDoS Protection Standard is enabled. No intervention or user definition is required.
- Always-on traffic monitoring: Your application traffic patterns are monitored 24 hours a day, 7 days a week, looking for indicators of DDoS attacks. DDoS Protection Standard instantly and automatically mitigates the attack, once it is detected.
- Adaptive tuning: Intelligent traffic profiling learns your application’s traffic over time, and selects and updates the profile that is the most suitable for your service. The profile adjusts as traffic changes over time.
- Multi-Layered protection: When deployed with a web application firewall (WAF), DDoS Protection Standard protects both at the network layer (Layer 3 and 4, offered by Azure DDoS Protection Standard) and at the application layer (Layer 7, offered by a WAF). WAF offerings include Azure Application Gateway WAF SKU as well as third-party web application firewall offerings available in the Azure Marketplace.
- Extensive mitigation scale: Over 60 different attack types can be mitigated, with global capacity, to protect against the largest known DDoS attacks.
- Attack analytics: Get detailed reports in five-minute increments during an attack, and a complete summary after the attack ends. Stream mitigation flow logs to Microsoft Sentinel or an offline security information and event management (SIEM) system for near real-time monitoring during an attack.
- Attack metrics: Summarized metrics from each attack are accessible through Azure Monitor.
- Attack alerting: Alerts can be configured at the start and stop of an attack, and over the attack’s duration, using built-in attack metrics. Alerts integrate into your operational software like Microsoft Azure Monitor logs, Splunk, Azure Storage, Email, and the Azure portal.
- DDoS Rapid Response: Engage the DDoS Protection Rapid Response (DRR) team for help with attack investigation and analysis. To learn more, see DDoS Rapid Response.
- Cost guarantee: Receive data-transfer and application scale-out service credit for resource costs incurred as a result of documented DDoS attacks.
Microsoft has released an Azure security baseline for Azure DDoS Protection Standard that maps the service's controls to the Azure Security Benchmark.
DDoS Protection Standard is designed for services that are deployed in a virtual network. For other services, the default DDoS Protection Basic service applies. The following reference architectures are arranged by scenarios, with architecture patterns grouped together.
Application running on load-balanced VMs
Application running on Windows N-tier
PaaS web application
Protecting on-premises resources
How to enforce it?
Azure Policy is the way, and the policy to use is the built-in definition "Virtual networks should be protected by Azure DDoS Protection Standard". It takes two parameters: the effect (Modify, Audit or Disabled) and the DDoS Protection Plan to attach to every virtual network in scope.
Here is the definition's header and parameter section as a well-formed fragment, if you want to keep it in your Azure pipeline. The policy rule body (the `if`/`then` that sets `enableDdosProtection` and links the plan) is not reproduced here; pull the full built-in from the portal or the CLI when you assign it.

```json
{
  "displayName": "Virtual networks should be protected by Azure DDoS Protection Standard",
  "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs.",
  "parameters": {
    "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "Modify", "Audit", "Disabled" ], "defaultValue": "Modify" },
    "ddosPlan": { "type": "String", "metadata": { "displayName": "DDoS Protection Plan", "description": "DDoS Protection Plan resource to be associated to the virtual networks", "strongType": "Microsoft.Network/ddosProtectionPlans" } }
  }
}
```
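To turn the policy above, and the attack analytics, metrics and alerting features from the list earlier on this page, into something you can run from a pipeline, here is an added Azure CLI script. It is my example, not the post's or Microsoft's code. It assumes the built-in definition's parameters are named `effect` and `ddosPlan` (the post only shows their display names), that the definition's display name is the one quoted above, and it uses placeholder names for the plan, assignment, remediation task, diagnostic setting and alert. Run it with the `apply` argument and the environment variables listed at the bottom; without arguments it only defines the functions.

```shell
#!/bin/sh
# Added example (not from the original post or Microsoft's docs): enforce the
# built-in "Virtual networks should be protected by Azure DDoS Protection Standard"
# policy across a subscription with the Azure CLI, remediate existing VNets, and
# wire up the attack telemetry the post lists (diagnostic logs and a metric alert).
# Assumptions: the built-in's parameters are named `effect` and `ddosPlan`, its
# display name is the one quoted on the post, and all resource names are placeholders.
set -eu

# Parameter document for the assignment. Modify (rather than Audit) both flips
# enableDdosProtection and links the plan, so a remediation task fixes existing VNets.
ddos_policy_params() {
  printf '{"effect":{"value":"Modify"},"ddosPlan":{"value":"%s"}}' "$1"
}

# Diagnostic log categories a public IP emits while under mitigation.
ddos_diag_logs() {
  printf '[{"category":"DDoSProtectionNotifications","enabled":true},{"category":"DDoSMitigationFlowLogs","enabled":true},{"category":"DDoSMitigationReports","enabled":true}]'
}

main() {
  : "${SUBSCRIPTION:?}" "${RG:?}" "${LOCATION:?}" "${WORKSPACE_ID:?}" "${ACTION_GROUP_ID:?}"
  scope="/subscriptions/$SUBSCRIPTION"
  assignment="enforce-ddos-standard"

  # 1. One plan per tenant is enough; it can be shared across subscriptions.
  plan_id=$(az network ddos-protection create --resource-group "$RG" \
      --name "${PLAN_NAME:-ddos-plan-shared}" --location "$LOCATION" --query id -o tsv)

  # 2. Look the built-in up by display name instead of hard-coding its GUID.
  def_name=$(az policy definition list \
      --query "[?displayName=='Virtual networks should be protected by Azure DDoS Protection Standard'].name" -o tsv)

  # 3. Assign at subscription scope. Modify needs a managed identity that is
  #    allowed to change VNets, so grant Network Contributor on the same scope.
  az policy assignment create --name "$assignment" --scope "$scope" --policy "$def_name" \
      --params "$(ddos_policy_params "$plan_id")" \
      --mi-system-assigned --location "$LOCATION" --identity-scope "$scope" --role "Network Contributor"

  # 4. Modify only fires on create/update; a remediation task fixes VNets that already exist.
  az policy remediation create --name "remediate-ddos" --policy-assignment "$assignment" \
      --resource-discovery-mode ReEvaluateCompliance

  # 5. Compliance check: counts of compliant / non-compliant VNets for this assignment.
  az policy state summarize --policy-assignment "$assignment"

  # 6. Telemetry per public IP: stream the DDoS log categories to Log Analytics
  #    and alert when the IfUnderDDoSAttack metric becomes 1.
  for pip_id in $(az network public-ip list --resource-group "$RG" --query "[].id" -o tsv); do
    az monitor diagnostic-settings create --name "ddos-diag" --resource "$pip_id" \
        --workspace "$WORKSPACE_ID" --logs "$(ddos_diag_logs)"
    az monitor metrics alert create --name "ddos-$(basename "$pip_id")" --resource-group "$RG" \
        --scopes "$pip_id" --condition "max IfUnderDDoSAttack > 0" \
        --window-size 5m --evaluation-frequency 1m --action "$ACTION_GROUP_ID" \
        --description "Public IP is under DDoS mitigation"
  done
}

# Run as: SUBSCRIPTION=... RG=... LOCATION=... WORKSPACE_ID=... ACTION_GROUP_ID=... sh ddos-enforce.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```

Two things worth checking after the first run: `az policy state summarize` should report zero non-compliant virtual networks once the remediation task finishes (compliance evaluation can lag by some minutes), and the diagnostic setting must exist before an attack, because mitigation flow logs are only produced while a mitigation is active and cannot be backfilled.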
And the pricing?
A single Azure DDoS Protection Plan in a tenant can be used across multiple subscriptions. The DDoS Protection service has a fixed monthly charge, which includes protection for 100 resources. Protection for additional resources is charged monthly per resource.

| Item | Price |
|---|---|
| Monthly price for DDoS Protection (includes protection for 100 resources) | €2,539/month |
| Overage charges (more than 100 resources) | €25.4 per resource per month |
That’s it folks! Until next time!