This blog post was authored by Dave Burkhardt, Principal Product Manager, and co-authored by Harikrishnan M B, Program Manager, and Yun Zheng, Sr Program Manager.
Within the last few years, the complexity and size of distributed denial-of-service (DDoS) attacks have increased dramatically across the industry.
As we reported previously, TCP, UDP, and DNS-based attacks are still the most frequent, but layer 7/HTTP(S) based attacks have been breaking traffic records across the industry in 2022. As a recent example, we successfully mitigated an attack with over 60 billion malicious requests that were directed at a customer domain hosted on Azure Front Door (AFD).
Layer 7 attacks can affect any organization—from media and entertainment companies to financial institutions. Initially, attacks were unencrypted HTTP-based traffic (such as Slowloris and HTTP Flood), but the industry is now seeing an increase in weaponized botnet HTTPS-based attacks (such as Mēris and Mirai).
Mitigation techniques utilizing Azure Front Door
Fortunately, there are battle-tested frameworks, services, and tools for organizations to utilize so they can mitigate against a potential DDoS attack. Here are some initial steps to consider:
- Content Delivery Networks (CDNs) such as AFD are architected to redistribute HTTP(S) DDoS traffic away from your origin systems in the event of an attack. As such, utilizing AFD’s 185+ edge POPs around the globe that leverage our massive private WAN will not only allow you to deliver your web applications and services faster to your users, but you will also be taking advantage of the AFD’s distributed systems to mitigate against layer 7 DDoS attacks. Additionally, layer 3, 4, and 7 DDoS protection is included with AFD, and WAF services are included at no extra charge with AFD Premium.
- Front Door’s caching capabilities can be used to protect backends from large traffic volumes generated by an attack. Cached resources will be returned from the Front Door edge nodes so they don’t get forwarded to your origins. Even short cache expiry times (seconds or minutes) on dynamic responses can greatly reduce the load on your origin systems. You can also learn more about how AFD caching can protect you from DDoS attacks.
- Leverage Azure Web Application Firewall (Azure WAF) integration with Azure Front Door to mitigate malicious activities, and prevent DDoS and bot attacks. Here are the key Azure WAF areas to explore before (ideally) or during a DDoS attack:
  - Enable rate limiting to limit the number of malicious requests that can be made over a certain time period, blocking requests that exceed the threshold.
  - Utilize the Microsoft Managed Default Rule Set for an easy way to deploy protection against a common set of security threats. Since these rulesets are managed by Microsoft and backed by the Microsoft Threat Intelligence team, the rules are updated as needed to protect against new attack signatures.
  - Enable the Bot Protection Ruleset to block known bad bots responsible for launching DDoS attacks. This ruleset includes malicious IPs sourced from the Microsoft Threat Intelligence Feed and is updated frequently to reflect the latest intel from the immense Microsoft Security and Research organization.
  - Create custom WAF rules to automatically block conditions that are specific to your organization.
  - Utilize our machine learning-based anomaly detection to automatically block malicious traffic spikes using Azure WAF integrated with Azure Front Door.
  - Enable geo-filtering to block traffic from a defined geographic region, or block IP addresses and ranges that you identify as malicious.
- Determine all of your attack vectors. In this article, we mainly talked about layer 7 DDoS aspects and how Azure WAF and AFD caching capabilities can help prevent those attacks. The good news is AFD will protect your origins from layer 3 and 4 attacks if you have these origins configured to only receive traffic from AFD. This layer 3 and 4 protection is included with AFD and is a managed service provided by Microsoft—meaning, this service is turned on by default and is continuously optimized and updated by the Azure engineering team. That said, if you have internet-facing Azure resources that don’t utilize AFD, we strongly recommend you consider leveraging Microsoft’s Azure DDoS Protection product. Doing so will allow customers to receive additional benefits including cost protection, an SLA guarantee, and access to experts from the DDoS Rapid Response Team for immediate help during an attack.
- Fortify your origins hosted in Azure by only allowing them to connect to AFD via Private Link. When Private Link is utilized, traffic between Azure Front Door and your application servers is delivered through a private network connection. As such, exposing your origins to the public internet is no longer necessary. In the event you do not utilize Private Link, origins that are connected over public IPs could be exposed to DDoS attacks, and our recommendation is to enable Azure DDoS Protection (Network or IP SKUs).
- Monitor traffic patterns: Regularly monitoring traffic patterns can help identify unusual spikes in traffic, which could indicate a DDoS attack. As such, set up the following alerting to advise your organization of anomalies:
- Create playbooks to document how you will respond to a DDoS attack and other cybersecurity incidents.
- Run fire drills to determine potential gaps and fine-tune.
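As an added illustration (this is not code from Microsoft or from Azure Front Door, and it does not call Azure), the following Python models how several of the controls listed above behave when evaluated over web traffic: a per-client rate limit over a fixed window, a geo-filter, an IP block list, and the kind of traffic-spike alerting the monitoring step calls for. The access log format and field names, the thresholds, the placeholder country code "XX", and the RFC 5737 documentation IP ranges are all assumptions; the log lines are constructed inside the block.

```python
"""Added example: not code from Microsoft or from Azure Front Door.

Models the layer 7 controls the post recommends (WAF rate limiting,
geo-filtering, IP block lists, and alerting on traffic spikes) as plain
Python evaluated over constructed access log records. Field names,
thresholds, the placeholder country "XX" and the RFC 5737 documentation
IP ranges are assumptions made for this demonstration.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
import json


@dataclass
class Policy:
    """Assumed policy values; a real WAF policy carries its own rule set."""
    blocked_networks: list = field(
        default_factory=lambda: [ip_network("192.0.2.0/24")])  # constructed range
    blocked_countries: set = field(default_factory=lambda: {"XX"})  # placeholder code
    rate_limit_threshold: int = 100   # requests per client IP per window
    rate_limit_minutes: int = 1       # fixed window length in minutes


def parse_line(line: str) -> dict:
    """Parse one JSON log line into a record whose "time" is a datetime."""
    rec = json.loads(line)
    rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
    return rec


def window_start(t: datetime, minutes: int) -> datetime:
    """Floor a timestamp to the start of its fixed rate-limit window."""
    return t.replace(minute=t.minute - t.minute % minutes, second=0, microsecond=0)


def evaluate(records, policy: Policy):
    """Decide allow/block for each record in time order.

    Rules run in priority order: IP block list, geo-filter, then rate limit.
    The rate limit is a fixed window counted per client IP: once a client
    exceeds the threshold inside a window, its further requests are blocked
    until the next window starts.
    """
    window_counts = Counter()
    decisions = []
    for rec in sorted(records, key=lambda r: r["time"]):
        ip = ip_address(rec["clientIp"])
        if any(ip in net for net in policy.blocked_networks):
            decisions.append((rec, "block", "ip-blocklist"))
            continue
        if rec.get("clientCountry") in policy.blocked_countries:
            decisions.append((rec, "block", "geo-filter"))
            continue
        key = (rec["clientIp"], window_start(rec["time"], policy.rate_limit_minutes))
        window_counts[key] += 1
        if window_counts[key] > policy.rate_limit_threshold:
            decisions.append((rec, "block", "rate-limit"))
        else:
            decisions.append((rec, "allow", None))
    return decisions


def summarize(decisions) -> dict:
    """Count decisions by outcome, e.g. {"allow": 300, "rate-limit": 100, ...}."""
    return dict(Counter(rule or "allow" for _, _, rule in decisions))


def spike_alerts(records, factor: float = 3.0, min_history: int = 3):
    """Flag any minute whose request count exceeds `factor` times the mean of
    the earlier non-alerted minutes, once `min_history` minutes of baseline
    exist. Alerted minutes stay out of the baseline so a sustained flood
    does not raise its own threshold."""
    per_minute = Counter(r["time"].replace(second=0, microsecond=0) for r in records)
    history, alerts = [], []
    for minute in sorted(per_minute):
        count = per_minute[minute]
        if len(history) >= min_history and count > factor * sum(history) / len(history):
            alerts.append((minute, count))
        else:
            history.append(count)
    return alerts


def constructed_log():
    """Constructed log lines: five minutes of ordinary traffic, then one minute
    with a flood from two clients, a few requests from the placeholder blocked
    country, and two requests from the block-listed range."""
    def line(t, ip, country, uri):
        return json.dumps({"time": t.isoformat().replace("+00:00", "Z"),
                           "clientIp": ip, "clientCountry": country, "requestUri": uri})
    base = datetime(2022, 11, 1, 12, 0, tzinfo=timezone.utc)
    lines = []
    for minute in range(5):            # baseline: 20 requests/min from 20 clients
        for i in range(20):
            lines.append(line(base + timedelta(minutes=minute, seconds=3 * i),
                              f"198.51.100.{i + 1}", "US", "/"))
    attack = base + timedelta(minutes=5)
    for i in range(300):               # flood: two clients, 150 requests each
        lines.append(line(attack + timedelta(milliseconds=200 * i),
                          f"203.0.113.{i % 2 + 1}", "US", "/search"))
    for i in range(3):                 # requests from the placeholder blocked country
        lines.append(line(attack + timedelta(seconds=10 + i), "198.51.100.200", "XX", "/"))
    for i in range(2):                 # requests from the block-listed range
        lines.append(line(attack + timedelta(seconds=20 + i), "192.0.2.7", "US", "/"))
    return lines


if __name__ == "__main__":
    records = [parse_line(l) for l in constructed_log()]
    print("decisions:", summarize(evaluate(records, Policy())))
    for minute, count in spike_alerts(records):
        print(f"ALERT {minute:%H:%M}: {count} requests against a ~20/min baseline")
```

Running it shows the two flooding clients losing every request past the per-window threshold while the twenty ordinary clients are untouched, and the attack minute being flagged against the quiet baseline. Two design points carry over to real deployments: rules are applied in priority order, so a cheap block-list or geo match short-circuits before the stateful rate counter is consulted, and a spike detector must keep already-alerted intervals out of its baseline or a sustained flood quickly becomes "normal".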