We're developing a web service hosted in Windows Azure. We expect that at some moments bad guys will try to DDoS it. I Googled and didn't find anything new and definitive (this one is rather vague) about whether Windows Azure has some features against denial of service attacks.
Do we need any special measures? What does Windows Azure offer to protect against denial of service attacks?
Azure DDoS Protection, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks. It's automatically tuned to help protect your specific Azure resources in a virtual network.
Azure DDoS Protection enables you to protect your Azure resources from distributed denial of service (DDoS) attacks with always-on monitoring and automatic network attack mitigation. There is no upfront commitment, and your total cost scales with your cloud deployment.
Azure uses standard detection and mitigation techniques such as SYN cookies, rate limiting, and connection limits to protect against DDoS attacks.
Sign in to the Azure portal and select your DDoS protection plan. On the Azure portal menu, select or search for DDoS protection plans, then select your plan. Under Monitoring, select Metrics. Select Add metric, then select Scope.
The Azure load balancer provides some protection, but the details of this are not published.
I reckon no one service provider could truly have a feature against denial of service attacks, because saying that means preventing DoS attacks. The only way is by mitigating DoS attacks, for which you can employ a number of techniques. I know that Windows Azure partially mitigates Denial of Service attacks, and this is due to the nature of the Load Balancer within the Azure environment.

One technique that I know may work is to deploy an inexpensive role instance (Extra Small or Small) that acts as a reverse proxy to the actual web application, which is sitting on the actual production role instance (Large or Extra Large instance) in Windows Azure. To implement the reverse proxy role instance, just enable ARR, which is a feature within IIS. You can use startup tasks to enable ARR. This reverse proxy role instance may also have a rule in it that checks for certain metrics, and if that metric has exceeded the preset threshold, it basically just stops accepting or forwarding the traffic onto the actual web app, or if automatic scaling is implemented, it just stops scaling beyond a maximum number of allowed instances. This minimizes the economic impact from a DoS attack too.

Then you just rely on how Windows Azure mitigates any Denial of Service attacks, which is when it detects any attack patterns from one Windows Azure role instance to another role instance. In that case it will stop any attacks onto your actual web application.
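The threshold check described in the answer above, as an added example that is not part of the original post: a minimal gate that a reverse-proxy tier could consult before forwarding each request, plus a cap on scale-out. The thresholds, the sample source addresses and the `decide()`/`allow_scale_out()` names are constructed for illustration and are not Azure or ARR APIs.

```python
from collections import defaultdict, deque


class ThresholdGate:
    """Per-source and aggregate request thresholds for a reverse-proxy tier."""

    def __init__(self, max_per_source, window_seconds, max_total, max_instances):
        self.max_per_source = max_per_source
        self.window = window_seconds
        self.max_total = max_total
        self.max_instances = max_instances
        self.per_source = defaultdict(deque)  # source -> forwarded timestamps in window
        self.total = deque()                  # all forwarded timestamps in window

    def _trim(self, q, now):
        # Drop timestamps that have aged out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def decide(self, source, now):
        """Return 'forward' or 'drop' for one request from `source` at time `now`."""
        src = self.per_source[source]
        self._trim(src, now)
        self._trim(self.total, now)
        if len(src) >= self.max_per_source or len(self.total) >= self.max_total:
            return "drop"  # threshold exceeded: stop forwarding to the web role
        src.append(now)
        self.total.append(now)
        return "forward"

    def allow_scale_out(self, current_instances):
        """Cap autoscaling so a flood cannot grow the bill without bound."""
        return current_instances < self.max_instances


def simulate():
    """Constructed traffic: three quiet clients plus one source sending 20 requests in 2 s."""
    gate = ThresholdGate(max_per_source=5, window_seconds=10, max_total=50, max_instances=4)
    counts = {"forward": 0, "drop": 0}
    for i in range(3):
        for j in range(3):
            counts[gate.decide(f"10.0.0.{i}", now=float(j))] += 1
    for k in range(20):
        counts[gate.decide("198.51.100.7", now=k * 0.1)] += 1
    return counts  # {'forward': 14, 'drop': 15}


if __name__ == "__main__":
    print(simulate())
```

The per-source table is itself unbounded memory, so a real deployment would also bound how many sources it tracks; otherwise a flood of spoofed addresses exhausts the proxy instead of the web role.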
A bit outdated blogpost about this but still relevant: http://blogs.blackmarble.co.uk/blogs/sspencer/post/2011/02/14/denial-of-service-and-windows-azure.aspx