This article is contributed. See the original author and article here.

Welcome back to the Security Controls in Azure Security Center series! This time we are here to talk about “Protect applications against DDoS attacks”. 


 


Distributed denial-of-service (DDoS) attacks overwhelm resources and render applications unusable. 


Use Azure DDoS Protection Standard to defend your organization from the three main types of DDoS attacks: 



  • Volumetric attacks flood the network with legitimate traffic. DDoS Protection Standard mitigates these attacks by absorbing or scrubbing them automatically. 

  • Protocol attacks render a target inaccessible, by exploiting weaknesses in the layer 3 and layer 4 protocol stack. DDoS Protection Standard mitigates these attacks by blocking malicious traffic. 

  • Resource (application) layer attacks target web application packets. Defend against this type with a web application firewall and DDoS Protection Standard. 


The “Protect applications against DDoS attacks” Security Control is worth two points and includes the recommendations below.  


 


protectddos.JPG


 


 


Azure DDoS Protection Standard should be enabled 


DDoS attacks are often designed to make an application resource or online service unavailable by overwhelming the resource or service with more traffic than it can handle. Once the resource is no longer able to handle legitimate requests, it might also become vulnerable for code injection. The unavailability of the resource or service presents a significant issue considering legitimate parties also lose access to these resources or servicesDaily business offerings may be halted as a result of the denial of service. Any endpoint that can be publicly reached through the internet is vulnerable to a DDoS attack. DDoS attacks can often be used to divert attention from larger targets such as injecting malware into company resources or data exfiltration.  


 


Like most cyber threats, repairing a DDoS attack will take time and money. Aside from diverting resources to repair the attack, your organization could also be losing money due to the time it takes to get your resources and services back up and running. The best way to be prepared is to have precautions in place that will prevent these attacks from being successful. Azure resources are deployed with Azure Basic DDoS protection enabled, allowing for integrated defense against common network layer threats. Azure DDoS Protection Standard provides enhanced features that are designed specifically for your Azure resources including attack analytics and metrics.  


 


Security Center works with Application Gateway, a web traffic load balancer, that enables users to manage traffic to their web applicationsApplication Gateway also utilizes Web Application Firewall (WAF) to respond, detect and prevent threats from web applications. APG/WAF is best combined with DDoS Protection to ensure Layer 4 – 7 protection.  


 


Container CPU and memory limits should be enforced


Different types of DDoS attacks including Application Level Attacks focus on exhausting a server’s resources, including the CPU, in order to make the server unable to process legitimate requests. Enforcing container CPU and memory limits protect your container workloads from DDoS attacks by preventing the container from using more than the configured resource limit. 


 


Azure Policy add-on for Kubernetes should be installed and enabled on your clusters 


As discussed in our overview of the  Remediate Security Configurations Control and Manage Access and Permissions, this recommendation is geared towards helping users safeguard their Kubernetes clusters by managing and reporting their compliance state.  


 


Next Steps 


Thanks for tuning back in to learn about the “Protect applications against DDoS attacks” Security Control within Azure Security Center. To gain credit for taking steps to protect your resources from DDoS attacks, you must remediate all the recommendations within this Security Control. As a reminder recommendations in Preview are not included in your Secure Score calculation until they are GA. Make sure to also check out our previous blogs and documentation to help you on your Secure Score journey! 



  • The main blog post to this series (found here) 

  • The DOCs article about secure score (which is this one) 


 


Reviewers 


@Tobi Otolorin, Program Manager 2, CxE Network Security 


@Tom Janetscheck , Senior Program ManagerCxE ASC 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.