Ixia Principal Product Manager

Six Simple Steps to Understand How Microsoft Azure DDoS Protection Works

April 18, 2018 by George Zecheru

For anyone who’s experienced a distributed denial of service (DDoS) attack, it is now clear that successful mitigations require the right mitigation technology, excellent processes and procedures, and well-trained security personnel.

While cloud providers enable a variety of options to build cost-effective, secure, scalable, and high-available applications, enterprises have their shared responsibility to ensure DDoS protection controls are in place and properly configured. 

This blog post steps you through a scenario to show how organizations can use DDoS testing to realize the full benefits of the Microsoft Azure DDoS Protection Standard service, without the risks of unnecessary costs and effects of poor user experience.

The goal of this DDoS exercise is to use Ixia’s BreakingPoint Cloud test solution to understand how the Microsoft Azure DDoS Protection Standard service defends your Azure resources by analyzing the telemetry provided by Azure Monitor Service. 

Scenario Overview

Use BreakingPoint Cloud to simulate a DDoS targeting a public IP address on your Azure infrastructure – 400 Mbps TCP SYN Flood, 10-minute duration. The DDoS target (, port 80) is an Azure Load Balancer resource providing outbound connections for virtual machines (web servers) inside your Azure virtual network.

We will analyze the following Azure metrics provided by Microsoft Azure Monitor service:

  • Under DDoS Attack
  • Inbound TCP Packets DDoS
  • Inbound TCP Packets Dropped DDoS
  • Inbound TCP Packets Forwarded DDoS


Before Starting

Prepare a sandbox deployment to match the above scenario. Ensure your Microsoft Azure DDoS Protection Standard service is enabled in the Microsoft Azure Portal.

Step 1 – Configure DDoS Target (IP address and port number)

Login to the BreakingPoint Cloud DDoS simulation self-service portal and set the target IP and port number to match yours.


Figure 1: BreakingPoint Cloud Test Configuration

Step 2 – Choose TCP SYN Flood as DDoS Profile

Select the TCP SYN Flood from the DDoS Profile drop-down list.

Step 3 – Adjust Test Size and Test Duration Settings

Select the test size profile “800K pps, 400 Mbps and 32 source IPs (bots)” and set the test duration to 10 minutes. For meaningful test results, we recommend at least 10 minutes of DDoS simulation. Based on this configuration, BreakingPoint Cloud estimates the test will generate 15 gigabytes of outbound data.

The resulting configuration is shown in figure 1.

Step 4 – Validate IP target ownership by providing BreakingPoint Cloud read access to your Azure subscription

Select the Start Test button.

Upon attempting your first test execution, BreakingPoint Cloud validates that the target IP address resides on your Azure subscription. It does so by prompting you to provide the ID of the Azure subscription where the target IP address is located.


Figure 2: Validate access to target Azure subscription

Use the Azure portal to locate your subscription ID, copy/paste it to “Your Azure Subscription”, then select “Add Subscription” button to complete the step. As a result, you will be redirected to the Microsoft Azure portal login page for authentication and for authorizing BreakingPoint Cloud to read the list of public IPs allocated to that subscription. 


Figure 3: Accept BreakingPoint Cloud's request to read your Azure subscription profile

This step will not be needed for your subsequent tests. You can add multiple target subscriptions if you plan to test DDoS protection of resources across multiple Azure subscriptions.

Upon successfully authorizing access to your subscription, close the Azure Subscriptions popup window and restart your test.


Figure 4: Target Azure Subscription has been successfully authorized

Step 5 – Use BreakingPoint Cloud to monitor the attempted DDoS rates

BreakingPoint Cloud’s dashboard provides quick insights into the volume of attempted DDoS simulation using frames/sec, throughput (Mbps), and total frames sent. Additionally, the outbound data transmitted during the test is also provided in MB (megabytes).


Figure 5: BreakingPoint Cloud DDoS test results dashboard

Step 6 – Use the Microsoft Azure Portal to analyze how the Azure DDoS Protection Standard service defended your network

During a DDoS attack, Microsoft’s Azure Monitor service provides several key metrics to help you understand when you are under attack and how effective the DDoS mitigation is. Those metrics can be further used to create custom alerting rules. Logging can be aggregated to a security information and event management (SIEM) or archived on Azure Storage for advanced analysis via the Azure Monitor Diagnostics interface.

Use the Azure Monitor service to display the DDoS metrics specific to your protected Azure resource(s). Within a few minutes of attack detection, the “Under DDoS Attack” Azure Monitor metric switches to “1,” confirming a DDoS is in progress. 


Figure 6: Azure Monitor's “Under DDoS attack or not” metric confirms the DDoS attacks by switching from 0 to 1

Use the Azure Monitor to review metrics that confirm the inbound DDoS packet rate and dropped DDoS TCP packet rate. In our example, Azure Monitor reports 797K inbound DDoS packets per second, 797K DDoS dropped packets per second and 0 forwarded DDoS packets per second.


Figure 7: Azure Metrics confirms all inbound TCP packets are dropped

Within a few minutes of stopping the DDoS simulation, the “Under DDoS Attack” Azure Monitor metric switches back to “0”, confirming there is no ongoing DDoS. 


Figure 8: BreakingPoint Cloud - Summary of the DDoS simulation


With always-on monitoring and automatic network attack mitigation, adaptive DDoS policy tuning and, most importantly, protection against unplanned costs due to resource charges that are incurred as a result of a documented DDoS attack, Microsoft Azure DDoS Protection Standard service is a must-have for any organization migrating to Azure. 

While Microsoft simplifies the continuous protection against DDoS attacks, organizations using their service have a shared responsibility to ensure their applications and workloads are secure. Organizations that actively participate in their cybersecurity and network resilience implement in-depth defense strategies that include:

  • Understanding how their DDoS protection service works and validating its proper configuration
  • Ensuring security throughout the application lifecycle, from design to deployment and operations
  • Building scalable and high-available architectures by scaling horizontally and elastically to meet the demand of unexpected computational load expected when under DDoS attack 
  • Using DDoS Tabletop Exercises to train their security teams
  • Implementing effective DDoS response strategies
  • Testing security and scalability assumptions

Microsoft’s Azure DDoS Protection Best Practices & Reference Architecture document summarizes defense-in-depth strategies to build secure services with global capacity, globally distributed, and diverse applications that are designed for resilience and tested for failure.

With BreakingPoint Cloud DDoS simulations, Azure customers can better analyze and interpret their Azure DDoS Protection service telemetry to be certain that applications can scale, DDoS compliance is documented, and their security team knows how to quickly respond.

Developed in partnership with and approved by Microsoft, BreakingPoint Cloud enables self-service DDoS validation in a safe, controlled environment.

More Information

Check out the BreakingPoint Cloud Web Portal

Watch the video