A. Joseph Dupre III
Technical Product Manager

What will a simulated DDoS attack on Microsoft Azure DDoS Protection Standard Service reveal?

September 24, 2018 by A. Joseph Dupre III

Distributed denial-of-service (DDoS) attacks are ever-increasing in scope and severity. While the industry has responded to these threats, DDoS remains a leading cause of business service outages and represents a key financial risk. Companies are struggling to keep up with current mitigation best practices and to continuously verify their security preparedness.

DDoS Protection as a Service

As enterprises move more of their mission-critical workloads to Microsoft Azure, they must ensure those workloads are protected from large-scale DDoS attacks around the clock. They also want their teams trained in configuring the DDoS protection service and their incident response procedures battle-tested. And because cloud workloads are dynamic by nature, documenting DDoS compliance becomes harder.

Microsoft has always provided a free Basic DDoS protection tier, which includes always-on monitoring and automatic mitigation of Layer 3 and Layer 4 attacks. Its thresholds, however, are tuned to the traffic volume of an entire Azure region rather than to an individual customer's resources, and it offers no visibility into what is happening while under attack. With the introduction of Azure DDoS Protection Standard, Microsoft has closed this gap: enterprises get mitigation policies tuned to their own traffic volume, logging, alerting, and, most importantly, cost protection for resources that scale out during an attack.

While these features provide real protection and visibility gains, in the absence of an actual DDoS attack many customers never get to see what automatically tuned policies do for them.


Figure 1. Microsoft Azure DDoS Protection Service (source: Microsoft)

A Live Validation of Azure DDoS Protection

In this post, we wanted to check how the DDoS Protection Standard service automatically tunes its policy so that it catches smaller-scale DDoS attacks that the Basic tier would otherwise miss, and at the same time see how quickly the mitigation is triggered.

To answer those questions, we used three Ixia products to provide deeper insights into how the Azure DDoS Protection Service works.

For our experiment, we used a Linux web server running Nginx in a Docker container, deployed with a public IP address in the Azure US East region. Azure DDoS Protection Standard was enabled on the virtual network (VNet) to protect the target web server against attacks.

As a baseline measurement, Ixia's IxLoad Virtual Edition (VE) Layer 7 application performance test tool generated legitimate HTTP client requests to the target web server. IxLoad latency statistics were recorded at this steady state, with no service interruption in progress.

Ixia's BreakingPoint Cloud self-service tool was then configured to generate a TCP SYN flood against the public IP address of the target web server. As a safety measure built into BreakingPoint Cloud, the IP address was validated as belonging to the Azure subscription that owns the web server resource before the attack was started. In collaboration with Microsoft, Ixia has pre-defined DDoS test profiles sized so that an attack scenario can be simulated safely without the need to notify Microsoft of the event.


Figure 2. Azure DDoS Protection deployment validated by Ixia network test tools 

To trigger the Azure DDoS mitigation, we chose a BreakingPoint DDoS profile whose traffic rate exceeded the legitimate traffic IxLoad was already generating (the same volume Microsoft was reporting in the Azure portal metrics), since that baseline is what the adaptive policy tunes its mitigation threshold to. BreakingPoint Cloud then deployed its DDoS bots and launched the attack on the test web server in the US East region.


Figure 3. Test run results of the Ixia BreakingPoint Cloud TCP SYN flood simulation

BreakingPoint Cloud generated 100,383 frames per second, about 55 Mbps of throughput, from 4 source IPs. The test ran for 10 minutes 33 seconds and sent 59,221,257 frames totalling 4,027 MB of data.

From the IxLoad statistics, the steady-state Connect Time before the TCP SYN flood was approximately 73,800 µs (about 74 ms). At the start of the attack, IxLoad recorded latency spikes as high as approximately 4,000,000 µs (4 s), which quickly fell back into the 74,000 µs range once the DDoS mitigation began dropping the attack packets, returning the client quality of experience to normal levels.


Figure 4. IxLoad VE latency statistics indicating DDoS simulation was successfully mitigated by the Microsoft Azure DDoS Protection Standard service 
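As an added illustration (not part of the original post, and not Ixia's code), the following Python computes the kind of time-to-mitigate figure the run above was looking for from a client-side connect-time series such as the one IxLoad exports. The sample series, its 1 s interval, and the onset and recovery thresholds are all constructed assumptions; the shape of the data (a baseline near 73,800 µs, a spike to about 4,000,000 µs, settling back near 74,000 µs) mirrors the run described above.

```python
"""Estimate how quickly a DDoS mitigation took effect from a client-side
connect-time series such as the one IxLoad exports.

Constructed example: the samples, thresholds and 1 s interval are assumptions,
not the blog's measured data."""
from dataclasses import dataclass
from statistics import median
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Sample:
    t_s: float          # seconds since the start of the run
    connect_us: float   # TCP connect time seen by the client, in microseconds


def _steady(i: int) -> float:
    """Synthetic steady-state connect time jittering around 73,800 us."""
    return 73_800.0 + (i % 3 - 1) * 200.0      # 73,600 / 73,800 / 74,000


# Constructed 60 s series at 1 s resolution: 30 s of steady state, a SYN flood
# from t=30 s that drives connect time to ~4 s, then recovery as the mitigation
# starts dropping the attack packets.
ATTACK_TAIL = [4_000_000.0, 2_500_000.0, 900_000.0, 300_000.0, 120_000.0,
               74_000.0, 74_100.0, 73_900.0]
SAMPLES: List[Sample] = [Sample(float(i), _steady(i)) for i in range(30)]
SAMPLES += [Sample(30.0 + k, v) for k, v in enumerate(ATTACK_TAIL)]
SAMPLES += [Sample(float(i), _steady(i)) for i in range(38, 60)]

# Control run with no attack: the analysis must report no onset at all.
QUIET: List[Sample] = [Sample(float(i), _steady(i)) for i in range(60)]


def baseline_us(samples: Iterable[Sample], window_s: float) -> float:
    """Median connect time over the initial steady-state window."""
    vals = [s.connect_us for s in samples if s.t_s < window_s]
    if not vals:
        raise ValueError("no samples inside the baseline window")
    return float(median(vals))


def analyze(samples: List[Sample], baseline_window_s: float = 20.0,
            onset_factor: float = 3.0, recover_tolerance: float = 0.10,
            recover_hold: int = 3) -> dict:
    """Locate attack onset, peak latency and the point where latency settles.

    onset_s     : first sample whose connect time exceeds onset_factor * baseline
    recovered_s : start of the first run of recover_hold consecutive samples
                  within recover_tolerance of baseline after onset (a single
                  lucky sample must not be read as recovery)
    time_to_mitigate_s : recovered_s - onset_s, or None if it never settles
    """
    base = baseline_us(samples, baseline_window_s)
    limit_onset = onset_factor * base
    limit_ok = base * (1.0 + recover_tolerance)
    onset: Optional[float] = None
    recovered: Optional[float] = None
    run_start: Optional[float] = None
    run_len = 0
    peak = 0.0
    for s in sorted(samples, key=lambda x: x.t_s):
        if onset is None:
            if s.connect_us > limit_onset:
                onset = s.t_s            # this sample is part of the attack
            else:
                continue                 # still steady state
        peak = max(peak, s.connect_us)
        if recovered is not None:
            continue
        if s.connect_us <= limit_ok:
            if run_len == 0:
                run_start = s.t_s
            run_len += 1
            if run_len >= recover_hold:
                recovered = run_start
        else:
            run_len = 0
            run_start = None
    settled = onset is not None and recovered is not None
    return {
        "baseline_us": base,
        "onset_s": onset,
        "peak_us": peak if onset is not None else None,
        "recovered_s": recovered,
        "time_to_mitigate_s": (recovered - onset) if settled else None,
    }


if __name__ == "__main__":
    for name, series in (("attack", SAMPLES), ("quiet", QUIET)):
        print(name, analyze(series))
```

On the constructed series this reports onset at 30 s, a 4,000,000 µs peak and recovery at 35 s, i.e. a 5 s time-to-mitigate. With a real IxLoad export, replace `SAMPLES` with the parsed connect-time column and widen `recover_hold` if the sampling interval is shorter than a second.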

Takeaway

Using simulated DDoS traffic alongside legitimate traffic, we have shown how the Azure DDoS Protection Standard service uses adaptive tuning to set its mitigation triggers automatically, so that even a small TCP SYN flood against a single public IP is mitigated. A flood of roughly 55 Mbps and 100,000 packets per second is far below anything that would register at the scale of a whole Azure region, which is exactly the class of attack the per-customer tuned policy exists to catch.

While Microsoft provides these effective mitigation tools, enterprise customers share the responsibility for ensuring that Azure DDoS protection is actually enabled on their resources and that they follow a defense-in-depth strategy. Validation must be repeated continuously to maintain security compliance, isolate configuration errors, and identify environments that do not conform to policies requiring the use of Azure DDoS protection services. Safely modeling DDoS traffic in a Microsoft-approved manner gives Azure customers deeper insight into the security posture of their cloud workloads.
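Two of the checks this post relies on can be scripted: the ownership check BreakingPoint Cloud performs before sending any attack traffic (the target IP must belong to the subscription that owns the web server), and the compliance check that every VNet in scope actually has DDoS Protection Standard attached. The Python below is an added example, not Ixia's or Microsoft's code; it runs over constructed inventory documents in the shape of `az network vnet list -o json` and `az network public-ip list -o json`. The field names (`enableDdosProtection`, `ddosProtectionPlan`, `ipAddress`, `id`), the placeholder subscription ID and the TEST-NET addresses are assumptions, not values from the page.

```python
"""Pre-flight checks before sending simulated DDoS traffic at an Azure public IP.

Constructed example; not Ixia's or Microsoft's code. It reads inventory in the
shape of `az network vnet list -o json` and `az network public-ip list -o json`
(field names enableDdosProtection, ddosProtectionPlan, ipAddress and id are
assumed from the ARM schema; confirm them against your az version)."""
import ipaddress
import json

# Placeholder subscription ID (assumption); the real one comes from `az account show`.
SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
_PREFIX = f"/subscriptions/{SUBSCRIPTION}/resourceGroups"

# Constructed inventory: one VNet with a plan attached, one without, and one in
# an older output shape that lacks the DDoS keys entirely.
VNETS_JSON = json.dumps([
    {"name": "vnet-web-prod",
     "id": f"{_PREFIX}/rg-web/providers/Microsoft.Network/virtualNetworks/vnet-web-prod",
     "enableDdosProtection": True,
     "ddosProtectionPlan": {"id": f"{_PREFIX}/rg-web/providers/Microsoft.Network/ddosProtectionPlans/ddos-eastus"}},
    {"name": "vnet-lab",
     "id": f"{_PREFIX}/rg-lab/providers/Microsoft.Network/virtualNetworks/vnet-lab",
     "enableDdosProtection": False,
     "ddosProtectionPlan": None},
    {"name": "vnet-legacy",
     "id": f"{_PREFIX}/rg-legacy/providers/Microsoft.Network/virtualNetworks/vnet-legacy"},
])

# Constructed public IPs (TEST-NET-3 addresses): one allocated, one dynamic
# and not yet assigned.
PUBLIC_IPS_JSON = json.dumps([
    {"name": "pip-web", "ipAddress": "203.0.113.10",
     "id": f"{_PREFIX}/rg-web/providers/Microsoft.Network/publicIPAddresses/pip-web"},
    {"name": "pip-dynamic", "ipAddress": None,
     "id": f"{_PREFIX}/rg-lab/providers/Microsoft.Network/publicIPAddresses/pip-dynamic"},
])


def load_inventory(vnets_json: str = VNETS_JSON, pips_json: str = PUBLIC_IPS_JSON):
    """Parse the two az outputs; pass real file contents here for a live run."""
    return json.loads(vnets_json), json.loads(pips_json)


def vnets_without_ddos(vnets: list) -> list:
    """Resource IDs of VNets that do not have DDoS Protection Standard in force.

    A VNet counts as protected only if the flag is set AND a plan is attached;
    a missing key is treated as unprotected, never as unknown.
    """
    unprotected = []
    for v in vnets:
        enabled = bool(v.get("enableDdosProtection"))
        plan = (v.get("ddosProtectionPlan") or {}).get("id")
        if not (enabled and plan):
            unprotected.append(v["id"])
    return unprotected


def target_is_owned(target_ip: str, pips: list, subscription: str = SUBSCRIPTION) -> bool:
    """True only if target_ip is an allocated public IP resource in `subscription`."""
    target = ipaddress.ip_address(target_ip)          # rejects malformed input early
    sub_prefix = f"/subscriptions/{subscription.lower()}/"
    for p in pips:
        addr = p.get("ipAddress")
        if not addr:                                  # dynamic IP not yet allocated
            continue
        if ipaddress.ip_address(addr) == target and p["id"].lower().startswith(sub_prefix):
            return True
    return False


def preflight(target_ip: str, vnets: list, pips: list,
              subscription: str = SUBSCRIPTION) -> dict:
    """Gate a simulation run: the target must be ours, and every VNet in scope
    must be protected. The second condition is deliberately strict; narrow it
    to the target's own VNet once you can map the public IP to its NIC/subnet."""
    owned = target_is_owned(target_ip, pips, subscription)
    unprotected = vnets_without_ddos(vnets)
    return {"target_owned": owned,
            "unprotected_vnets": unprotected,
            "proceed": owned and not unprotected}


if __name__ == "__main__":
    vnets, pips = load_inventory()
    print(json.dumps(preflight("203.0.113.10", vnets, pips), indent=2))
```

Against the constructed inventory the target is owned but `proceed` is false, because `vnet-lab` and `vnet-legacy` have no plan attached; that is the kind of finding the continuous validation above is meant to surface. To run it for real, write the two az commands' JSON to files and pass their contents to `load_inventory()`.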

Microsoft has partnered with Ixia to provide Azure cloud enterprise customers a software-as-a-service (SaaS) solution to easily generate traffic against DDoS-protection-enabled public IP addresses for simulations. The BreakingPoint Cloud Microsoft® Azure® DDoS Protection Validation allows customers to:

  • Validate how Microsoft® Azure® DDoS Protection Standard protects Azure resources from DDoS attacks
  • Optimize cloud incident response process while under DDoS attack
  • Document cloud DDoS compliance
  • Train cloud network security teams

For more details on the Microsoft® Azure® DDoS Protection Validation feature in the BreakingPoint Cloud solution, please consult the data sheet online.