Microsoft Adds New Tools to Azure DDoS Protection
27.9.2018 securityweek

Microsoft this week announced a new set of distributed denial of service (DDoS) mitigation tools for Azure, which the company says will provide customers with increased visibility and support when their computing resources are under attack.

Building on the capabilities of Azure DDoS Protection, new features such as DDoS Attack Analytics and DDoS Rapid Response can deliver attack insights that can be leveraged for compliance, security audits, and defense optimizations, and also help customers engage DDoS experts during an active attack for specialized support.

There are three new features that Azure DDoS Protection Standard customers can now take advantage of, namely Attack Mitigation Reports, Attack Mitigation Flow Logs and DDoS Rapid Response. Thus, organizations will get detailed visibility into attack traffic and mitigation actions in Azure Monitor, as well as custom mitigations and support for attack investigation, Microsoft notes.

Leveraging aggregated network flow data, the new Attack Mitigation Reports provide detailed information about attacks targeting an organization’s resources. Once enabled via the Diagnostic Settings in Azure Monitor, the Reports will be processed with Log Analytics, an Azure Storage account or Event Hub for downstream integration with SIEM systems like Splunk or Stream Analytics.

Attack data is generated every five minutes when a customer’s Public IP resource is the target of a DDoS siege, and a post-mitigation report is generated for the entire duration of the assault when it stops. The reports provide information on attack vectors, traffic statistics, involved protocols, attack sources, and reason for dropped packets.

Customers can use Attack Mitigation Flow Logs to review dropped traffic, forwarded traffic, and other attack data in near real-time during an assault. The data can be used in SIEM systems like Splunk or Stream Analytics for near-real-time monitoring, Microsoft claims.

Also enabled via Diagnostic Settings in Azure Monitor, the Logs can be integrated with Log Analytics, a storage account or an Event Hub. Information in the generated Logs includes source and destination IPs, source and destination ports, protocol type, and actions taken during mitigation.

With DDoS Rapid Response (DRR), Microsoft provides customers with access to DDoS experts during an active attack, to help with attack investigation and the deployment of custom mitigations, and to engage in post-attack analysis.

To engage DRR during an active attack, customers need to create a new support request from the Azure Portal, select DDoS Protection as the Service, choose a resource in the resource drop-down menu (a DDoS Plan linked to the virtual network being protected is required), then select the severity as A - Critical Impact and the Problem Type as ‘Under attack’, and complete additional details before submitting the support request.

Planning and preparing for DDoS assaults can prove crucial for understanding the availability of an application during an attack, Microsoft notes. To help organizations with planning, the tech giant published an end-to-end DDoS Protection - Best Practices and Reference Architecture guide and encourages all “customers to apply those practices while designing applications for resiliency against DDoS attacks in Azure.”

Microsoft also announced improved security features for Azure this week, with the addition of Microsoft Authenticator, Azure Firewall, and several other tools to the cloud computing platform.