This blog delves into the development of a comprehensive DDoS response strategy, utilizing the advanced features provided by Azure DDoS Protection.
In today's digital age, enterprises face significant threats from Distributed Denial of Service (DDoS) attacks, which target networks and applications to disrupt their availability and performance. Public IP addresses that are accessible via the internet are particularly susceptible to these attacks, which are classified into three main categories: Volumetric Attacks (saturating network links), Protocol Attacks (targeting server resources), and Resource Attacks (overwhelming application layers). Implementing effective mitigation strategies is crucial for maintaining network integrity. Azure DDoS Protection provides advanced, adaptive features designed for automatic protection against both Volumetric and Protocol Attacks. These features include traffic monitoring, real-time tuning, and detailed analytics. For Resource Attacks, pairing Azure DDoS Protection with Azure Web Application Firewall (WAF) ensures comprehensive Layer 7 (L7) protection.
To thoroughly safeguard against DDoS attacks, it is essential to establish a comprehensive DDoS response plan. This blog will explore the development of a robust DDoS response plan by leveraging the capabilities offered by Azure DDoS Protection.
Building a Robust DDoS Response Plan:
Creating a thorough DDoS response plan is critical for protecting your online services and ensuring they remain accessible. The following steps are fundamental to developing a robust DDoS response strategy.
- Incident Detection: Utilize advanced monitoring tools and establish baseline traffic patterns to quickly identify abnormal activity indicative of a DDoS attack.
- Communication Protocols: Inform all relevant stakeholders through predefined channels and clarify roles and responsibilities to avoid confusion during the crisis.
- Mitigation and Recovery: Implement countermeasures such as traffic filtering, rate limiting, and leveraging cloud-based DDoS protection services to ensure service availability for legitimate users.
- Post-Incident Steps: Assess the attack's impact, identify vulnerabilities, and enhance the response plan through a thorough post-mortem analysis to fortify defences against future attacks.
By following these four steps, you can build a solid DDoS response plan that minimizes disruption and enhances your organization's resilience. Let’s explore these four steps using Azure DDoS Protection in detail.
Incident Detection
Identifying the signs of a DDoS attack is essential. This includes monitoring network traffic, reviewing logs, and analysing alerts. Key indicators to monitor for potential attacks are unusual traffic patterns, spikes in network traffic, service degradation, latency metrics, CPU, memory, and bandwidth usage. Azure DDoS protection metrics can be utilized for this purpose.
- DDoS Protection Metrics: Azure DDoS Protection metrics can be accessed through the Azure Portal:
  - Go to Azure Portal > Monitor > Metrics.
  - In the Metrics scope pane:
    - Select the resource group.
    - Select a resource type of Public IP Address.
    - Select your Azure public IP address.
  - Choose from various DDoS metrics in the “Available metrics” pane.
- Alerts: Alerts can be configured for any of the available DDoS Protection metrics:
  - Works for any of the available DDoS Protection metrics.
  - Alerts when there’s an active mitigation during an attack (using Azure Monitor alert configuration).
  - When the conditions are met, the specified email address receives an alert email.
- Impact to the Applications: We can also evaluate the health of our application using the metrics furnished by the Application Gateway. These metrics offer detailed insights during the attack, including but not limited to the metrics listed below:
  - Failed Requests – Count of failed requests that the App Gateway has served.
  - Throughput – Number of bytes per second the App Gateway has served.
  - Backend First Byte Response Time – Approximate processing time of the backend server.
- Logging: Along with metrics, Azure DDoS Protection offers solid logging capabilities. For example, AzureDiagnostics | where Category == "DDoSProtectionNotifications": this log category furnishes details about the initiation and cessation of DDoS mitigation. These logs serve as a basis for configuring alerts to notify the Security Operations Center (SOC) analyst as necessary.
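The DDoSProtectionNotifications category described above records when mitigation starts and stops for a public IP; the following added example (not code from the original post or from Microsoft) shows how a SOC script could pair those start/stop events into mitigation windows and decide which IPs an alert should fire for. It assumes the flattened Log Analytics column names type_s and publicIpAddress_s, and the log rows are constructed samples.

```python
from datetime import datetime, timezone

# Constructed sample rows, shaped like AzureDiagnostics output for the
# DDoSProtectionNotifications category; column names type_s and
# publicIpAddress_s are an assumption about how Log Analytics flattens them.
SAMPLE_LOGS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "Category": "DDoSProtectionNotifications",
     "type_s": "MitigationStarted", "publicIpAddress_s": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T10:12:00Z", "Category": "DDoSProtectionNotifications",
     "type_s": "MitigationStopped", "publicIpAddress_s": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T10:20:00Z", "Category": "DDoSProtectionNotifications",
     "type_s": "MitigationStarted", "publicIpAddress_s": "203.0.113.25"},
    # A constructed row from another category must not count as a mitigation event.
    {"TimeGenerated": "2024-05-01T10:21:00Z", "Category": "DDoSMitigationFlowLogs",
     "type_s": "FlowRecord", "publicIpAddress_s": "203.0.113.25"},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def mitigation_windows(rows):
    """Pair MitigationStarted/MitigationStopped events per public IP.
    Returns {ip: [(start, stop_or_None), ...]}; stop None means still mitigating."""
    windows, open_start = {}, {}
    for row in sorted(rows, key=lambda r: r["TimeGenerated"]):
        if row.get("Category") != "DDoSProtectionNotifications":
            continue
        ip, kind, when = row["publicIpAddress_s"], row["type_s"], _ts(row["TimeGenerated"])
        if kind == "MitigationStarted":
            open_start[ip] = when
        elif kind == "MitigationStopped" and ip in open_start:
            windows.setdefault(ip, []).append((open_start.pop(ip), when))
    for ip, start in open_start.items():          # starts with no stop yet
        windows.setdefault(ip, []).append((start, None))
    return windows

def active_mitigations(rows):
    """Public IPs currently under mitigation: the set a SOC alert should fire for."""
    return sorted(ip for ip, wins in mitigation_windows(rows).items() if wins[-1][1] is None)

def mitigation_minutes(rows, ip):
    """Completed mitigation time for one IP, handy for the post-incident report."""
    return sum((stop - start).total_seconds() / 60
               for start, stop in mitigation_windows(rows).get(ip, []) if stop is not None)

if __name__ == "__main__":
    print("active mitigation:", active_mitigations(SAMPLE_LOGS))
    print("minutes mitigated for 203.0.113.10:", mitigation_minutes(SAMPLE_LOGS, "203.0.113.10"))
```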
The integration of Azure DDoS Protection with Microsoft Defender for Cloud (MDC) provides recommendations for unprotected public IP addresses and consolidates alerts into a unified dashboard, while also offering regulatory compliance guidance based on established standards. Additionally, the integration of Azure DDoS Protection with Microsoft Sentinel facilitates the ingestion of DDoS logs into Sentinel, where prebuilt queries can generate incidents and alerts. Automated remediation options are available as specified here.
For comprehensive guidance on researching a DDoS attack, please refer to this blog: Azure DDoS Protection – SecOps Deep Dive
Communication
Effective communication is crucial during a DDoS attack. It is essential to establish a robust communication strategy to prevent panic-induced miscommunication or the failure to relay information through appropriate channels. The following image illustrates the critical components of a solid communication plan.
- Azure DDoS Rapid Response: Azure DDoS Protection's Rapid Response (DRR) support team aids with attack investigations during incidents and with post-attack analysis. Engage the DRR team if your protected resource's performance is significantly degraded or unavailable during an attack, if you suspect a DDoS attack but the DDoS Protection service isn't effectively mitigating it, if you're planning an event that will drastically increase network traffic, or if the attack has a critical business impact. You can contact the DRR team during an active attack via Help + Support in the Azure Portal using the steps below.
  - Create a new support request and choose “Issue Type” as Technical.
  - Choose the “Service” as DDoS Protection.
  - Select a DDoS Plan that is being protected by DDoS Network Protection in the “Resource” dropdown.
  - Select "Under attack" in the “Problem Type” dropdown.
  - On the “Details” page, select the severity as A-Critical Impact.
  - Complete additional technical details and submit the support request.
Azure DDoS Rapid Response: https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-rapid-response
Mitigation and Recovery
Mitigation and recovery efforts encompass the implementation of countermeasures to absorb or redirect malicious traffic, ensuring that legitimate users retain uninterrupted access to services.
- Mitigation: Below are key mitigation techniques provided by Azure DDoS Protection:
  - Azure DDoS Protection Adaptive Tuning:
    - No user configuration required.
    - Continuously profiles normal public IP traffic.
    - Utilizes machine learning algorithms to set mitigation thresholds.
  - Azure DDoS Protection Thresholds:
    - Azure DDoS Protection applies three auto-tuned mitigation policies (TCP SYN, TCP, and UDP) for each public IP of the protected resource.
    - Thresholds are auto-configured via machine learning-based network traffic profiling.
    - DDoS mitigation occurs for an IP address under attack only when the policy threshold is exceeded.
- Recovery: To ensure an effective recovery from a Distributed Denial-of-Service (DDoS) attack, the following critical steps must be meticulously executed:
  - Isolate Affected Resources: It is imperative to identify and isolate the compromised resources promptly. This isolation helps in containing the attack and prevents further damage to the network and associated systems.
  - Business Continuity Plans:
    - Disaster Recovery: Develop comprehensive disaster recovery protocols to restore normal operations swiftly. This includes predefined strategies to address the attack's impact and ensure a seamless transition back to standard operations.
    - Backups: Regularly maintain secure and up-to-date backups of critical data and systems. These backups should be readily accessible to facilitate rapid restoration in case of data loss or corruption caused by the attack.
    - Failover Mechanisms: Establish efficient failover mechanisms to shift critical services and applications to alternative servers or locations. This redundancy ensures minimal downtime and continuous service availability during recovery efforts.
  - Patching Vulnerabilities: Conduct a thorough assessment to identify and remediate any vulnerabilities that the attack may have exploited. Implementing patches and updates promptly is essential to fortify the system against future incidents and enhance overall security posture.
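The per-policy threshold behaviour described under Mitigation above (one TCP SYN, TCP and UDP policy per public IP, mitigation only when a threshold is exceeded) as an added illustration that is not Azure's implementation: Azure derives its thresholds with machine-learning traffic profiling, whereas this example substitutes a simple percentile-plus-headroom rule so that the decision logic can be followed end to end. The public IP and baseline packet rates are constructed sample values.

```python
import math

POLICIES = ("TCP SYN", "TCP", "UDP")

# Constructed baseline: packets per second seen in recent intervals for one public IP,
# keyed by policy. In Azure this history comes from the DDoS metrics, not from a dict.
BASELINE_PPS = {
    "203.0.113.10": {
        "TCP SYN": [120, 150, 130, 140, 160, 135, 145, 155, 125, 150],
        "TCP": [4000, 4200, 3900, 4100, 4300, 4050, 4150, 4250, 3950, 4100],
        "UDP": [300, 320, 310, 290, 330, 305, 315, 325, 295, 300],
    }
}

def percentile(values, pct):
    """Nearest-rank percentile, dependency-free."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]

def derive_thresholds(baseline, headroom=2.0, pct=95):
    """One threshold per (public IP, policy): the p95 baseline rate times a headroom
    factor, so ordinary bursts stay below it. Azure's ML profiling is substituted
    by this simple rule purely for illustration."""
    return {ip: {pol: percentile(rates[pol], pct) * headroom for pol in POLICIES}
            for ip, rates in baseline.items()}

def evaluate(thresholds, ip, observed_pps):
    """Policies whose threshold the observed rate exceeds; an empty list means the
    traffic stays within profile and no mitigation is triggered for this IP."""
    return [pol for pol in POLICIES if observed_pps.get(pol, 0) > thresholds[ip][pol]]

if __name__ == "__main__":
    th = derive_thresholds(BASELINE_PPS)
    # SYN flood: SYN rate far above profile while TCP data and UDP stay normal.
    print(evaluate(th, "203.0.113.10", {"TCP SYN": 8000, "TCP": 4100, "UDP": 310}))
    print(evaluate(th, "203.0.113.10", {"TCP SYN": 150, "TCP": 4100, "UDP": 300}))
```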
Post Incident Steps:
After an attack, it is important to conduct a post-attack investigation and analysis, implement best practices, and perform simulation testing.
- DDoS Protection Workbook: Utilizing the Azure DDoS Protection Workbook is highly recommended to triage and understand the DDoS threat landscape.
- Best Practices: Here are some of the best practices to follow:
  - Design for Security:
    - Prioritize security throughout the application lifecycle.
    - Understand your architecture and focus on software quality.
    - Prepare for direct application-level attacks.
  - Design for Scalability:
    - Use horizontal scalability to handle increased load.
    - Avoid single points of failure.
    - Provision multiple instances for resilience.
  - Defense in Depth:
    - Implement multi-layered security.
    - Reduce attack surface using approval lists and NSGs.
- DDoS Attack Simulation: Test your assumptions about how your services will respond to an attack by generating traffic against your applications to simulate a DDoS attack. Don’t wait for an actual attack to happen!
  - Approved simulation partners include BreakingPoint Cloud, Red Button, RedWolf, and MazeBolt.
Conclusion:
DDoS attacks are a serious threat, and having an effective response plan is critical. Utilize effective communication, safeguards, and best practices, and ensure regular testing and updates to stay protected.
References:
Azure DDoS Protection Overview | Microsoft Learn
Microsoft DDoS protection response guide | Blog Azure | Microsoft Azure