Blog Post

Azure Network Security Blog
2 MIN READ

Detect traffic anomalies and auto-mitigate spikes with Azure WAF on Microsoft Azure Front Door

SushantSingh's avatar
SushantSingh
Icon for Microsoft rankMicrosoft
Feb 28, 2022

Introduction

Azure WAF on Microsoft Azure Front Door provides a centralized protection solution for your web applications. WAF includes built-in rules to defend against common exploits and vulnerabilities, and custom rules so you can tailor the protection to your specific needs.

Challenge
A popular use-case for custom rules is to rate limit Front Door traffic based on the Country or IP address range. However, configuring the rate limit threshold can sometimes be tricky due to varying traffic patterns based on the time of the day or the day of the week. For example, a rate limit rule created to protect against traffic spikes on a weekend (when the traffic volume is lower) may not fire on a weekday because what's a spike on a weekend might be the usual traffic volume for a weekday.

 

Solution

It involves two main steps:

  1. Detect anomalous spikes in traffic
  2. Automatically add Azure WAF rules to filter out the traffic causing the spike

 

In the deep-dive video that follows, we do a step-by-step walkthrough of how to perform these steps. The video is structured as follows:

 

- Introduction

  • What anomaly detection is.
  • What anomaly detection tools are available in Azure.

- Defining the problem statement

  • An overview of the challenge and issue we are trying to solve.

- Exploring the architecture diagram

  • An overview of the various components of the system and how they come together to solve the problem.

- Seeing it in action

  • Setup:
    1. Create a WAF policy
    2. Create a Microsoft Azure Front Door
    3. Link it to the WAF policy we created in Step (1)
    4. Define a dynamic threshold alert on the Azure Front Door endpoint
    5. Create an Azure Function that would run when the alert fires
  • Demo:
    • Simulate a DDOS (distributed denial of service) attack
    • Demonstrate that the attack has started
    • Wait for the alert to fire
    • Demonstrate that Azure WAF rules to mitigate the attack get auto-generated
    • Demonstrate the attack is mitigated after the Azure WAF rules are deployed to the edge

 

You can find the reference code here.

 

 

 

 

Updated Mar 02, 2022
Version 3.0
  • dazinator's avatar
    dazinator
    Copper Contributor

    Thanks.
    This may be good for simple cases.

    Not so good for serious attackers that use IP spoofing, but that's a harder problem.