Azure Network Security Blog

Azure DDoS Solution for Microsoft Sentinel

SaleemBseeu (Microsoft)
Feb 02, 2023

Written in collaboration with Amir Dahan

Introduction

Cybercriminals demonstrate increasingly sophisticated tactics, using DDoS attacks as a multi-purpose tool. While DDoS attacks are commonly used to take down critical systems, applications, and infrastructure, they also serve adversaries for extortion and for political or ideological motives. The crown jewel is using a DDoS attack as a smokescreen to conceal a data breach while attention is directed to the attack. By overwhelming the targeted website or application with a large volume of traffic, attackers can exploit vulnerabilities and steal sensitive information.

Customers use Azure DDoS Protection services to safeguard their applications hosted in Azure against DDoS attacks. Microsoft Sentinel and Azure DDoS Protection offer rich integration to easily ingest DDoS Protection logs, then view and analyze this data in Sentinel to create custom alerts and improve security posture, investigation, and response processes. Specifically, customers can correlate DDoS smokescreen attacks with events from different sources to detect advanced attacks, such as data theft, and automatically block them.

We always look for better ways for our customers to achieve more from Azure DDoS Protection and Microsoft Sentinel. In this announcement, we introduce the new Azure DDoS solution for Microsoft Sentinel. The new solution uses Azure DDoS Protection logs to pinpoint offending DDoS sources and to block them from launching other, more sophisticated attacks, such as data theft.

We will first walk through an example use case covered by this solution. Then, we'll describe the solution components, the new alert rules we've created to pinpoint adversaries, and how to leverage Azure Firewall as an example of remediation. Azure Firewall offers remediation by preventing bad actors from accessing and stealing sensitive data in the protected application. The solution also supports third-party firewalls that offer a Sentinel Playbook for IP remediation. In the future, we plan to extend the solution to remediate attackers in Azure WAF for organizations that wish to protect their web applications.

Remediation of adversaries in Azure Firewall

The figure below describes how the solution works and what steps are taken from attack detection to remediation.

  1. An adversary uses a bad bot to launch a multi-vector attack campaign. They start by flooding the customer application with a DDoS attack to create havoc, using DDoS as a smokescreen for the next attack vector.
  2. Azure DDoS Protection continuously monitors attacks on the protected resources. When it detects the attack, it emits log signals to Microsoft Sentinel.
  3. Microsoft Sentinel derives the attacking source IP addresses from the logs and triggers the Azure Firewall Remediation-IP Playbook.
  4. Azure Firewall is ready to remediate the next phases of the adversary lifecycle.
  5. The adversary, who created a smokescreen with the DDoS attack, tries to access resources in the virtual network to steal sensitive data.
  6. Azure Firewall blocks the attacking source IP addresses from accessing the data.

Azure DDoS Protection solution

You can deploy the Azure DDoS Protection solution using the following Azure Marketplace link:

https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-azureddosprotection?exp=ubp8&tab=Overview

The solution installs a data connector for ingesting Azure DDoS Protection diagnostic logs into Microsoft Sentinel, and two analytic rules, which are the main part of this new solution:

  1. DDoS Attack IP Addresses - Percent Threshold: identifies IP addresses that generate over 5% of traffic during a DDoS attack.
  2. DDoS Attack IP Addresses - PPS Threshold: identifies IP addresses whose maximal traffic rate exceeds 10k PPS during a DDoS attack.

Configuring analytic rules

Provide the required information, such as subscription, resource group, and workspace. Review the deployment and click Create.

After successfully deploying the solution, navigate to your Microsoft Sentinel workspace and click Analytics. Under Rule templates, search for DDoS Attack IP Addresses and you will find the two new analytic rules.

Note: The analytic rules analyze Azure diagnostic logs for public IPs. To ensure that the logs are being collected, make sure that diagnostic logging is enabled on your public IP resource. For more information, refer to Tutorial: View and configure Azure DDoS Protection diagnostic logging | Microsoft Learn

Let's create a rule using the rule template. After you click "Create rule", navigate to Set rule logic and make sure the query scheduling is convenient for you. The default setting is to run the query every 2 hours and look up data from the last 2 hours. You can change this setting as you see fit.

Next, we'll verify that the rule query is suitable for your environment. Each of the two analytic rules focuses on a different metric. You have the option to adjust the thresholds for both analytic rules, bearing in mind that one uses a percent threshold (default value: more than 5% of all source IPs) and the other uses a PPS (packets per second) threshold (default value: 10k PPS during DDoS attack mitigation).
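To show what the two thresholds actually select, here is an added Python illustration that is not part of the original post or the solution's own KQL: it reproduces the logic of both rules over a handful of constructed flow-log records. The record fields (ts, src_ip, packets) are assumed for this example and are not the real DDoSMitigationFlowLogs schema.

```python
from collections import defaultdict

# Constructed sample records standing in for DDoSMitigationFlowLogs entries
# seen during one mitigation. Field names are an assumption for this example.
SAMPLE_FLOW_LOGS = [
    # ts = epoch second, packets = packets from src_ip in that record
    {"ts": 1000, "src_ip": "203.0.113.10", "packets": 12000},
    {"ts": 1000, "src_ip": "203.0.113.10", "packets": 1500},
    {"ts": 1001, "src_ip": "203.0.113.10", "packets": 4000},
    {"ts": 1000, "src_ip": "198.51.100.7", "packets": 600},
    {"ts": 1001, "src_ip": "198.51.100.7", "packets": 900},
    {"ts": 1000, "src_ip": "192.0.2.44", "packets": 200},
    {"ts": 1001, "src_ip": "192.0.2.44", "packets": 250},
]


def percent_threshold(records, min_share=5.0):
    """Rule 1: source IPs that sent more than min_share percent of all packets
    during the mitigation. Returns {ip: share_percent}."""
    per_ip = defaultdict(int)
    for r in records:
        per_ip[r["src_ip"]] += r["packets"]
    total = sum(per_ip.values())
    if total == 0:  # no mitigation traffic: nothing to flag
        return {}
    shares = {ip: 100.0 * n / total for ip, n in per_ip.items()}
    return {ip: round(s, 2) for ip, s in shares.items() if s > min_share}


def pps_threshold(records, max_pps=10_000):
    """Rule 2: source IPs whose peak packets-per-second exceeded max_pps.
    Packets are summed per (ip, second) first, then the per-IP peak is taken."""
    per_second = defaultdict(int)
    for r in records:
        per_second[(r["src_ip"], r["ts"])] += r["packets"]
    peak = defaultdict(int)
    for (ip, _ts), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return {ip: p for ip, p in peak.items() if p > max_pps}


def offending_sources(records, min_share=5.0, max_pps=10_000):
    """Union of both rules: the IP list an IP-remediation playbook would receive."""
    hits = set(percent_threshold(records, min_share)) | set(pps_threshold(records, max_pps))
    return sorted(hits)


if __name__ == "__main__":
    print(percent_threshold(SAMPLE_FLOW_LOGS))  # 203.0.113.10 and 198.51.100.7 exceed 5%
    print(pps_threshold(SAMPLE_FLOW_LOGS))      # only 203.0.113.10 peaks above 10k PPS
    print(offending_sources(SAMPLE_FLOW_LOGS, min_share=10.0))  # raising the share drops 198.51.100.7
```

Raising min_share from 5 to 10 removes the moderate-volume source, which is the tuning trade-off between false positives and missed detections that the thresholds expose.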

If you click on "View query results" and get the following error:

Note: if you have not experienced a DDoS attack or performed a DDoS simulation attack, it is normal for the "DDoSMitigationFlowLogs" category to be absent from your workspace logs, and this absence is what produces the error: it indicates that no DDoS attack has occurred. However, in order to create the analytic rule, you will need the "DDoSMitigationFlowLogs" category to be present in your workspace logs. To simulate a DDoS attack, you can use one of our trusted partners for DDoS attack simulation: Azure DDoS Protection simulation testing | Microsoft Learn

Next, ensure that you keep the "Create incidents from alerts triggered by this analytics rule" option enabled. Then, review the deployment and proceed with creation.

Master Playbook Block IP Remediation

With the analytic rules configured, we can now act on any identified malicious source IPs. Microsoft Sentinel offers a Master Playbook for IP remediation, which can add these IPs to your firewall. In this example, we will use the IP group for Azure Firewall as the location to block these IPs. The Master playbook requires at least one of the playbooks mentioned here:

Azure-Sentinel/MasterPlaybooks/Remediation-IP at master · Azure/Azure-Sentinel · GitHub

Since we will use Azure Firewall in this example, refer to the AzureFirewall Block IP Nested Remediation Playbook:

Azure-Sentinel/MasterPlaybooks/Remediation-IP/AzureFirewall-BlockIP-Nested-Remediation at master · Azure/Azure-Sentinel (github.com)

Once completed, follow the instructions on the Master Playbook page (https://github.com/Azure/Azure-Sentinel/tree/master/MasterPlaybooks/Remediation-IP) to deploy the playbook.

Note: The Azure DDoS solution in Microsoft Sentinel can be utilized beyond firewall protection and the specific IP remediation playbook. The output of the analytic rules is a set of source IPs, which can be consumed by other playbooks to proactively block cyber-attacks, regardless of the technology you choose to implement.

Create an automation rule

We've successfully deployed and configured both DDoS analytics rules and IP blocking remediation. The final step is to connect these two parts through an automation rule.

Navigate again to your Microsoft Sentinel workspace and click on "Automation". Create a new automation rule and give it a name.

In the "Conditions" section, select "Contains" and choose the analytic rule we previously configured. Under "Actions", select "Run Playbook" and select the Master playbook for IP remediation. Finally, click "Apply" to create the automation rule.

Simulating a DDoS attack

With the setup configured and ready, the next step is testing the solution. You can simulate a DDoS attack using our approved testing partners. For more information, see Azure DDoS Protection simulation testing | Microsoft Learn

Make sure the public IP you're using for this test is under Azure DDoS Protection before starting the simulation attack. For step-by-step DDoS Network Protection configuration, refer to Quickstart: Create and configure Azure DDoS Network Protection using the Azure portal | Microsoft Learn

Summary

The combination of Azure DDoS Protection and Azure Firewall provides a comprehensive solution to protect against cyber-attacks. This integration enables you to quickly identify and respond to potential attacks, ensuring maximum protection against L3 and L4 types of threats. By using Azure DDoS Protection, Azure Firewall, and Microsoft Sentinel together, you get a unified and automated solution for defending against network and DDoS attacks, making it easier to manage and monitor your network security.

Additional resources

Azure DDoS Protection Overview | Microsoft Learn

What is Azure Firewall? | Microsoft Learn

What is Microsoft Sentinel? | Microsoft Learn

Updated Sep 01, 2023
Version 7.0

  • Anders-DL

    This looks quite interesting.

    For spoof attacks, how does Sentinel prevent itself from disrupting valid or critical traffic streams?

    How does this prevent flow exhaustion attacks against Azure resources?

  • Dean_Gross

    How does this differ from the existing Azure DDoS Protection solution in the Sentinel Content Hub? 

  • Hi Dean_Gross, I wouldn't expect significant cost from Microsoft Sentinel coming from this solution. The analytic rules will only run when there's a DDoS mitigation on the environment, and the price for Basic Logs search queries is $0.007 per GB of data scanned. You can find more details here: Microsoft Sentinel Pricing | Microsoft Azure. What I would be careful around is the DDoS flow logs category, which, depending on the amount of traffic going through your public IP, could generate a big amount of data.

  • Vignesh287

    Good article!!! Will the playbook directly add the rules in the firewall? Or does the playbook only update the IP group, so that we need to predefine the deny rule for the same IP group?

  • Hello Vignesh287, the logic app will only add those malicious IPs to the selected IP group, so your second comment is correct. You will need to have an IP group created and then add it to a specific rule with a deny action to start blocking those IP addresses. Let me know if I can provide more clarity. Thanks!

  • Great question Anders-DL. This solution provides two new analytic rules; both rules have a threshold that can be adjusted to suit your specific environment.

    The first rule identifies public IPs that generate over 5% of all traffic during a DDoS attack. However, each environment is unique, and sometimes a valid single IP address can generate more than 5% of traffic during an attack. In such cases, it is important to understand the type of traffic coming to your public IP and increase the threshold accordingly, for example, to 10% or higher.

    The second rule is designed to identify high packet-per-second (PPS) traffic during an active DDoS attack, with a default threshold of 10,000 PPS. As with the first rule, this threshold can also be modified to best suit your environment and provide maximum security.

    Overall, these rules can help you detect and respond to post-DDoS attacks effectively, but it is important to adjust the thresholds according to your specific environment to avoid false positives or missed detections.

  • Dean_Gross Thank you for the correction, the typo should be fixed now.

    Regarding your second comment: with this new solution, customers can now leverage Azure's DDoS security signals to identify potential bad actors and block any new attack vectors in other security products. For example, the solution works seamlessly with Azure Firewall, Palo Alto Firewall, Checkpoint, and Azure WAF, giving customers more comprehensive protection against cyber-attacks.

  • Vignesh287

    Thanks for your update Saleem, I am trying to simulate the scenario. I hope it is safe to try breakingpoint.cloud and give it Azure subscription details. The application is asking for consent from the tenant admin. Does it affect security and allow the simulators to read the tenant's subscription information? Also, will I only be able to create the analytical rule when a DDoS attack is observed?