Introduction
Distributed Denial of Service (DDoS) attacks have become a frequent threat, wreaking havoc on businesses and their online services. These relentless assaults overwhelm network resources, rendering websites and applications inaccessible to genuine users. One such attack vector, the UDP flood, predominantly leverages reflected amplification techniques to magnify its impact, causing not only service interruptions but also significant consumption of network resources. In this blog post, we delve into how Azure DDoS Protection serves as a formidable defense mechanism against such DDoS attacks.
Azure DDoS Protection is a cloud-based service from Microsoft Azure that automatically detects and mitigates DDoS attacks against Azure resources. Key features and benefits of Azure DDoS Protection include:
Understanding DDoS Attacks
Distributed Denial of Service (DDoS) is a type of malicious cyberattack that aims to disrupt the normal functioning of a server, application, network, or service by overwhelming it with a large amount of traffic. Most DDoS attacks send this large volume of traffic from multiple sources to amplify the attack, making the target overwhelmed and therefore slowing down, crashing or being unavailable to legitimate users.
There are three main categories of DDoS attacks:
UDP Flood Attacks
UDP flood attacks are a widespread type of volumetric DDoS attack, specifically leveraging the reflected amplification technique. In these attacks, an attacker sends a UDP packet to a vulnerable third-party server, which then sends an amplified response to the target. This reflected amplification significantly multiplies the volume of traffic directed at the victim. Such an approach not only floods the target's resources but also consumes a vast chunk of network resources, making it particularly effective.
Recent UDP Attack Trends
In the past few months (January to June 2023), Azure has witnessed and successfully mitigated a variety of UDP flood amplification attacks.
Below is a snapshot of the prevalent UDP amplification attack trends:
Attack Type | Attack Subtype | Count
--- | --- | ---
UDP amplification attack | DNS amplification attack | 23445
UDP amplification attack | NTP amplification attack | 22065
UDP amplification attack | CLDAP amplification attack | 6991
UDP amplification attack | SSDP amplification attack | 9314
UDP amplification attack | Memcached amplification attack | 7210
UDP amplification attack | CharGEN amplification attack | 5617
This data underscores the diverse range of amplification techniques employed by attackers. Such variability demands a robust and versatile defense mechanism, ensuring that systems are prepared to fend off any subtype of UDP flood attack. Azure's infrastructure is designed to detect and counteract such threats proactively, ensuring the full security of workloads.
UDP Flood Attack Process
Unlike TCP, UDP is a connectionless protocol, meaning it does not establish a connection before data transfer and does not ensure the data's integrity. This lack of connection and acknowledgment makes it easier for attackers to send high volumes of packets in a short span without any checks.
A typical UDP flood attack proceeds as follows:
How Azure DDoS Protection Stops UDP Flood Attacks
Azure DDoS Protection effectively mitigates UDP Flood attacks. To demonstrate this capability, we have set up the following scenario in our Azure environment:
The above setup, with an external load balancer, is an example of one of the Azure DDoS Protection reference architectures. For more information you can refer to Azure DDoS Protection reference architectures | Microsoft Learn.
You can view the configuration steps for the VMSS and load balancer below:
Enabling Azure DDoS IP Protection
Both Azure DDoS Network Protection and Azure DDoS IP Protection provide the same level of protection against UDP Flood attacks and can be used to protect our load balancer public IP address.
To configure Azure DDoS IP Protection, we follow the steps below:
Simulating the UDP Flood Attack
We simulate the UDP Flood attack by using Breaking Point Cloud. Breaking Point Cloud is one of the approved Azure DDoS Protection simulation partners. To learn more about the simulation partners you can refer to - Azure DDoS Protection simulation testing | Microsoft Learn. To learn more on using Breaking Point and the prerequisites required, please refer to this comprehensive blog on simulation testing - Strengthening Your Defenses: Simulation Testing for Azure DDoS Protection - Microsoft Community Hub.
We log in to our Breaking Point account and fill in the parameters below:
We click on “Start test” to begin the attack:
In the metrics section of the load balancer public IP address, we select the metric Under DDoS Attack or Not. We can see that the DDoS attack is underway:
Analyzing the Azure DDoS Protection Logs
After carrying out the simulated UDP Flood attack, the next step is to view the Azure DDoS Protection logs in our Log Analytics workspace. In the logs section of the Log Analytics Workspace where we are sending our DDoS logs, we run the following queries to view the generated logs:
AzureDiagnostics
| where Category == "DDoSProtectionNotifications"
The above query allows us to view the DDoS Protection Notification Logs. The notification logs inform us whenever a public IP resource comes under attack, and when attack mitigation is over. In our query results, we see the sample below of the notification log details:
AzureDiagnostics
| where Category == "DDoSMitigationFlowLogs"
The above query displays DDoS Mitigation Flow Logs. These logs allow us to review in near-real time the dropped traffic, forwarded traffic and other attack insights during an active DDoS attack. In our query results we see below a sample of the mitigation flow log details:
We see numerous UDP packets being dropped by Azure DDoS IP Protection because they exceeded the destination rate limit. We can also summarize the logs to view the specific number of packets dropped in our UDP flood attack by using the following query:
AzureDiagnostics
| where Category == "DDoSMitigationFlowLogs"
| where Message == "Rate limit exceeded - Dst limited"
| summarize count() by strcat(protocol_s, destPort_s)
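To show what the summarize query above produces when run offline, here is an added Python example (not from the original post or from Azure) that applies the same filter and aggregation to a constructed JSON-lines export of AzureDiagnostics rows, and additionally labels each dropped UDP destination port with the amplification subtype from the table earlier in the post. The column names protocol_s and destPort_s come from the query; the port-to-subtype mapping, the sample rows and the notification message strings are assumptions made for this example.

```python
import json
from collections import Counter

# Well-known UDP service ports for the amplification subtypes in the table
# above (a mapping added for this example, not part of the original post).
AMPLIFICATION_PORTS = {"53": "DNS", "123": "NTP", "389": "CLDAP",
                       "1900": "SSDP", "11211": "Memcached", "19": "CharGEN"}
DST_LIMITED = "Rate limit exceeded - Dst limited"

# Constructed sample of AzureDiagnostics rows exported from Log Analytics as
# JSON lines. Column names follow the KQL queries above; values are made up.
SAMPLE_LOGS = """\
{"Category": "DDoSProtectionNotifications", "Message": "mitigation started (constructed)"}
{"Category": "DDoSMitigationFlowLogs", "Message": "Rate limit exceeded - Dst limited", "protocol_s": "UDP", "destPort_s": "53"}
{"Category": "DDoSMitigationFlowLogs", "Message": "Rate limit exceeded - Dst limited", "protocol_s": "UDP", "destPort_s": "53"}
{"Category": "DDoSMitigationFlowLogs", "Message": "Rate limit exceeded - Dst limited", "protocol_s": "UDP", "destPort_s": "123"}
{"Category": "DDoSMitigationFlowLogs", "Message": "Forwarded", "protocol_s": "TCP", "destPort_s": "443"}
{"Category": "DDoSMitigationFlowLogs", "Message": "Rate limit exceeded - Dst limited", "protocol_s": "UDP", "destPort_s": "53"}
{"Category": "DDoSProtectionNotifications", "Message": "mitigation stopped (constructed)"}
"""

def parse_logs(text):
    """Parse a JSON-lines export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def dst_limited_flows(rows):
    """Flow-log rows dropped for exceeding the destination rate limit, as
    (protocol, destination port) pairs; same filter as the KQL query above."""
    return [(r.get("protocol_s", ""), r.get("destPort_s", ""))
            for r in rows
            if r.get("Category") == "DDoSMitigationFlowLogs"
            and r.get("Message") == DST_LIMITED]

def dropped_by_protocol_port(rows):
    """Same aggregation as the summarize query: a count keyed by
    strcat(protocol_s, destPort_s)."""
    counts = Counter(proto + port for proto, port in dst_limited_flows(rows))
    return dict(counts)

def likely_vectors(rows):
    """Map each dropped UDP destination port to the amplification subtype it
    usually indicates, most-dropped first, for comparison with the report."""
    ports = Counter(port for proto, port in dst_limited_flows(rows) if proto == "UDP")
    return [(AMPLIFICATION_PORTS.get(port, "unknown"), port, n)
            for port, n in ports.most_common()]

if __name__ == "__main__":
    rows = parse_logs(SAMPLE_LOGS)
    print(dropped_by_protocol_port(rows))   # {'UDP53': 3, 'UDP123': 1}
    print(likely_vectors(rows))             # [('DNS', '53', 3), ('NTP', '123', 1)]
```

The port-to-subtype labels are a heuristic for triage; the authoritative attack vector is the one reported in the DDoS Mitigation Reports described next.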
AzureDiagnostics
| where Category == "DDoSMitigationReports"
The above query displays DDoS Mitigation Reports Logs. These logs allow you to view aggregated, detailed information on the DDoS attack. An incremental report is generated every five minutes, and a post-mitigation report covers the whole mitigation period. The information viewed includes the attack type/vector, protocols, ports, top source attack countries and the Autonomous System Numbers (ASNs).
Conclusion
Protecting digital assets from DDoS attacks has never been more crucial, especially with the current prevalence of these attacks. UDP flood attacks are particularly formidable, taking advantage of the User Datagram Protocol, which is a foundation of many internet applications and services. These attacks aim to saturate server resources or network infrastructure by sending a deluge of packets, making legitimate traffic impossible to process.
Azure DDoS Protection provides a formidable defense against volumetric DDoS attacks such as UDP Flood. By proactively detecting, mitigating, and adapting to evolving threats, Azure DDoS Protection ensures that your critical online services remain accessible to legitimate users even in the face of relentless attacks.
Resources