Distributed denial-of-service (DDoS) attacks overwhelm resources and render applications unusable.
Use Azure DDoS Protection Standard to defend your organization from the three main types of DDoS attacks:
The "Protect applications against DDoS attacks" Security Control is worth two points and includes the recommendations below.
DDoS attacks are often designed to make an application resource or online service unavailable by overwhelming it with more traffic than it can handle. Once the resource is no longer able to handle legitimate requests, it might also become vulnerable to code injection. The unavailability of the resource or service is a significant issue because legitimate parties also lose access to it. Daily business offerings may be halted as a result of the denial of service. Any endpoint that can be publicly reached through the internet is vulnerable to a DDoS attack. DDoS attacks can often be used to divert attention from larger targets, such as injecting malware into company resources or exfiltrating data.
Like most cyber threats, recovering from a DDoS attack will take time and money. Aside from diverting resources to recover from the attack, your organization could also be losing money during the time it takes to get your resources and services back up and running. The best way to be prepared is to have precautions in place that will prevent these attacks from being successful. Azure resources are deployed with Azure Basic DDoS protection enabled, allowing for integrated defense against common network layer threats. Azure DDoS Protection Standard provides enhanced features that are designed specifically for your Azure resources, including attack analytics and metrics.
Security Center works with Application Gateway, a web traffic load balancer that enables users to manage traffic to their web applications. Application Gateway also uses Web Application Firewall (WAF) to detect, respond to and prevent threats against web applications. APG/WAF is best combined with DDoS Protection to ensure Layer 4-7 protection.
Different types of DDoS attacks, including application-level attacks, focus on exhausting a server’s resources, including the CPU, in order to make the server unable to process legitimate requests. Enforcing container CPU and memory limits protects your container workloads from DDoS attacks by preventing the container from using more than the configured resource limit.
As discussed in our overview of the Remediate Security Configurations Control and Manage Access and Permissions, this recommendation is geared towards helping users safeguard their Kubernetes clusters by managing and reporting their compliance state.
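One way to check the container limits recommendation yourself, as an added example that is not from the original post or from Security Center: the Python function below scans pod specs for containers that have no CPU or memory limit. The sample input is constructed in the shape of `kubectl get pods -A -o json` output, and the function name and pod names are assumptions.

```python
import json

REQUIRED = ("cpu", "memory")

def missing_limits(pod_list):
    """Return (namespace, pod, container, [missing resources]) for every
    container that lacks a CPU or memory limit."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        # Init containers consume node resources too, so check them as well.
        containers = spec.get("initContainers", []) + spec.get("containers", [])
        for c in containers:
            # "requests" alone does not cap usage; only "limits" does.
            limits = (c.get("resources") or {}).get("limits") or {}
            missing = [r for r in REQUIRED if not limits.get(r)]
            if missing:
                findings.append((meta.get("namespace", "default"),
                                 meta.get("name"), c.get("name"), missing))
    return findings

# Constructed sample, shaped like `kubectl get pods -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "shop", "name": "web-1"},
   "spec": {"containers": [
     {"name": "nginx",
      "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}},
  {"metadata": {"namespace": "shop", "name": "api-1"},
   "spec": {"initContainers": [{"name": "migrate"}],
            "containers": [
     {"name": "api",
      "resources": {"requests": {"cpu": "250m"},
                    "limits": {"memory": "512Mi"}}}]}},
  {"metadata": {"namespace": "batch", "name": "worker-1"},
   "spec": {"containers": [{"name": "worker", "resources": {}}]}}
]}
""")

if __name__ == "__main__":
    for ns, pod, ctr, missing in missing_limits(SAMPLE):
        print(f"{ns}/{pod} container={ctr} missing limits: {', '.join(missing)}")
```

A container that sets only `requests` is still reported, because a request reserves capacity but does not stop the container from consuming more.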
Thanks for tuning back in to learn about the “Protect applications against DDoS attacks” Security Control within Azure Security Center. To gain credit for taking steps to protect your resources from DDoS attacks, you must remediate all the recommendations within this Security Control. As a reminder, recommendations in Preview are not included in your Secure Score calculation until they are GA. Make sure to also check out our previous blogs and documentation to help you on your Secure Score journey!
P.S. Consider joining our Tech Community where you can be one of the first to hear the latest Azure Security Center news, announcements and get your questions answered by Azure Security experts.
@Tobi Otolorin, Program Manager 2, CxE Network Security
@Tom Janetscheck, Senior Program Manager, CxE ASC