Welcome back to the Security Controls in Microsoft Defender for Cloud series! This time we are here to talk about "Protect applications against DDoS attacks".
Distributed denial-of-service (DDoS) attacks overwhelm resources and render applications unusable.
Use Azure DDoS Protection Standard to defend your organization from the three main types of DDoS attacks:
- Volumetric attacks flood the network with a large amount of seemingly legitimate traffic. DDoS Protection Standard mitigates these attacks by absorbing or scrubbing them automatically.
- Protocol attacks render a target inaccessible by exploiting weaknesses in the layer 3 and layer 4 protocol stack. DDoS Protection Standard mitigates these attacks by blocking malicious traffic.
- Resource (application) layer attacks target web application packets. Defend against this type with a web application firewall together with DDoS Protection Standard.
The "Protect applications against DDoS attacks" Security Control is worth two points and includes the recommendations below.
Azure DDoS Protection Standard should be enabled
DDoS attacks are often designed to make an application resource or online service unavailable by overwhelming it with more traffic than it can handle. Once the resource is no longer able to handle legitimate requests, it might also become vulnerable to code injection. The unavailability of the resource or service is a significant issue, because legitimate parties also lose access to it. Daily business offerings may be halted as a result of the denial of service. Any endpoint that can be publicly reached through the internet is exposed to a DDoS attack. DDoS attacks are also often used to divert attention from a larger objective, such as injecting malware into company resources or exfiltrating data.
Like most cyber threats, recovering from a DDoS attack takes time and money. Aside from diverting resources to respond to the attack, your organization could also lose money during the time it takes to get your resources and services back up and running. The best way to be prepared is to have precautions in place that prevent these attacks from succeeding.
Besides protecting your resources against DDoS attacks, enabling DDoS Protection Standard provides additional benefits such as:
- Cost protection for protected resources that scale out due to a DDoS attack
- A discount for Web Application Firewall (WAF) on Application Gateways
- Access to the DDoS Rapid Response (DRR) team of expert engineers
Defender for Cloud works with Application Gateway, a web traffic load balancer that enables users to manage traffic to their web applications. Application Gateway also includes Web Application Firewall (WAF) to detect, prevent and respond to threats against web applications. Application Gateway WAF is best combined with DDoS Protection to ensure protection from Layer 4 through Layer 7.
Container CPU and memory limits should be enforced
Different types of DDoS attacks, including application-layer attacks, focus on exhausting a server's resources, including CPU, so that the server can no longer process legitimate requests. Enforcing container CPU and memory limits protects your container workloads from DDoS attacks by preventing a container from consuming more than its configured resource limit.
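As an added example that is not from the original post or from Microsoft, the Python below audits pod manifests for the condition this recommendation checks: every container must declare both a CPU and a memory limit, and each limit must stay under a ceiling the operator sets. The quantity parser, the ceilings and the sample pod manifests are constructed for illustration.

```python
"""Audit Kubernetes pod specs for missing or oversized CPU/memory limits.

Constructed example: the pod manifests below are made up, not taken from a
real cluster.  A container without limits can consume the whole node under
an application-layer flood, starving its neighbours.
"""
import re

# Kubernetes quantity suffixes -> multiplier (binary and decimal SI).
_SUFFIX = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "k": 10**3, "M": 10**6, "G": 10**9}


def parse_quantity(q):
    """Convert a Kubernetes quantity ("500m", "256Mi", "2") to a float.
    CPU millicores ("m") become cores; memory suffixes become bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]*)", str(q))
    if not m:
        raise ValueError(f"bad quantity: {q!r}")
    num, suffix = float(m.group(1)), m.group(2)
    if suffix == "m":
        return num / 1000
    return num * _SUFFIX.get(suffix, 1)


def audit_pod(pod, max_cpu=2.0, max_mem=parse_quantity("1Gi")):
    """Return findings for one pod manifest (dict form); empty means compliant.
    Ceilings (2 cores, 1Gi) are assumed operator policy, not Azure defaults."""
    findings = []
    name = pod["metadata"]["name"]
    for c in pod["spec"].get("containers", []):
        limits = c.get("resources", {}).get("limits", {})
        for res, ceiling in (("cpu", max_cpu), ("memory", max_mem)):
            if res not in limits:
                findings.append(f"{name}/{c['name']}: no {res} limit")
            elif parse_quantity(limits[res]) > ceiling:
                findings.append(f"{name}/{c['name']}: {res} limit {limits[res]} exceeds ceiling")
    return findings


# Constructed sample manifests: one compliant pod, one with two violations each.
SAMPLE_PODS = [
    {"metadata": {"name": "web"}, "spec": {"containers": [
        {"name": "nginx", "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}},
    {"metadata": {"name": "worker"}, "spec": {"containers": [
        {"name": "job", "resources": {"limits": {"cpu": "4"}}},
        {"name": "sidecar"}]}},
]

if __name__ == "__main__":
    for pod in SAMPLE_PODS:
        for finding in audit_pod(pod):
            print(finding)
```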
Azure Policy add-on for Kubernetes should be installed and enabled on your clusters
As discussed in our overviews of the Remediate Security Configurations and Manage Access and Permissions Security Controls, this recommendation helps users safeguard their Kubernetes clusters by managing and reporting their compliance state.
Next Steps
Thanks for tuning back in to learn about the "Protect applications against DDoS attacks" Security Control within Microsoft Defender for Cloud. To gain credit for taking steps to protect your resources from DDoS attacks, you must remediate all the recommendations within this Security Control. As a reminder, recommendations in Preview are not included in your Secure Score calculation until they are GA. Make sure to also check out our previous blogs and documentation to help you on your Secure Score journey!
- The main blog post for this series
- The docs article about Secure Score
P.S. Consider joining our Tech Community where you can be one of the first to hear the latest Microsoft Defender for Cloud news, announcements and get your questions answered by Azure Security experts.
Reviewers
Tobi Otolorin, CxE Network Security
@Tom Janetscheck, Senior Program Manager, CxE ASC