azure ddos protection
Automating Enriched DDoS Alerts Using Logic Apps
In today's digital world, Distributed Denial of Service (DDoS) attacks have become one of the most common and disruptive threats facing online applications and services. These attacks aim to overwhelm a target, typically a website, API, or server, by flooding it with massive volumes of traffic, rendering it slow or completely inaccessible.

Azure DDoS Protection is Microsoft's cloud-native defense that helps safeguard public-facing endpoints hosted in Azure. It works by continuously monitoring traffic patterns at the network layer (L3 and L4) and applying mitigation techniques in real time when suspicious or anomalous activity is detected. Azure DDoS Protection is tightly integrated with the Azure platform and provides always-on traffic scrubbing without requiring any manual intervention.

While Azure mitigates these attacks in the background, understanding who is attacking, which resources are targeted, and how often these events occur is helpful. This is where Azure Logic Apps shines. Azure Logic Apps is a platform that simplifies the integration and automation of multiple services to run your business workflows. You can run your custom code or use no code at all to get your workflows running. When combined with Log Analytics and KQL queries, Logic Apps can help you extract critical insights from DDoS logs, including:
- Attack start and end times
- Affected public IPs
- Top attacking IPs, countries, and ASNs
- Volume of traffic and packets dropped
- Attack patterns and frequency
- Application availability

The result of the process is an email alert with details about the resource associated with the public IP, as listed above. The owner of the resource is added as a recipient of the email, along with the security team, who are alerted when the attack occurs. Whether you're a security engineer, a product owner, or part of a cloud operations team, this solution can help you improve visibility and enhance coordination during DDoS incidents.

Let's dive into how this automation works. Here is the link to this template.

Note: This template is an updated version of the same template discussed in this blog: Enriching DDoS Protection Alerts with Logic Apps.

What this template contains:
- Log Search Alert rule
- Action Group
- Logic App
- Office 365 API Connector
- Azure Monitor Logs API Connector

Parameters to input when deploying:
- Security team's email address
- Company domain (in the form of abc@domain.com)
- Workspace name (name of the Log Analytics workspace being used)

Prerequisites:
- A public IP address with DDoS Protection enabled, either via IP Protection or Network Protection
- A Log Analytics workspace to which the above public IP address sends diagnostic logs, specifically all of the following categories:
  - DDoS protection notifications
  - Flow logs of DDoS mitigation decisions
  - Reports of DDoS mitigations

Note: The Log Analytics workspace must reside in the same resource group as the one where this template is being deployed.

Authentication prerequisites:

Azure Resource Graph
- The Logic App uses a managed identity to authenticate with Azure Resource Graph and query metadata about Azure resources.
- Required role: the Logic App's managed identity needs Reader or higher on the subscription (or resource group) that contains the public IP address under DDoS protection.

Log Analytics workspace
- To run Kusto queries and retrieve DDoS mitigation logs, the Logic App connects to the Log Analytics workspace using the same managed identity.
- Required role: the Logic App's managed identity needs Log Analytics Reader on the target workspace.

Office 365 (email notifications) API connection
- For sending enriched alert emails, the Logic App uses an API connection to Office 365.
- This connection must be authorized to send emails on behalf of the configured account, specifically the Mail.Send and User.Read permissions.
- You must sign in and authorize this connection once during setup, using the Outlook credentials of the account that should send the emails.
- If your tenant has admin consent policies, a Global Admin might need to approve use of the connectors (especially Office 365) for the Logic App.

Azure Monitor Logs API connection
- The template queries the flow logs of DDoS mitigation decisions and the reports of DDoS mitigations. For this it needs the AzureMonitorLogs API connection, so authorizing this connection is necessary for it to work as expected.
- You must sign in and authorize this connection once during setup.

Firewall and network rules
Ensure that no IP restrictions block access from the Logic App to the target services or to the public test URL used in the HTTP step. You can find the outgoing IP addresses as follows:
1. Go to your Logic App.
2. Select Properties.
3. Look for the "Runtime outgoing IP addresses" section; these are your runtime IPs.

Now, let's look at what each item in the template does and how it works.

Log Search Alert rule
- Monitors log data: it continuously scans the Azure Diagnostics logs, specifically targeting entries where the Category is DDoSProtectionNotifications and the type_s field indicates a "Mitigation started" event.
- Runs on a schedule: the rule runs every 5 minutes and looks back at the last 30 minutes of logs. This ensures near-real-time detection of mitigation activity. (The look-back time can be increased if needed.)
- Triggers on the first sign of mitigation: if even one matching log entry is found (i.e., one mitigation event has started), the alert fires. This makes it extremely responsive.
- Alerts through an Action Group: once triggered, the rule calls a predefined Action Group, which invokes a webhook to notify a Logic App.

Why it's useful: while Azure DDoS Protection automatically mitigates volumetric and protocol attacks at the network edge, getting alerted when an event occurs requires user configuration. This rule provides that by:
- Notifying your team the moment mitigation begins
- Adding observability, so you can correlate mitigation with service behavior or performance dips

Action Group: Enrich-DDoSAlert, connecting detection to automation
When a DDoS attack is detected through an Azure Monitor alert, the response needs to be fast and efficient. That's where Action Groups come in. In this case, the Enrich-DDoSAlert action group acts as the automation trigger for our DDoS response pipeline. This action group is configured to call a webhook tied to an Azure Logic App using a secure HTTP POST request as soon as the alert fires. The Logic App then carries out a series of enrichment and response steps based on the DDoS alert.

Why this matters: the action group acts as a real-time bridge between detection and automation, triggering the Logic App instantly when an alert fires. The Action Group ensures that:
- The alert is captured
- Automation is triggered
- The investigation process starts without delay

Logic App: Enrich-DDoSAlert, step-by-step breakdown

1. Triggered via HTTP request. Accepts a payload containing alert metadata such as:
   o Target resource ID
   o DDoS alert details
   o Search links and interval data
2. Extracts the impacted public IP and performs enrichment. Using Azure Resource Graph, it queries the target IP to determine:
   o The associated Azure resource (VM, App Gateway, etc.)
   o DNS name, tags, region, resource group, and owner (from tags)
3. Connectivity check (optional validation). It performs an HTTP GET request to the DNS name/IP of the attacked resource, checking whether it is still up and responding.
4. Generates an HTML-formatted email. Using all this context, it builds a clean, readable email body that includes:
   o Top source IPs
   o IP under attack
   o Resource name/type
   o DNS name
   o Region
   o Tag info (owner, environment, etc.)
   o Link to Log Analytics search results
   o Status of the connectivity test (code, headers, body)
5. Queries Azure Monitor logs again, this time to build a thorough DDoS post-mitigation report. After a 50-minute delay, it runs a query on the DDoS mitigation logs to extract:
   o Top source IPs
   o Top countries, ASNs, and continents
   o Time of mitigation
   o Traffic overview
   Note: this delay is required, but can be adjusted slightly. During this time the post-mitigation reports accumulate so they can be sent as an email in the next steps. Without this delay the reports will not populate correctly.
6. Sends a second email, titled "Post Mitigation DDoS Report", containing the above data.

The post-mitigation report plays a vital role in strengthening your defense strategy. By reviewing patterns in traffic origin, volume, and behavior, teams can:
o Identify recurring attack sources or suspicious geographies
o Correlate DDoS activity with other system anomalies
o Fine-tune firewall and WAF rules based on attacker fingerprints

In short, this enriched reporting not only enhances visibility but also enables teams to proactively adapt their security posture and reduce the impact of future attacks.

Who gets notified? Office 365 API connector
Both emails are sent using an authenticated Office 365 connector, delivered to the security team and to the tagged owner (both entered during deployment). The high-priority first email ensures visibility, while the second report gives retrospective clarity.
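To make the detection and enrichment steps concrete, here is an added Python example. It is not the template's own Logic App code (which uses KQL through the Azure Monitor Logs connector); it runs the same logic offline over constructed log rows: the alert rule's "MitigationStarted within the last 30 minutes" check, the start/end window of a mitigation, and the post-mitigation roll-up of top source IPs, countries, ASNs and protocols that goes into the second email. The column names (type_s, PublicIpAddress_s, SourcePublicIpAddress_s, SourceCountry_s, SourceAsn_s, DestPublicIpAddress_s, Protocol_s) and all sample rows are assumptions constructed for the example; the addresses come from documentation ranges and the ASNs from the reserved 64496 block.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like AzureDiagnostics records. The column names
# are assumptions for this illustration, not a verified copy of the Azure schema;
# adapt them to the columns present in your workspace.
T0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
VICTIM = "203.0.113.10"                      # TEST-NET-3 address, constructed
ALERT_EVAL_TIME = T0 + timedelta(minutes=3)  # one of the rule's 5-minute evaluations

NOTIFICATIONS = [
    {"TimeGenerated": T0, "Category": "DDoSProtectionNotifications",
     "type_s": "MitigationStarted", "PublicIpAddress_s": VICTIM},
    {"TimeGenerated": T0 + timedelta(minutes=42), "Category": "DDoSProtectionNotifications",
     "type_s": "MitigationStopped", "PublicIpAddress_s": VICTIM},
    # an older mitigation on another IP, outside the alert's 30-minute look-back
    {"TimeGenerated": T0 - timedelta(hours=3), "Category": "DDoSProtectionNotifications",
     "type_s": "MitigationStarted", "PublicIpAddress_s": "203.0.113.20"},
]


def _flow(src, country, asn, proto, minutes, dst=VICTIM):
    """Build one constructed mitigation flow-log row `minutes` after T0."""
    return {"TimeGenerated": T0 + timedelta(minutes=minutes), "Category": "DDoSMitigationFlowLogs",
            "DestPublicIpAddress_s": dst, "SourcePublicIpAddress_s": src,
            "SourceCountry_s": country, "SourceAsn_s": asn, "Protocol_s": proto}


FLOW_LOGS = (
    [_flow("198.51.100.1", "XA", "AS64496", "TCP", m) for m in (1, 2, 3, 4)]
    + [_flow("198.51.100.2", "XA", "AS64496", "UDP", m) for m in (2, 5)]
    + [_flow("192.0.2.7", "XB", "AS64497", "TCP", 6)]
    + [_flow("192.0.2.9", "XB", "AS64497", "TCP", 7, dst="203.0.113.20")]  # other target
    + [_flow("192.0.2.7", "XB", "AS64497", "TCP", 60)]                     # after mitigation ended
)


def mitigation_started(rows, now, lookback=timedelta(minutes=30)):
    """What the log search alert rule evaluates: notification rows of type
    MitigationStarted inside the look-back window. One row is enough to fire."""
    window_start = now - lookback
    return [r for r in rows
            if r["Category"] == "DDoSProtectionNotifications"
            and r["type_s"] == "MitigationStarted"
            and window_start <= r["TimeGenerated"] <= now]


def mitigation_window(rows, public_ip):
    """Start and (if already logged) end of the most recent mitigation for one public IP."""
    def times(kind):
        return sorted(r["TimeGenerated"] for r in rows
                      if r["PublicIpAddress_s"] == public_ip and r["type_s"] == kind)
    start = times("MitigationStarted")[-1]
    end = next((t for t in times("MitigationStopped") if t >= start), None)
    return start, end


def post_mitigation_summary(flow_rows, public_ip, start, end, top_n=5):
    """The enrichment extracted after the delay: top sources by IP, country, ASN and
    protocol for flows towards the attacked IP during the mitigation window."""
    upper = end if end is not None else datetime.max.replace(tzinfo=timezone.utc)
    rows = [r for r in flow_rows
            if r["DestPublicIpAddress_s"] == public_ip and start <= r["TimeGenerated"] <= upper]
    return {
        "public_ip": public_ip,
        "mitigation_start": start.isoformat(),
        "mitigation_end": end.isoformat() if end else "ongoing",
        "flow_records": len(rows),
        "top_source_ips": Counter(r["SourcePublicIpAddress_s"] for r in rows).most_common(top_n),
        "top_countries": Counter(r["SourceCountry_s"] for r in rows).most_common(top_n),
        "top_asns": Counter(r["SourceAsn_s"] for r in rows).most_common(top_n),
        "protocols": Counter(r["Protocol_s"] for r in rows).most_common(),
    }


def render_report(summary):
    """Plain-text body for the 'Post Mitigation DDoS Report' email."""
    lines = [f"Post Mitigation DDoS Report for {summary['public_ip']}",
             f"Mitigation: {summary['mitigation_start']} -> {summary['mitigation_end']}",
             f"Flow records in window: {summary['flow_records']}"]
    for key in ("top_source_ips", "top_countries", "top_asns", "protocols"):
        lines.append(key.replace("_", " ") + ": "
                     + ", ".join(f"{name} ({n})" for name, n in summary[key]))
    return "\n".join(lines)


if __name__ == "__main__":
    for hit in mitigation_started(NOTIFICATIONS, ALERT_EVAL_TIME):
        ip = hit["PublicIpAddress_s"]
        start, end = mitigation_window(NOTIFICATIONS, ip)
        print(render_report(post_mitigation_summary(FLOW_LOGS, ip, start, end)))
```

Note the two boundary cases the workflow has to handle: a "MitigationStopped" row that has not arrived yet (the summary is then marked "ongoing" and includes later flows), and flows to other public IPs in the same workspace, which are filtered out by destination so one report covers one attacked IP.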
Why this is useful:
- Reduces manual effort: no more pivoting across multiple tools to gather context
- Speeds up response: teams get instant details
- Bridges alert to action: combines signal (alert) with enrichment (Resource Graph + logs) and delivery (email)
- Customizable: you can adjust queries, recipients, or even trigger conditions

Azure Monitor Logs API Connector
The Azure Monitor Logs API connector allows Logic Apps to query data from Log Analytics using Kusto Query Language (KQL). In this solution, it is essential for extracting DDoS-specific insights, such as top attacking IPs, countries, ASNs, and traffic volume, from diagnostic logs.

What it does in this template:
- Executes KQL queries against your Log Analytics workspace
- Retrieves flow logs from DDoSMitigationFlowLogs and mitigation reports from DDoSMitigationReports
- Delivers summarized data such as top attacker IPs, source ASNs and countries, mitigation start/end time, and traffic patterns

Here are some examples of the automated and enriched DDoS emails:

Potential Attack, first email, sent as soon as an attack event is identified: (screenshot)

Post Mitigation Summary email: (screenshot)

Conclusion
This Logic App doesn't just automate alerting; it gives your team actionable context. By stitching together signals from Azure Monitor and Resource Graph, and packaging them into enriched, structured emails, it transforms raw alerts into informed decisions. Whether you're triaging incidents or conducting post-attack analysis, this setup ensures you're not starting from scratch each time. As attacks grow more complex, automation like this isn't just nice to have; it's essential. Start simple, adapt to your needs, and let your defenses work smarter.

Optimizing DDoS Protection Costs: Adding IPs to Existing DDoS Protection Plans
Azure DDoS Protection has been a key part of securing internet-facing applications in the cloud. The DDoS Network Protection SKU already provides robust capabilities for protecting resources at scale. However, in certain architectures additional flexibility is beneficial, as it allows organizations to align protection more closely with their security and cost management strategies.

We're introducing a new enhancement, "Add to existing DDoS Protection Plan", that provides this flexibility. The feature allows you to link individual public IPs (configured with the IP Protection SKU) to a DDoS Network Protection plan. Once linked, the public IP is no longer billed at the standalone IP Protection SKU rate of 199 USD/month; instead, it is covered under the DDoS Network Protection plan billing. The DDoS Network Protection plan itself is priced at 2,944 USD/month and includes coverage for up to 100 public IPs. If the number of linked IPs exceeds 100, each additional IP incurs an overage fee of 29.5 USD/month. This provides a more scalable and cost-effective way to manage DDoS protection across large environments.

How to Link Public IPs to a DDoS Protection Plan
Below is how you can configure this feature using the Azure Portal and PowerShell.

In the Azure Portal
1. Go to Public IP addresses in the Azure portal.
2. Select the public IP you want to protect.
3. Under Protect IP Address, click Protect.
4. Set Protection Type to IP.
5. Enable Add to existing DDoS Protection Plan.
6. Choose your existing DDoS Network Protection plan from the dropdown.
7. Click Save.

This links the public IP to your network-level DDoS plan and eliminates the separate charge for the IP Protection SKU, avoiding duplicate billing.

Using PowerShell

```powershell
# Get the DDoS protection plan
$ddosPlan = Get-AzDdosProtectionPlan -Name "YourPlanName" -ResourceGroupName "YourPlanRG"

# Get and update the Public IP
$publicIp = Get-AzPublicIpAddress -Name "YourPublicIPName" -ResourceGroupName "YourIPRG"
$publicIp.DdosSettings = @{
    ProtectionMode     = "Enabled"
    DdosProtectionPlan = @{ Id = $ddosPlan.Id }
}
Set-AzPublicIpAddress -PublicIpAddress $publicIp
```

Use Case 1: Selective Protection Within a VNET
In many environments, a single VNET may host multiple public IPs across development, staging, and production workloads. Previously, enabling DDoS Network Protection at the VNET level would automatically include all public IPs, potentially securing more resources than intended and increasing cost. With this new feature, you can:
- Assign the DDoS IP Protection SKU only to the public IPs you want to protect
- Link them individually to a DDoS Network Protection plan
- Gain granular control and optimize costs without restructuring your network

This is ideal for organizations that want to apply protection only where it's needed, such as critical production endpoints, while excluding development and test environments.

Use Case 2: Enabling DDoS Protection on Azure Firewall in Virtual WAN Hubs
While it has always been possible to enable DDoS IP Protection on Azure Firewalls deployed in Virtual WAN (VWAN) hubs using the IP Protection SKU, customers using the DDoS Network Protection SKU could not previously extend their existing plan to cover these firewall public IPs. This meant they would incur additional costs for IP Protection even if they were already paying for Network Protection. With the Add to existing DDoS Protection Plan feature, this limitation is removed. Customers can now:
- Assign the DDoS IP Protection SKU to the Azure Firewall's public IP in a VWAN hub
- Link that public IP to their existing DDoS Network Protection plan

Once linked, the standalone IP Protection SKU charge is waived, allowing customers to consolidate billing under their Network Protection plan. This improves cost efficiency and enables unified protection across both VNET and non-VNET resources.

Script to Link Public IPs to DDoS Protection Plan
To streamline the process, here is a PowerShell script that enables the DDoS IP Protection SKU on selected public IPs and links them to an existing DDoS Network Protection plan. Update the variables below with your environment details:

```powershell
# Variables
$resourceGroupName = "YourResourceGroupName"
$ddosProtectionPlanName = "YourDdosProtectionPlanName"
$publicIpNames = @("PublicIP1", "PublicIP2", "PublicIP3") # Add your public IP names here

# Get the DDoS protection plan
$ddosProtectionPlan = Get-AzDdosProtectionPlan -ResourceGroupName $resourceGroupName -Name $ddosProtectionPlanName

# Loop through each public IP and enable DDoS protection
foreach ($publicIpName in $publicIpNames) {
    # Get the public IP address
    $publicIp = Get-AzPublicIpAddress -Name $publicIpName -ResourceGroupName $resourceGroupName

    # Check if the public IP is Standard SKU
    if ($publicIp.Sku.Name -ne "Standard") {
        Write-Output "Skipping ${publicIpName}: DDoS protection is only supported on Standard SKU public IPs."
        continue
    }

    # Enable DDoS protection and associate with the DDoS protection plan
    $publicIp.DdosSettings = @{
        ProtectionMode     = "Enabled"
        DdosProtectionPlan = @{ Id = $ddosProtectionPlan.Id }
    }

    # Update the public IP address
    Set-AzPublicIpAddress -PublicIpAddress $publicIp
    Write-Output "DDoS protection enabled for ${publicIpName} and associated with DDoS protection plan ${ddosProtectionPlanName}."
}
```

This script is also available in our GitHub repository for easy access, with more details on how to run it.

Note: DDoS protection is supported only on Standard SKU public IPs. The script checks for this and skips unsupported ones automatically.

Conclusion
The Add to existing DDoS Protection Plan feature gives Azure customers more control and flexibility in applying DDoS protection to their resources. Whether you are looking to protect specific workloads within a VNET or extend coverage to non-VNET resources like Azure Firewall in Virtual WAN, this capability helps you:
- Apply protection exactly where it is needed
- Avoid unnecessary billing
- Automate DDoS configuration at scale

To learn more about Azure DDoS Protection, visit the official Azure documentation: Azure DDoS Protection Overview | Microsoft Learn

Protecting the Public IPs of Secured Virtual Hub Azure Firewalls against DDoS Attacks
As discussed in the earlier blog post "Fortify Your Azure Firewall: Custom Public IP Configuration on Secured Virtual Hub Deployments", in today's cloud-focused environment the management of network security has become increasingly important. Azure Firewall has long been an effective solution for securing virtual networks and virtual hubs, but recent updates have further enhanced its capabilities. The ability to specify your own Azure public IP for your Azure Firewall within an Azure Virtual WAN Secured Virtual Hub, rather than relying on Azure to automatically assign one, is a great feature that provides enhanced control over your network's public-facing IPs, enabling alignment with organizational security policies and compliance standards. In this blog, we'll discuss enhancing the security of your secured virtual hub Azure Firewall by configuring Azure DDoS IP Protection for a comprehensive solution.

Recap of the key benefits of using specific public IPs for your Secured Virtual Hub Azure Firewalls
- Full control: gain complete ownership and management over the lifecycle of your firewall's public IP address. This means you can assign, reassign, and retire IP addresses as needed, ensuring that your network infrastructure remains agile and responsive to changing demands. With full control, you can also implement custom configurations and policies that align with your specific security and operational requirements.
- Enhanced security: strengthen your network's defenses by enabling Distributed Denial of Service (DDoS) mitigation. This advanced security feature helps protect your infrastructure from malicious attacks that aim to overwhelm your network with excessive traffic. By proactively identifying and neutralizing potential threats, DDoS mitigation ensures that your services remain available and secure, providing peace of mind and uninterrupted access for your users.
- IP address flexibility: enjoy the flexibility of allocating public IP addresses from a predefined IP prefix pool. This allows you to efficiently manage your IP resources, ensuring that you have the right number of addresses available for your current and future needs. With this flexibility, you can easily scale your network, accommodate new devices, and optimize IP address usage, all while maintaining a streamlined and organized IP address management system.

How to enable Azure DDoS IP Protection
In this section we'll configure Azure DDoS Protection to prevent DDoS attacks against the deployment. This is a key benefit that comes with the ability to configure your own public IPs on the Azure Firewall with Secured Virtual Hub.

1. Select any of the public IPs you have associated with the firewall; this brings you to the Overview blade of that resource.
2. From the Overview blade, select the Protect button under Get Started. This is how we enable the protection level for the public IP here, since the SKU used for the protection will be Azure DDoS IP Protection, not Azure DDoS Network Protection. Because the virtual network used for the Virtual Hub is a managed virtual network, we cannot use the DDoS Network Protection SKU. You also have the option to enable this level of protection via Azure PowerShell or Azure CLI.
3. From this view, we can see the various ways to configure DDoS protection for a public IP in Azure. As mentioned before, public IPs associated with an Azure Firewall in Secured Virtual Hub must use IP protection. If you already have a DDoS Protection Plan, you will have the option to link it to the DDoS IP SKU when enabling IP protection. When a DDoS IP SKU is linked to a plan, you are only charged by your DDoS Protection Plan, instead of being charged for both.
4. Once DDoS IP Protection is enabled, you can check the following three metrics, under the public IP resource, to validate the threshold levels applied to the public IP:
   - Inbound SYN packets to trigger DDoS mitigation
   - Inbound UDP packets to trigger DDoS mitigation
   - Inbound TCP packets to trigger DDoS mitigation
   This indicates that Azure DDoS IP Protection is on and protecting the workload behind the public endpoint.

Conclusion
Configuring specific public IP addresses for your Azure Firewall within a secured virtual hub represents a major leap forward in network security management. This feature not only offers enhanced control over your firewall's public-facing IPs but also significantly bolsters your security posture by incorporating Azure DDoS IP Protection. By utilizing this capability, you can safeguard your firewall against potential DDoS attacks, ensuring a more resilient and secure environment for your applications and services.

Fortify Your Azure Firewall: Custom Public IP Configuration on Secured Virtual Hub Deployments
Written in collaboration with davidfrazee and gusmodena.

In today's cloud-centric world, managing network security is more critical than ever. Azure Firewall has always been a robust solution for protecting your virtual networks, but recent updates have made it even more powerful. One of the latest enhancements allows you to configure which public IP addresses are used on your Azure Firewall in an Azure Virtual WAN Secured Virtual Hub, rather than having Azure automatically assign one for you. This new feature provides greater control over your network's public-facing IPs, enabling you to align them with your organization's security policies and compliance requirements.

Moreover, this capability opens the door to leveraging Azure DDoS IP Protection. By selecting specific public IPs for your firewall, you can ensure that these addresses are shielded from distributed denial-of-service (DDoS) attacks, enhancing the overall security posture of your Azure environment. This integration not only fortifies your defenses but also simplifies the management of your network security infrastructure.

In this blog, we discuss our newly announced feature for Azure Firewall, detailing how to configure public IP addresses from your own subscription and highlighting the benefits of this enhancement.

Key Benefits
- Full control: own and manage the lifecycle of your firewall's public IP.
- Enhanced security: enable DDoS mitigation for better protection.
- IP address flexibility: allocate public IPs from an IP prefix pool.

How-To
To get started with configuring public IP addresses on your Azure Firewall, you'll need to follow a few straightforward steps. This guide walks you through the process so that you can take full advantage of this new feature. By the end of this section, you'll have a clear understanding of how to assign specific public IPs to your firewall, enhancing your control over network security and enabling the integration of Azure DDoS IP Protection.

1. You've created an Azure Virtual WAN and now need to deploy secured virtual hubs. A great place to start building out the environment in the Azure Portal is Azure Firewall Manager. Here you have a centralized management portal to view your Azure Firewalls, firewall policies, Azure DDoS Protection plans, and more.
2. Once you're in Azure Firewall Manager, select Virtual Hubs to build a new secured virtual hub.
3. Once you've completed the basic configuration for the secured virtual hub, you'll have the option to start creating the Azure Firewall. You'll notice a new option called Select source of public IP. Here we select Customer provided (Preview) to define which public IPs will be used for the new secured virtual hub. You can choose a pre-created public IP or create a new one from the Firewall Manager blade.
4. With the secured virtual hub created, navigate back to Azure Firewall Manager and manage the new deployment from there. Under Virtual Hubs, select the firewall name to manage its public IP addresses.
5. To add more public IPs to your Azure Firewall, you can either create new public IP resources or select from pre-created ones. This feature ensures that Azure won't just assign an IP for you; instead, you have the flexibility to choose or create the specific public IPs that align with your network requirements. This approach provides greater control and customization for your firewall's public-facing IP addresses.

Now that we've added public IPs to the Azure Firewall, we can configure Azure DDoS Protection to prevent DDoS attacks against the deployment. This is a key benefit that comes with the ability to configure your own public IPs on the Azure Firewall with Secured Virtual Hub. Stay tuned for our next blog post, where we'll go through the steps needed to protect the public IP associated with your secured virtual hub Azure Firewall.

Conclusion
The ability to configure specific public IP addresses for your Azure Firewall in a secured virtual hub marks a significant advancement in network security management. This feature not only grants you greater control over your firewall's public-facing IPs but also enhances your security posture by enabling the integration of Azure DDoS IP Protection. As we continue to navigate the complexities of cloud security, features like these empower organizations to tailor their security strategies to meet their unique needs and compliance requirements. Stay tuned for more updates and best practices on optimizing your Azure Firewall and protecting your network infrastructure.

Building a DDoS Response Plan
In today's digital age, enterprises face significant threats from Distributed Denial of Service (DDoS) attacks, which target networks and applications to disrupt their availability and performance. Public IP addresses that are accessible via the internet are particularly susceptible to these attacks, which are classified into three main categories: Volumetric Attacks (saturating network links), Protocol Attacks (targeting server resources), and Resource Attacks (overwhelming application layers). Implementing effective mitigation strategies is crucial for maintaining network integrity. Azure DDoS Protection provides advanced, adaptive features designed for automatic protection against both Volumetric and Protocol Attacks. These features include traffic monitoring, real-time tuning, and detailed analytics. For Resource Attacks, pairing Azure DDoS Protection with Azure Web Application Firewall (WAF) ensures comprehensive Layer 7 (L7) protection. To thoroughly safeguard against DDoS attacks, it is essential to establish a comprehensive DDoS response plan. This blog will explore the development of a robust DDoS response plan by leveraging the capabilities offered by Azure DDoS Protection. Building a Robust DDoS Response Plan: Creating a thorough DDoS response plan is critical for protecting your online services and ensuring they remain accessible. The following steps are fundamental to developing a robust DDoS response strategy. Incident Detection: Utilize advanced monitoring tools and establish baseline traffic patterns to quickly identify abnormal activity indicative of a DDoS attack. Communication Protocols: Inform all relevant stakeholders through predefined channels and clarify roles and responsibilities to avoid confusion during the crisis. Mitigation and Recovery: Implement countermeasures such as traffic filtering, rate limiting, and leveraging cloud-based DDoS protection services to ensure service availability for legitimate users. 
Post-Incident Steps: Assess the attack's impact, identify vulnerabilities, and enhance the response plan through a thorough post-mortem analysis to fortify defences against future attacks. By following these four steps, you can build a solid DDoS response plan that minimizes disruption and enhances your organization's resilience. Let’s explore these four steps using Azure DDoS Protection in detail. Incident Detection Identifying the signs of a DDoS attack is essential. This includes monitoring network traffic, reviewing logs, and analysing alerts. Key indicators to monitor for potential attacks are unusual traffic patterns, spikes in network traffic, service degradation, latency metrics, CPU, memory, and bandwidth usage. Azure DDoS protection metrics can be utilized for this purpose. DDoS Protection Metrics: Azure DDoS Protection Metrics can be accessed through the Azure Portal: Go to Azure Portal > Monitor > Metrics. In the Metrics scope pane: Select the resource group. Select a resource type of Public IP Address. Select your Azure public IP address. Choose from various DDoS metrics in the “Available metrics” pane. Alerts: Alerts can be configured for any of the available DDoS Protection metrics. When conditions are met, the specified email address receives an alert. Works for any of the available DDoS Protection metrics. Alerts when there’s an active mitigation during an attack (using Azure Monitor alert configuration). When the conditions are met, the specified email address receives an alert email. Impact to the Applications: We can also evaluate the health of our application using the metrics furnished by the Application Gateway. These metrics offer detailed insights during the attack time, including but not limited to the metrics listed below: Failed Requests – Count of Failed Requests that the App Gateway has served. Throughput – Number of Bytes per second the App Gateway has served. 
Backend First Byte Response Time – Approximating Processing time of backend server. Logging: Along with metrics, Azure DDoS Protection offers solid logging capabilities. For example, AzureDiagnostics | where Category == “DDoSProtectionNotifications”: This log category furnishes details about the initiation and cessation of DDoS mitigation. These logs serve as a basis for configuring alerts to notify the Security Operations Center (SOC) Analyst as necessary. The integration of Azure DDoS Protection with Microsoft Defender for Cloud (MDC) provides recommendations for unprotected public IP addresses and consolidates alerts into a unified dashboard, while also offering regulatory compliance guidance based on established standards. Additionally, the integration of Azure DDoS Protection with Microsoft Sentinel facilitates the ingestion of DDoS logs into Sentinel, where prebuilt queries can generate incidents and alerts. Automated remediation options are available as specified here. For comprehensive guidance on researching a DDoS attack, please refer to this blog: Azure DDoS Protection – SecOps Deep Dive Communication Effective communication is crucial during a DDoS attack. It is essential to establish a robust communication strategy to prevent panic-induced miscommunication or the failure to relay information through appropriate channels. The following image illustrates the critical components of a solid communication plan Azure DDoS Rapid Response: Azure DDoS Protection's Rapid Response Support team aids with attack investigations during incidents and post-attack analysis. Engage the DRR team if your protected resource's performance is significantly degraded or unavailable during an attack, if you suspect a DDoS attack but the DDoS Protection service isn't effectively mitigating it, if you're planning an event that will drastically increase network traffic, or if the attack has a critical business impact. 
You can contact the DRR team during an active attack via Help + Support in the Azure Portal using the steps below:
1. Create a new support request and choose “Issue Type” as Technical.
2. Choose the “Service” as DDoS Protection.
3. Select a DDoS Plan that is being protected by DDoS Network Protection in the “Resource” dropdown.
4. Select "Under attack" in the “Problem Type” dropdown.
5. On the “Details” page, select the severity as A-Critical Impact.
6. Complete the additional technical details and submit the support request.

Azure DDoS Rapid Response: https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-rapid-response

Mitigation and Recovery

Mitigation and recovery efforts encompass the implementation of countermeasures to absorb or redirect malicious traffic, thereby ensuring uninterrupted access to services for legitimate users.

Mitigation: Below are the key mitigation techniques provided by Azure DDoS Protection.

Azure DDoS Protection Adaptive Tuning:
- No user configuration required.
- Continuously profiles normal public IP traffic.
- Utilizes machine learning algorithms to set mitigation thresholds.

Azure DDoS Protection Thresholds: Azure DDoS Protection applies three auto-tuned mitigation policies (TCP SYN, TCP, and UDP) for each public IP of the protected resource. Thresholds are auto-configured via machine learning-based network traffic profiling. DDoS mitigation occurs for an IP address under attack only when the policy threshold is exceeded.

Recovery: To ensure an effective recovery from a Distributed Denial-of-Service (DDoS) attack, the following critical steps must be meticulously executed:

Isolate Affected Resources: It is imperative to identify and isolate the compromised resources promptly. This isolation helps in containing the attack and prevents further damage to the network and associated systems.

Business Continuity Plans:

Disaster Recovery: Develop comprehensive disaster recovery protocols to restore normal operations swiftly.
This includes predefined strategies to address the attack's impact and ensure a seamless transition back to standard operations.

Backups: Regularly maintain secure and up-to-date backups of critical data and systems. These backups should be readily accessible to facilitate rapid restoration in case of data loss or corruption caused by the attack.

Failover Mechanisms: Establish efficient failover mechanisms to shift critical services and applications to alternative servers or locations. This redundancy ensures minimal downtime and continuous service availability during recovery efforts.

Patching Vulnerabilities: Conduct a thorough assessment to identify and remediate any vulnerabilities that the attack may have exploited. Implementing patches and updates promptly is essential to fortify the system against future incidents and enhance the overall security posture.

Post Incident Steps

After an attack, it is important to conduct a post-attack investigation and analysis, implement best practices, and perform simulation testing.

DDoS Protection Workbook: Utilizing the Azure DDoS Protection Workbook is highly recommended to triage and understand the DDoS threat landscape.

Best Practices: Here are some of the best practices to follow.

Design for Security:
- Prioritize security throughout the application lifecycle.
- Understand your architecture and focus on software quality.
- Prepare for direct application-level attacks.

Design for Scalability:
- Use horizontal scalability to handle increased load.
- Avoid single points of failure.
- Provision multiple instances for resilience.

Defense in Depth:
- Implement multi-layered security.
- Reduce the attack surface using approval lists and NSGs.

DDoS Attack Simulation: Test your assumptions about how your services will respond to an attack by generating traffic against your applications to simulate a DDoS attack. Don’t wait for an actual attack to happen!
Approved simulation partners include BreakingPoint Cloud, Red Button, RedWolf, and MazeBolt.

Conclusion: DDoS attacks are a serious threat, and having an effective response plan is critical. Utilize effective communication, safeguards, and best practices, and ensure regular testing and updates to stay protected.

References:
Azure DDoS Protection Overview | Microsoft Learn
Microsoft DDoS protection response guide | Blog Azure | Microsoft Azure

Understanding the Evolving Threat of DDoS Attacks in 2024
You can access the full report here: Microsoft Digital Defense Report 2024

The Rise of Network and Application Layer Attacks

Beginning in mid-March 2024, there was a noticeable rise in network DDoS attacks, peaking at approximately 4,500 attacks per day by June. These attacks primarily targeted medium-sized applications, with a significant shift towards application layer attacks. Unlike traditional network-level attacks, application layer attacks are more stealthy, sophisticated, and difficult to mitigate. These attacks, which range from 100,000 to 1 million packets-per-second, are aimed directly at specific web applications, revealing the relentless nature of attackers trying to evade volumetric DDoS protection tactics. Without adequate protection, these applications would experience significant availability issues.

The increased focus of DDoS attacks on the application layer rather than the more traditional network layers has created a greater risk of impact on business availability. This shift has affected critical services such as online banking and airline check-ins, highlighting the need for robust application layer protection.

The Emergence of Application Loop Attacks

A new type of cyberattack, known as the "loop attack," is targeting the protocols that are essential for internet communication. This vulnerability affects application-layer protocols that rely on the User Datagram Protocol (UDP), such as TFTP, DNS, and NTP, as well as legacy protocols like Echo, Chargen, and QOTD. The loop attack triggers an endless loop of error messages between servers, leading to severe degradation of service and network quality. Unlike traditional UDP-based floods, loop attacks do not amplify traffic volume with each spoofed packet but can still cause significant disruption by trapping multiple servers in a never-ending communication loop.
This attack highlights the vulnerabilities within our network protocols and underscores the need for continuous vigilance and robust security measures to protect against such sophisticated threats.

Mitigation Efforts and Actionable Insights

To combat the increasing threat of DDoS attacks, it is crucial to minimize the exposure of your applications over the public internet. This reduces the attack surface area and helps protect against potential threats. For applications that must be exposed, adopting a defense-in-depth strategy is essential. Ensure that network layer DDoS protection is in place to protect these applications. Specifically for web applications, deploying a web application firewall is vital to provide comprehensive application layer protection. Integrating DDoS simulations into the software development lifecycle and making them a regular part of security operations is also recommended. This ensures that applications and workloads have the appropriate level of protection and can scale effectively to handle potential attacks.

The Impact of DDoS Attacks in India

In 2024, India continued to be heavily impacted by DDoS attacks, particularly in the gaming sector. The number of DDoS attacks per customer in India has more than doubled since 2020, with mid-size throughput attacks reaching around 1,000 attacks per day on the gaming sector alone. This accounted for approximately 20% of all attacks in the APAC region during that period. The finance, technology, and government sectors were also major targets. The attack volume per customer increased from 1.4 Gbps to 2.4 Gbps. Layer 4 (L4) attacks were the most prevalent type of DDoS attack in the APAC region and globally. DNS query floods were the most common type of application-level DDoS attacks in India. Hacktivists, who use cyberattacks to express their political, social, or ideological views, were a major source of these attacks.
There was a notable spike in DDoS activity in June 2024, coinciding with India's national elections.

To mitigate these threats, it is essential to implement robust DDoS protection solutions, secure the network and application infrastructure, harden the DNS infrastructure, and prepare an incident response plan. Here are some actionable insights:
- Implement a DDoS Protection Solution: Secure the network and application infrastructure, harden the DNS infrastructure, and prepare an incident response plan.
- Security Measures: Implement security measures such as firewalls, load balancers, and routers to secure the network and application infrastructure.
- DNS Hardening: Implement security measures such as DNSSEC and DNS filtering to harden the DNS infrastructure.

By following these actionable insights, organizations can better protect themselves against the increasing threat of DDoS attacks and ensure the availability and security of their critical services.

Leveraging Azure DDoS Protection

To effectively combat DDoS attacks, customers can leverage Azure DDoS Protection. This service provides comprehensive protection against DDoS attacks by continuously monitoring traffic and automatically mitigating threats. Azure DDoS Protection integrates seamlessly with Azure services, offering enhanced security for your applications and ensuring business continuity even during an attack.

Azure DDoS Protection provides several key features:
- Always-on Monitoring: Monitors traffic 24/7 and automatically mitigates attacks once detected.
- Adaptive Tuning: Learns your application's traffic patterns and adjusts profiles in real-time.
- Attack Analytics: Provides detailed reports during and after attacks, with logs for real-time monitoring.
- Attack Alerts: Configurable alerts for attack start, stop, and duration, integrating with operational software.
- Rapid Response: Access to the DDoS Rapid Response team for attack investigation and post-attack analysis.
- Platform Integration: Integrated into Azure with easy configuration through the Azure portal.
- Turnkey Protection: Simplified setup that protects all resources on a virtual network immediately.
- Multi-Layered Defense: Works with Azure WAF to protect both network (Layer 3 and 4) and application layers (Layer 7).

It is important to note that Azure DDoS Protection primarily provides protection against layer 3 and 4 DDoS attacks. To achieve comprehensive application layer protection, customers can supplement Azure DDoS Protection with Azure Web Application Firewall (WAF). Azure WAF offers robust security features to protect web applications from common threats and vulnerabilities at the application layer. By utilizing Azure DDoS Protection and Azure WAF, organizations can protect their digital assets and maintain high availability of their services.

For more detailed insights and to learn how to implement Azure DDoS Protection, visit Azure DDoS Protection Overview | Microsoft Learn

Conclusion

The Microsoft 2024 Security Report underscores the evolving nature of DDoS attacks and the need for continuous vigilance and robust security measures. As attackers become more sophisticated, it is essential for organizations to stay ahead of the curve by implementing comprehensive DDoS protection strategies and regularly testing their defenses through simulations and security operations.

For more detailed insights, you can access the full Microsoft 2024 Security Report: Microsoft Digital Defense Report 2024

Getting Started with Azure DDoS Protection REST API: A Step-by-Step Guide
Learn how to create, update, and delete Azure DDoS Protection for your internet-facing applications. We'll cover how to create an Azure DDoS Network Protection plan to safeguard entire virtual networks from DDoS attacks, and how to enable DDoS protection for single IP resources, a targeted defense that caters to SMB customers.

Monitoring Azure DDoS Protection Mitigation Triggers
In today’s digital landscape, Distributed Denial of Service (DDoS) attacks pose a significant threat to the availability and performance of online services. Azure DDoS Protection provides robust mechanisms to protect your applications and services against such attacks. In this blog post, we’ll explore how to monitor Azure DDoS Protection metrics for public IPs and demonstrate how to fully utilize the available metrics to monitor your public IPs for DDoS attacks.