Azure DDoS Protection Standard
Arnaud Lheureux
Cloud Chief Security Officer
One Commercial Partner
Microsoft APAC
Twitter: @arnaudLheureux
Attack frequency: 58% vs. 2017
Attack size: 1.7 Tbps peak; 4X > 50 Gbps
Attack vectors: 56% multi-vector
• Continued growth in frequency, size, sophistication, and impact
• Often utilized as ‘cyber smoke screen’ to mask infiltration attacks
Attack size milestones: 400 Gbps (NTP amp), 650 Gbps (Mirai), 1.7 Tbps (Memcached), 2+ Tbps (???)
Headline: “Attackers Use UPnP to Sidestep DDoS Defenses” (May 2018)
Attack downtime: 35% of businesses impacted
Headline: “Major cyber attack disrupts internet service across Europe & US using Mirai botnet” (Oct 2016)
Feb 2018
DDoS attack types
• Volumetric attacks (example attacks)
• Protocol attacks (example attacks)
• Resource attacks (example attacks)
Defense in Depth for Virtual Networks (diagram of layers between the Internet and Azure deployments: DDoS protection, LB/NAT, NVA/WAF, NSG & UDR, Firewall, VM)
DDoS Shared Responsibility Model
Azure DDoS System Overview
(Diagram: a region with availability zones AZ-1, AZ-2 and AZ-3, each containing datacenters (DC) behind RN nodes and edge sites; DDoS Protection sits at the edge in front of ExpressRoute and Internet peers.)
• Continuous monitoring
• Edge mitigation protects datacenter bandwidth
• Global distribution of attack traffic
• Regional failover
• Global mitigation platform
Azure DDoS Protection Standard Overview
(Diagram: Virtual Network)
Azure DDoS Defense
Designed into the global network:
• Global distribution of attack traffic during large scale attacks
• 25+ Tbps global mitigation capacity
• Continuous monitoring, learning, and protection signature improvements
• Proven defense for Microsoft services
Specifically tuned protection for your app:
• Active traffic monitoring to proactively detect emerging threats and attack vectors
(Diagram labels: Traffic Monitoring, DDoS Protection, Azure Host, SDN, Emerging attack patterns, Virtual Network, Your applications)
• Simple to provision for all your virtual network resources
• Always on monitoring with near real time telemetry and alerting
• Automatic network layer attack
• DDoS Attack Analytics
• Attack data snapshots and full post attack summary
• DDoS Rapid Response
• Azure Security Center integration
Cloud scale DDoS protection for your applications
Choose DDoS Protection Standard when
• You have been a victim of targeted DDoS attacks in the past
• You’re running your business critical applications in Azure
• You need visibility when your resources are under attack
• You want DDoS policies tuned to the traffic pattern of your application
• You have to prove DDoS mitigation compliance assurance
Azure Marketplace WAF
Azure Security Center
Best Practices & Reference Architecture
http://aka.ms/ddosbest
Design for scalability: Ensure that your VM architecture includes more than one VM and that each VM is included in an availability set. Recommend using Virtual Machine Scale Sets for autoscaling capabilities …….
Defense in depth: Deploy Azure services in a virtual network. Using service endpoints will switch service traffic to use virtual network private addresses …….
Design for security: Focus on the 5 pillars of software quality. Security and privacy are built right into the Azure platform, beginning with the Security Development Lifecycle (SDL)………
Attack Mitigations
Attack defense originates in the region where the application is hosted, but we utilize global capacity depending on attack size.
Users (and attackers) connect to your applications via the closest Azure edge location.
Attack type: description
Ping Flood: A server receiving a large number of spoofed ping packets from a very large set of source IPs is being targeted by a Ping Flood attack. The goal of such an attack is to flood the target with ping packets until it goes offline.
IP Null Attack: A TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host; such packets can bypass security measures.
CharGEN Flood: A CharGEN amplification attack is carried out by sending small packets carrying a spoofed IP of the target to internet-enabled devices running CharGEN. These spoofed requests to such devices are then used to send UDP floods as responses from these devices to the target.
SNMP Amplification: An SNMP amplification attack is carried out by sending small packets carrying a spoofed IP of the target to internet-enabled devices running SNMP. These spoofed requests to such devices are then used to send UDP floods as responses from these devices to the target. However, the amplification effect in SNMP can be greater when compared with CharGEN and DNS attacks.
NTP Reflection: An NTP amplification attack is carried out by sending small packets carrying a spoofed IP of the target to internet-enabled devices running NTP. These spoofed requests to such devices are then used to send UDP floods as responses from these devices to the target.
DNS Reflection: The attacker spoofs look-up requests to domain name system (DNS) servers to hide the source of the exploit and direct the response to the target.
DNS Water Torture: A randomized 12-character alphanumeric subdomain is prepended to the target domain, and the attacking bots send their queries to their locally configured DNS servers, which are typically DNS servers at local ISPs.
SSDP Amplification: SSDP-enabled network devices that are also accessible to UPnP from the internet are an easy source for generating SSDP amplification floods. The SSDP amplification attack is also carried out by sending small packets carrying a spoofed IP of the target to such devices. These spoofed requests are used to send UDP floods as responses from these devices to the target.
QUIC Flood: Uses UDP-80 to generate a reflection attack.
SYN Flood: This attack exploits the design of the three-way TCP communication process between a client, host, and a server. In this process, a client initiates a new session by generating a SYN packet. The host assigns and checks these sessions until they are closed by the client. To carry out a SYN Flood attack, an attacker sends a lot of SYN packets to the target server from spoofed IP addresses.
SYN-ACK Flood: A SYN-ACK packet is generated by the listening host to acknowledge an incoming SYN packet. A large amount of spoofed SYN-ACK packets is sent to a target server in a SYN-ACK Flood attack.
ACK and PUSH ACK Flood: During an active TCP-SYN session, ACK or PUSH ACK packets carry information to and from the host and client machines for as long as the session lasts. During an ACK & PUSH ACK flood attack, a large amount of spoofed ACK packets is sent to the target server to overwhelm it. Since these packets are not linked with any session on the server’s connection list, the server spends more resources on processing these requests.
ACK Flood: This attack exploits the design of the three-way TCP communication process between a client, host, and a server. In this process, a client sends ACK packets to appear to be part of an existing session.
ACK Fragmentation: Fragmented ACK packets are used in this bandwidth-consuming version of the ACK & PUSH ACK Flood attack. To execute this attack, fragmented packets of 1500 bytes are sent to the target server.
RST/FIN Flood: After a successful three- or four-way TCP-SYN session, RST or FIN packets are exchanged by servers to close the TCP-SYN session between a host and a client machine. In an RST or FIN Flood attack, a target server receives a large number of spoofed RST or FIN packets that do not belong to any session on the target server.
Synonymous: TCP-SYN packets carrying the target server’s Source IP and Destination IP are sent to the target server.
STOMP (Session Flood Attack): Disguises itself as a valid TCP session by carrying a SYN, multiple ACKs and one or more RST or FIN packets.
UDP Flood: In this type of DDoS attack, a server is flooded with UDP packets. Unlike TCP, there isn’t an end-to-end process of communication between client and host. This makes it harder for defensive mechanisms to identify a UDP Flood attack. Random source IP/port.
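As an added defender-side example that is not part of this deck or of Azure DDoS Protection, the Python below classifies constructed inbound packet summaries into the attack types from the table above: it uses the TCP flag combinations the table describes, a port-to-service mapping for the reflection sources the table names (an assumption of this example, using the well-known UDP ports), and a simple per-type volume threshold. The `Pkt` record, `classify_packet`, `summarize` and the sample traffic are all constructed for this illustration.

```python
"""Triage constructed packet summaries into the DDoS attack types named in the
slide's Attack Mitigations table. Added example; not code from the deck."""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of the reflection/amplification services the table names.
# CharGEN 19, SNMP 161, NTP 123, DNS 53 and SSDP 1900 are the well-known
# assignments; UDP 80 is included because the table lists "QUIC Flood" on UDP-80.
# (Mapping assumed for this example.)
REFLECTOR_PORTS = {
    19: "CharGEN Flood",
    161: "SNMP Amplification",
    123: "NTP Reflection",
    53: "DNS Reflection",
    1900: "SSDP Amplification",
    80: "QUIC Flood",
}

TCP_CONTROL = frozenset({"SYN", "FIN", "ACK", "RST"})

# Types worth reporting even as a single packet (per the table, a null-flag
# packet or a packet carrying the target's own address is anomalous on its own).
ALWAYS_REPORT = {"IP Null Attack", "Synonymous"}


@dataclass(frozen=True)
class Pkt:
    """One inbound packet summary as a flow collector might export it (constructed)."""
    src: str
    sport: int
    proto: str                      # "TCP", "UDP" or "ICMP"
    flags: frozenset = frozenset()  # TCP control flags set, e.g. {"SYN"}
    fragmented: bool = False


def classify_packet(p, target, sessions):
    """Map one packet to a table entry, or None for traffic on a known session.

    target   -- the protected server's own IP (the Synonymous case)
    sessions -- set of (src, sport) tuples whose three-way handshake completed
    """
    if p.proto == "ICMP":
        return "Ping Flood"
    if p.proto == "UDP":
        # Reflected responses arrive with the abused service's port as source port.
        return REFLECTOR_PORTS.get(p.sport, "UDP Flood")
    if p.src == target:
        return "Synonymous"
    flags = p.flags & TCP_CONTROL
    if not flags:
        return "IP Null Attack"
    if flags == {"SYN"}:
        return "SYN Flood"
    if flags == {"SYN", "ACK"}:
        return "SYN-ACK Flood"
    if (p.src, p.sport) in sessions:
        return None  # ACK/FIN/RST tied to a real connection: normal traffic
    if flags & {"RST", "FIN"}:
        return "RST/FIN Flood"
    if p.fragmented:
        return "ACK Fragmentation"
    return "ACK and PUSH ACK Flood"


def summarize(packets, target, sessions, min_packets=20):
    """Aggregate per-packet signals into suspected attacks.

    Returns {attack_type: {"packets": n, "sources": distinct_src_count}} for
    every type reaching min_packets (or in ALWAYS_REPORT). A high distinct
    source count is the spoofing signature the table's SYN/UDP entries describe.
    """
    counts = defaultdict(int)
    sources = defaultdict(set)
    for p in packets:
        label = classify_packet(p, target, sessions)
        if label is None:
            continue
        counts[label] += 1
        sources[label].add(p.src)
    return {
        label: {"packets": n, "sources": len(sources[label])}
        for label, n in counts.items()
        if n >= min_packets or label in ALWAYS_REPORT
    }


def constructed_sample():
    """Constructed traffic: one legitimate session, a spoofed-source SYN flood,
    an NTP reflection burst from a single reflector, and one null-flag packet."""
    target = "203.0.113.10"
    sessions = {("198.51.100.7", 40001)}
    pkts = [Pkt("198.51.100.7", 40001, "TCP", frozenset({"ACK"}))] * 5
    pkts += [Pkt(f"192.0.2.{i}", 1000 + i, "TCP", frozenset({"SYN"})) for i in range(1, 41)]
    pkts += [Pkt("192.0.2.99", 123, "UDP")] * 30
    pkts.append(Pkt("192.0.2.50", 2222, "TCP", frozenset()))
    return summarize(pkts, target, sessions)


if __name__ == "__main__":
    for attack, stats in constructed_sample().items():
        print(f"{attack}: {stats['packets']} packets from {stats['sources']} source(s)")
```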
DDoS Protection Planning
Planning and preparing for a DDoS attack is crucial in understanding the availability and response of an application during an actual attack.
We’ve partnered with BreakingPoint Cloud to offer tooling for Azure customers to generate traffic load against DDoS Standard enabled public endpoints via a safe environment.
• Various test profiles available
• Validate how Microsoft Azure DDoS Protection protects your Azure resources
• Optimize your incident response process
• Document DDoS compliance
• Train your network security teams
Deploying Azure DDoS Protection Standard
Demo
Next steps
Learn more about Azure DDoS Protection
http://aka.ms/ddosprotectiondocs
http://aka.ms/ddosbest
http://aka.ms/ddosanalyticsblog
http://aka.ms/ddosblog
Connect with DDoS Protection specialists
MSDN forums
Stack Overflow
UserVoice
Thanks for your attention!
Arnaud Lheureux, CISSP
https://aka.ms/arnaud
Twitter : @arnaudLheureux
https://customers.microsoft.com
© 2019 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date
of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.