In this lab you will learn about DDoS attacks and how to do the following:
Tour the DDoS protection tiers Azure offers
Create a virtual network
Apply a DDoS protection to the virtual network
Step 1 - Logging In
Run this command to log in to the Azure account:
az login -u $username -p $password
After you log in, you should get a block of JSON with details about your sign-in.
You can view the Azure account username with this command:
echo $username
You can view the Azure account password with this command:
echo $password
Step 2 - DDoS Overview
Let's say a bad actor decides they want to take your web service down and chooses distributed denial of service (DDoS) as their attack tool. The motives could be economic, political, or social, but regardless it is unauthorized and illegal in many countries. DDoS is illegal in the United States under the Federal Computer Fraud and Abuse Act, and can lead to up to 10 years in prison and a $500,000 fine. The criminal penalty does not stop malicious hackers, so you have to rely on your own defenses. Thankfully, Microsoft Azure provides these.
Let's briefly discuss how DDoS works. An amateur hacker could overwhelm your website by running requests in a scripted loop. No big deal. You would see this IP address repeatedly hitting your service and just block it.
But what if the hacker has colleagues to help them? Or has taken over many machines and IP addresses to repeatedly send requests? Your service would get so overwhelmed, unable to discern malicious requests from legitimate ones, that it may ultimately shut down. It would also drive up your cloud costs because the services unnecessarily burn energy and data processing.
Microsoft Azure's Basic DDoS protection is enabled by default. It will discern between legitimate requests and malicious requests based on pattern recognition algorithms. You may choose to upgrade to Standard DDoS protection for further monitoring and mitigation, which will provide DDoS protection not just on a regional level, but on the application level. It will also prevent more sophisticated attacks that are layer-specific and provide DDoS monitoring tools. That's what we are going to use here.
First we need a resource group with a name saved to the variable $resource, which was created with this command:
az group create --name $resource --location eastus
Step 3 - Creating DDoS Protection
Let's create the DDoS protection service. We will call the service MyDDoSProtection:
az network ddos-protection create \
  --resource-group $resource \
  --name MyDDoSProtection
Apply DDoS protection at the virtual network level by setting the --ddos-protection argument to true and providing the DDoS protection plan that we just created:
az network vnet create \
  --name myVN \
  --location eastus \
  --resource-group $resource \
  --ddos-protection true \
  --ddos-protection-plan MyDDoSProtection
Just for future reference, if you already have a virtual network, you can apply the DDoS service using the az network vnet update command. This block is not runnable because it is for reference only:
az network vnet update \
  --resource-group $resource \
  --name myVN \
  --ddos-protection true \
  --ddos-protection-plan MyDDoSProtection
Step 4 - Displaying the DDoS Protection
You can see that the DDoS service is now up and running:
az network ddos-protection show \
  --resource-group $resource \
  --name MyDDoSProtection
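Showing the plan confirms it exists, but not that each virtual network is attached to it. The script below is an added example, not part of the original lab: it audits every virtual network in a resource group for the two settings from Step 3. It assumes the enableDdosProtection and ddosProtectionPlan.id fields in the az network vnet list output; the function names and the sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit VNets for the DDoS settings applied in Step 3.
# One tab-separated row per VNet: name, DDoS flag, attached plan id.
# to_string() and the 'none' fallback keep every column non-empty.
DDOS_QUERY="[].[name, to_string(enableDdosProtection), ddosProtectionPlan.id || 'none']"

# Reads rows on stdin, prints a verdict per VNet.
# Returns 1 if any VNet is unprotected, 0 otherwise.
classify_vnet_rows() {
    tab=$(printf '\t')
    rc=0
    while IFS="$tab" read -r name enabled plan; do
        [ -n "$name" ] || continue
        if [ "$enabled" != "true" ]; then
            echo "UNPROTECTED $name ddos-protection is not enabled"
            rc=1
        elif [ "$plan" = "none" ]; then
            echo "UNPROTECTED $name no ddos-protection-plan attached"
            rc=1
        else
            echo "OK $name ${plan##*/}"   # last path segment = plan name
        fi
    done
    return "$rc"
}

# Live check against Azure; returns 2 if the az call itself fails.
audit_vnet_ddos() {
    rows=$(az network vnet list --resource-group "$1" \
        --query "$DDOS_QUERY" --output tsv) || return 2
    printf '%s\n' "$rows" | classify_vnet_rows
}

# Constructed sample rows (not real lab output) so the check runs offline.
sample_rows() {
    sub=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/lab-rg
    printf 'myVN\ttrue\t%s\n' "$sub/providers/Microsoft.Network/ddosProtectionPlans/MyDDoSProtection"
    printf 'legacyVN\tfalse\tnone\n'
    printf 'halfVN\ttrue\tnone\n'
}

sample_rows | classify_vnet_rows || echo "at least one VNet needs attention"
```

In the lab session, run audit_vnet_ddos "$resource" to check the live resource group instead of the sample rows.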
Now we will learn how to perform a DDoS attack to test this…just kidding!