DDoS Protection


In this lab you will learn about DDoS attacks and how to do the following:

  • Tour the DDoS protection tiers Azure offers

  • Create a virtual network

  • Apply DDoS protection to the virtual network

    Step 1 - Logging In

    Run this command to log in to the Azure account:

    az login -u "$username" -p "$password"

    After you log in, you should get a block of JSON with details about your sign-in.

    You can view the Azure account username with this command:

    echo $username

    You can view the Azure account password with this command:

    echo $password

    Step 2 - DDoS Overview

    Let's say a bad actor decides they want to take your web service down and chooses distributed denial of service (DDoS) as their best attack tool. The motives could be economic, political, or social, but regardless it is unauthorized and illegal in many countries. DDoS is illegal in the United States under the Federal Computer Fraud and Abuse Act, and can lead to up to 10 years in prison and a $500,000 fine. The criminal penalty does not stop malicious hackers, so you have to rely on your own defenses. Thankfully Microsoft Azure provides these.

    Let's briefly discuss how DDoS works. An amateur hacker could overwhelm your website by running requests in a scripted loop. No big deal. You would see this IP address repeatedly hitting your service and just block it.

    But what if the hacker has colleagues to help them? Or has taken over many machines and IP addresses to repeatedly send requests? Your service would get so overwhelmed, unable to tell malicious requests from legitimate ones, that it may ultimately shut down. It would also drive up your cloud costs because the services unnecessarily burn energy and data processing.

    Microsoft Azure's Basic DDoS protection is enabled by default. It will discern between legitimate requests and malicious requests based on pattern recognition algorithms. You may choose to upgrade to Standard DDoS protection for further monitoring and mitigation, which will provide DDoS protection not just on a regional level, but on the application level. It will also prevent more sophisticated attacks that are layer-specific and provide DDoS monitoring tools. That's what we are going to use here.

    First we need a resource group with a name saved to the variable $resource, which was created with this command:

      az group create --name $resource --location eastus
    

    Step 3 - Creating DDoS Protection

    Let's create the DDoS protection plan. We will call it MyDDoSProtection:

      az network ddos-protection create \
          --resource-group $resource \
          --name MyDDoSProtection
    

    Apply DDoS protection at the virtual network level by setting the --ddos-protection argument to true and providing the DDoS protection plan that we just created:

      az network vnet create \
          --name myVN \
          --location eastus \
          --resource-group $resource \
          --ddos-protection true \
          --ddos-protection-plan MyDDoSProtection
    

    Just for future reference, if you already have a virtual network, you can apply the DDoS protection plan to it using the az network vnet update command. This block is not runnable because it is for reference only:

      az network vnet update \
          --resource-group $resource \
          --name myVN \
          --ddos-protection true \
          --ddos-protection-plan MyDDoSProtection
    

    Step 4 - Displaying the DDoS Protection

    You can see that the DDoS service is now up and running:

      az network ddos-protection show \
          --resource-group $resource \
          --name MyDDoSProtection
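
Step 4 shows that the plan exists, but not that a given virtual network is actually linked to it. The following added example (not part of the original lab) audits JSON shaped like the output of `az network vnet list -o json`; the sample data, the subscription ID, the resource group name and every network or plan name other than myVN and MyDDoSProtection are constructed.

```python
import json

# Constructed sample shaped like `az network vnet list -o json` output.
# Subscription ID, lab-rg, myOtherVN, legacyVN, stagingVN, OtherPlan are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/lab-rg"
PLANS = SUB + "/providers/Microsoft.Network/ddosProtectionPlans/"
SAMPLE_VNETS = json.dumps([
    {"name": "myVN", "enableDdosProtection": True,
     "ddosProtectionPlan": {"id": PLANS + "MyDDoSProtection"}},
    {"name": "myOtherVN", "enableDdosProtection": False,
     "ddosProtectionPlan": None},
    {"name": "legacyVN", "enableDdosProtection": True,
     "ddosProtectionPlan": {"id": PLANS + "OtherPlan"}},
    {"name": "stagingVN", "enableDdosProtection": True,
     "ddosProtectionPlan": {"id": PLANS.lower() + "myddosprotection"}},
])


def plan_name(vnet):
    """Return the name of the linked plan, or None when no plan is attached."""
    plan = vnet.get("ddosProtectionPlan") or {}
    plan_id = plan.get("id") or ""
    # The plan name is the last path segment of the resource ID.
    return plan_id.rstrip("/").rsplit("/", 1)[-1] or None


def audit_vnets(vnets_json, expected_plan):
    """Map each virtual network name to a finding about its DDoS settings."""
    findings = {}
    for vnet in json.loads(vnets_json):
        enabled = vnet.get("enableDdosProtection") is True
        linked = plan_name(vnet)
        if not enabled and linked is None:
            status = "UNPROTECTED"
        elif not enabled:
            status = "PLAN_LINKED_BUT_DISABLED"
        elif linked is None:
            status = "ENABLED_WITHOUT_PLAN"
        elif linked.lower() != expected_plan.lower():
            # Azure resource names compare case-insensitively.
            status = "WRONG_PLAN:" + linked
        else:
            status = "OK"
        findings[vnet["name"]] = status
    return findings


if __name__ == "__main__":
    for name, status in audit_vnets(SAMPLE_VNETS, "MyDDoSProtection").items():
        print(f"{name:12} {status}")
```

Against a live subscription, pass the real output of `az network vnet list -o json` to `audit_vnets` in place of `SAMPLE_VNETS`.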
    

    Now we will learn how to perform a DDoS attack to test this…just kidding!