Microsoft Azure DDOS protection

I am running an enterprise-scale application in Microsoft Azure. I wanted to know what the recommendations are for DDOS protection in Microsoft Azure. The documentation clearly states that the platform is protected from DDOS, with not much more detail. My understanding of Azure DDOS is:

  • If another customer is being attacked by a DDOS attack, your application won't suffer
  • If your application is being attacked by a DDOS attack, Microsoft will stop all connections to your endpoint, in effect taking down your service.
  • Based on this understanding, I would prefer if the connection from the particular IP/set of IPs was blocked rather than taking the entire application down.

    Would I be better placed to use a product like Incapsula to protect against DDOS?


    Azure doesn't protect your app against DDOS. Therefore, you should use dynamicIpSecurity; if it's not enough, use CloudFlare.

    In Web.config

     <system.webServer>
      <!-- ... other settings ... -->
       <security>
         <ipSecurity allowUnlisted="true">
            <!-- Add trusted IPs here -->
            <add ipAddress="1.1.1.1" allowed="true" />
         </ipSecurity>
    
         <dynamicIpSecurity denyAction="Forbidden">
           <denyByConcurrentRequests enabled="true" maxConcurrentRequests="20" />
           <denyByRequestRate enabled="true" maxRequests="30" requestIntervalInMilliseconds="1000" />
         </dynamicIpSecurity>
    
       </security>
    
     </system.webServer>
    

    The <denyByRequestRate> element specifies that a remote client will be blocked if the number of requests received over a period of time exceeds a specific number.

    The <denyByConcurrentRequests> element specifies that a remote client will be blocked if the number of concurrent HTTP connection requests from that client exceeds a specific number.

    So in this example, if a client (IP) makes 20 concurrent requests or 30 requests in a second, the other requests which this client (IP) makes will get 403.
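
One way to check which clients the configuration above is actually denying, as an added example that is not part of the original answer: it counts, per client IP, the 403 responses that IIS logs with sub-status 501 (concurrent-request limit) or 502 (request-rate limit) for Dynamic IP Restrictions. The log lines are constructed sample data and the function names are hypothetical.

```python
from collections import Counter, defaultdict

# IIS sub-status codes logged with a 403 when Dynamic IP Restrictions denies a request.
DIPR_SUBSTATUS = {"501": "concurrent", "502": "rate"}

# Constructed sample W3C log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus time-taken
2024-01-01 10:00:00 GET /api/items 203.0.113.7 200 0 15
2024-01-01 10:00:00 GET /api/items 203.0.113.7 403 502 0
2024-01-01 10:00:00 GET /api/items 203.0.113.7 403 502 0
2024-01-01 10:00:01 GET /report 198.51.100.9 403 501 0
2024-01-01 10:00:01 GET /admin 198.51.100.20 403 0 1
2024-01-01 10:00:02 GET / 192.0.2.5 200 0 8
"""

def dipr_denials(lines):
    """Return {client_ip: {'rate': n, 'concurrent': m}} for DIPR 403 responses."""
    fields = []
    hits = defaultdict(Counter)
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # skip truncated or malformed rows
        row = dict(zip(fields, parts))
        rule = DIPR_SUBSTATUS.get(row.get("sc-substatus", ""))
        if row.get("sc-status") == "403" and rule:
            hits[row.get("c-ip", "?")][rule] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}

def noisy_clients(denials, threshold):
    """Client IPs whose total DIPR denials reach the threshold, worst first."""
    totals = {ip: sum(c.values()) for ip, c in denials.items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: -totals[ip])

if __name__ == "__main__":
    result = dipr_denials(SAMPLE_LOG.splitlines())
    for ip, counts in result.items():
        print(ip, counts)
    print("review:", noisy_clients(result, threshold=2))
```

If the site sits behind a proxy such as CloudFlare, the `c-ip` column holds the proxy's address rather than the original client's, so the counts then group by proxy.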


    You will have to configure the DDOS protection for your application. This MSDN link provides detailed guidelines on how this can be achieved.

    https://blogs.msdn.microsoft.com/friis/2014/12/30/security-guidelines-to-detect-and-prevent-dos-attacks-targeting-iisazure-web-role-paas/


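    I know that when we moved some services to AWS, we worked with VeriSign; they have an open hybrid DDoS platform that worked well with what we had placed there. I know we worked with Doug there, and he knows a great deal about how to get everything up and running.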
