Utilizing Azure DDoS Protection Workbook for DDoS attack traffic Analysis

In today's digital age, the security of applications, servers, and networks is paramount. One of the most significant threats to this security is Distributed Denial of Service (DDoS) attacks. These attacks can cripple your infrastructure, leading to downtime, loss of revenue, and damage to your reputation. Therefore, it is crucial to implement robust protection mechanisms to safeguard your digital assets.

Azure DDoS Protection offers a comprehensive solution to defend against these malicious attacks. It provides automatic attack detection and mitigation, ensuring that your applications and services remain available even during an attack. Azure DDoS Protection is seamlessly integrated with Azure's native services, making it an ideal choice for businesses already leveraging the Azure ecosystem. Some of the salient features of Azure DDoS Protection include Adaptive Tuning, Attack Analytics and Metrics, DDoS Rapid Response etc. By leveraging Azure DDoS Protection, businesses can ensure the resilience and availability of their digital infrastructure, providing peace of mind in an increasingly hostile cyber environment.

In this blog we will be focusing on how to understand the current DDoS attacks landscape within our environment using Azure DDoS Workbook.

Investigating DDoS Attacks Landscape with Azure DDoS Workbook

When a DDoS attack occurs, it's crucial to have the right tools to investigate and understand the attack's impact. The Azure DDoS Workbook is an invaluable resource for this purpose. It provides detailed insights into DDoS attack traffic over a given period of time in a single dashboard. For more information on a deep dive investigation of a DDoS Attack, check the detailed steps mentioned here.

Setting up the DDoS Workbook: Outlined below are the necessary steps to set up and effectively utilize the DDoS workbook.

• Configure Diagnostic Logging and Metrics: Ensure that diagnostic settings are enabled for the public IP addresses you want to monitor. This will allow you to collect the required DDoS mitigation flow logs, reports and Metrics as shown below.

• Access the Azure DDoS Workbook: The Azure DDoS Workbook can be deployed from either installing the Sentinel Solution for Azure DDoS Protection or using the deployment template in the Azure Network Security GitHub repository as shown below. It provides a comprehensive view of DDoS attack metrics and logs in a single dashboard.

1. Sentinel Solution: Navigate to the Sentinel Blade’s Content Hub tab and install the Azure DDoS Protection Solution.

2. Net Sec GitHub Repository: Navigate to the Net Sec GitHub Repository and deploy the workbook using Azure Deploy button as shown below:

• Configuring the Azure DDoS Workbook: The Azure DDoS Workbook needs to be provided with the Log Analytic Workspace, TimeRange and Public IP resource details as shown below:

Analyzing the Workbook Details:

• Traffic Overview: This section offers comprehensive details on the total number of packets and the various categories of dropped packets during the DDoS attacks for the timeline defined in the above step.

• Last Ten DDoS Attack Reports: This section provides the details of Attack reports, resources affected, attack vectors and packet information as we can see below.

• Location and Protocol details: This section provides categorized details on the protocols involved in the DDoS attacks, the origins of these attacks, and the protocol violations that occurred during past DDoS incidents.

• Raw DDoS Mitigation and Flow Logs: Furthermore, if we would like to take a look at the Raw DDoS Logs those are also available as part of the workbook so that we do not have to separately look for them in the log analytic workspace. DDoS mitigation flow logs listed here are based on the sampled data.

• DDoS Metrics Tab: The DDoS Metrics Tab provides graphical representation of all the important metrics like Packet count, Syn packets threshold to trigger DDoS mitigation, inbound DDoS TCP/UDP packets and Under DDoS attack or not as shown below. For detailed information on these metrics, check the blog referenced here. Most of the metrics here are based on number of Packets Per Second and Packets/Byte Counts.

• Investigation Tab: The Investigation Tab in the workbook offers specific details on the number of packets that were dropped or allowed during past DDoS attacks, including the ports involved. Additionally, this tab provides information on the top attacking IPs and the timeline of the mitigation activities, as illustrated below.

Conclusion:

Azure DDoS Protection is a powerful service that helps protect your Azure resources from DDoS attacks. By leveraging the Azure DDoS Workbook, you can gain valuable insights into attack traffic and mitigation actions, enabling you to respond effectively and maintain the availability of your applications. Stay vigilant and proactive in defending against DDoS attacks to ensure the resilience of your online services.