Denial of Service and Windows Azure

A question I regularly get asked is whether there is any support in Azure for preventing Denial of Service (DOS) attacks or at least reducing the impact of the DOS attack. In a white paper written by Microsoft called “Security Best Practices For Developing Windows Azure Applications“ in June 2010 the following statement was made:

“Windows Azure’s load balancing will partially mitigate Denial of Service attacks from the Internet and internal networks. This mitigation is done in conjunction with the developer defining an appropriate Service Definition VM instance count scale-out. On the Internet, Windows Azure VMs are only accessible through public Virtual IP Addresses (VIPs). VIP traffic is routed through Windows Azure’s load-balancing infrastructure. Windows Azure monitors and detects internally initiated Denial of Service attacks and removes offending VMs/accounts from the network. As a further protection, the root host OS that controls guest VMs in the cloud is not directly addressable internally by other tenants on the Windows Azure network and the root host OS is not externally addressable.”

The following table shows the types of protection that are available (or planned)

Threat

Layer where mitigation is implemented

Nature of mitigation provided

(if specific to Windows Azure)

Application/Service-layer mitigation required

Is this issue higher risk or more complex in cloud deployments?

Denial of Service

       

Denial of Service attacks via network bandwidth saturation (packet flooding)

Platform

Load balancing & throttling in network infrastructure

None Required

No

Identification of botnets and malicious network traffic

Infrastructure

Windows Azure Live Services monitors and investigates

None Required

Yes

Deep packet inspection for network attacks with known signatures

Platform (Not yet implemented)

 

None Required

Yes

Flooding of Web Role local storage or blob/table storage

Platform

Quotas, ACLs, Reduced privilege execution and flood monitoring protection

None Required

Yes

Request flooding at the customer code/app level

Web Role (Needs coding)

 

Implement application-level request throttling if necessary

No

My understanding is that there is support within Azure to stop someone from launching DOS attacks within Azure itself. It is difficult to stop a DOS attack on your site but there are things that can be done to minimise their impact. Bandwidth throttling and Load balancing are built in to the platform, but the developer has to code around issues at an application level for example implementing a back off policy when trying to access resources that are affected by DOS.

15 Replies to “Denial of Service and Windows Azure”

  1. Awesome website you have here but I was curious about if you knew of any community forums that cover the same topics discussed in this article? I'd really like to be a part of online community where I can get suggestions from other knowledgeable individuals that share the same interest. If you have any suggestions, please let me know. Thanks! My web page natural cure yeast infection home remedy – http://www.bcnnakhon.ac.th/home/modules.php?name=Your_Account&op=userinfo&username=ARSCrysta

  2. May I simply say what a comfort to find someone who genuinely knows what they are talking about on the web. You certainly understand how to bring an issue to light and make it important. More and more people should look at this and understand this side of your story. I was surprised you're not more popular given that you definitely possess the gift. My blog post Exchange perfectmoney – https://exchangesimple.com/frequently-asked-questions

Leave a Reply

Your email address will not be published. Required fields are marked *