Does Windows Azure have anything readily available against denial of service attacks?
N

3

10

We're developing a web service hosted in Windows Azure. We expect that at some moments bad guys will try to DDOS it. I Googled and didn't find anything new and definitive (this one is rather vague) about whether Windows Azure has some features against denial of service attacks.

Do we need any special measures? What does Windows Azure offer to protect against denial of service attacks?

Nf answered 5/9, 2011 at 13:54 Comment(1)
Having discussed with a few people from the Azure team, I confirm they have some DDOS counter-measure, however I doubt Microsoft will disclose much about them (to keep them more effective). Then, if your app is capable of scaling out by throwing more VMs to keep up with traffic surge, then I believe you're making it much more resilient against DDOS. - Sentence
V
2

The Azure load balancer provides some protection, but the details of this are not published.

Vying answered 6/9, 2011 at 11:19 Comment(0)
W
2

I reckon no one service provider could truly have a feature against denial of service attacks, because by saying that it means preventing DoS attacks. The only way is by mitigating DoS attacks, for which you can employ a number of techniques. I know that Windows Azure partially mitigates Denial of Service attacks, and this is due to the nature of the Load Balancer within the Azure environment. One technique that I know may work is to deploy an inexpensive role instance (Extra Small or Small) that acts as a reverse proxy to the actual web application, which is sitting on the actual production role instance (Large or Extra Large instance) in Windows Azure. To implement the reverse proxy role instance, just enable ARR, which is a feature within IIS. You can use startup tasks to enable ARR. This reverse proxy role instance may also have a rule in it that checks for certain metrics, and if that metric has exceeded the preset threshold, it basically just stops accepting or forwarding the traffic onto the actual web app, or if automatic scaling is implemented, it just stops scaling beyond a maximum # of allowed instances. This minimizes the economic impact from a DoS attack too. Then you just rely on how Windows Azure mitigates any Denial of Service attacks, which is when it detects any attack patterns from one Windows Azure role instance to another role instance. In that it will stop any attacks onto your actual web application.

Whitesell answered 6/9, 2011 at 7:3 Comment(0)
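
The threshold rule described in the answer above, sketched as an added example (not part of the original answer, and not Azure or ARR code): a sliding-window gate that scales out until a hard instance cap is reached and then sheds requests instead of forwarding them. The class, limits and traffic are constructed for illustration, and scale-out is assumed to take effect immediately.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ProxyGate:
    """Threshold rule for a reverse proxy in front of the production role.

    All names and numbers are hypothetical; timestamps are integer milliseconds.
    """
    per_instance_limit: int      # requests per window one backend instance is sized for
    max_instances: int           # spend ceiling: scale-out stops here
    window_ms: int = 1000
    instances: int = 1
    _forwarded: deque = field(default_factory=deque)

    def admit(self, now_ms: int) -> str:
        """Decide what to do with a request arriving at now_ms: 'forward' or 'shed'."""
        # Drop timestamps that have left the sliding window.
        while self._forwarded and now_ms - self._forwarded[0] >= self.window_ms:
            self._forwarded.popleft()
        if len(self._forwarded) >= self.per_instance_limit * self.instances:
            if self.instances >= self.max_instances:
                return "shed"        # cap reached: refuse rather than add cost
            self.instances += 1      # simplification: new instance is usable at once
        self._forwarded.append(now_ms)
        return "forward"


def replay(arrivals_ms, gate):
    """Run constructed arrival times through the gate and tally the decisions."""
    tally = {"forward": 0, "shed": 0}
    for t in arrivals_ms:
        tally[gate.admit(t)] += 1
    return tally


# Constructed traffic: 5 req/s for 3 s, then a 100-request burst inside one second.
NORMAL = [i * 200 for i in range(15)]
BURST = [10_000 + i * 10 for i in range(100)]

if __name__ == "__main__":
    gate = ProxyGate(per_instance_limit=10, max_instances=3)
    print("normal:", replay(NORMAL, gate), "instances:", gate.instances)
    print("burst: ", replay(BURST, gate), "instances:", gate.instances)
```

Shed requests are not added to the window, so the backend never receives more than `per_instance_limit * max_instances` requests per window regardless of how large the burst is.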
T
2

A bit outdated blogpost about this but still relevant: http://blogs.blackmarble.co.uk/blogs/sspencer/post/2011/02/14/denial-of-service-and-windows-azure.aspx

Triclinic answered 21/2, 2013 at 9:15 Comment(0)
