How to thwart a Denial of Service Attack

    Question

  • Recently, my website was taken down by a Distributed Denial of Service (DDoS) attack. I was able to revive my site by moving to Azure. I've written about what I did here: http://www.gregthatcher.com/Azure/

    I'm wondering if anyone else with a website on Azure has had a similar experience, and if they used any other techniques (besides startup commands that configure the firewall, etc.)

    In particular, I'd appreciate any advice on how anyone has fought off a more sophisticated attack (my hacker was just using a bunch of hacked machines running ApacheBench to bring my site down.)

    Wednesday, March 28, 2012 5:50 AM

Answers

  • Hi,

    Windows Azure has some basic anti-DoS attack features. For example, if we make too many requests to the same storage partition, some of the requests will fail with a "server is busy" error. But it is up to us to protect our role instances. For example, if we use ASP.NET, we should configure the settings under httpRuntime to reasonable values. I would suggest you check http://msdn.microsoft.com/en-us/library/e1f13641.aspx for more information.

    Best Regards,

    Ming Xu.


    Please mark the replies as answers if they help or unmark if not.
    If you have any feedback about my replies, please contact msdnmg@microsoft.com.
    Microsoft One Code Framework

    • Marked as answer by gregthatcher Monday, April 02, 2012 5:43 PM
    Thursday, March 29, 2012 4:56 PM
    Moderator

All replies

  • My understanding is that Windows Azure handles throttling connections for you, so if they perceive a DoS or DDoS they will throttle traffic at the hardware level before it even hits your VM.

    Developer Security MVP | www.syfuhs.net

    Wednesday, March 28, 2012 5:54 PM
  • The traffic certainly hit my two small instances. My pages were slow (they took about 5 seconds to load during the attack), but the site stayed up (unlike DiscountASP.net, my former ISP, where the DDoS attack killed my site). The hacker was able to pull 1 TB of data from my site in a 24-hour period; fortunately, Azure bandwidth is cheap, so it only cost me about $100. After I set up the firewall on the instances to block the machines that were running ApacheWeb against my site, my traffic dropped to normal levels.

    Perhaps Azure's DoS and DDoS throttling is oriented towards more sophisticated attacks? I have no idea what Azure offers for this, but Azure certainly let me fight off this attack myself.

    On a related note, if someone else needs to move to Azure during one of these DDoS attacks, be sure to remove the credit card limit ($0.00) from your 3-month trial subscription. I made this mistake when the hacker sent through the 1 TB of data, and Azure suspended my account when my trial bandwidth allocation ran out. Fortunately, an awesome Azure support employee named Robert Dil re-activated my account (on a Saturday of a 3-day weekend - unbelievable!).

    Wednesday, March 28, 2012 7:41 PM
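
The triage step described in the post above (finding which machines to block at the instance firewall), sketched as an added example that is not part of the original thread or the poster's own code. It assumes IIS W3C logs with the field list shown; the sample log, the per-minute threshold and the rule name are constructed for illustration.

```python
from collections import Counter

# Constructed IIS W3C sample (documentation-range IPs). IIS writes spaces in
# user agents as '+'. One row is truncated on purpose to exercise the parser.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status time-taken
2012-03-24 10:00:01 GET /Default.aspx 203.0.113.7 ApacheBench/2.3 200 4810
2012-03-24 10:00:01 GET /Default.aspx 203.0.113.7 ApacheBench/2.3 200 5120
2012-03-24 10:00:02 GET /Default.aspx 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200 5230
2012-03-24 10:00:03 GET /big.zip 198.51.100.20 Mozilla/4.0 200 4990
2012-03-24 10:00:04 GET /big.zip 198.51.100.20 Mozilla/4.0 200 5010
2012-03-24 10:00:05 GET /big.zip 198.51.100.20 Mozilla/4.0 200 5100
2012-03-24 10:00:06 GET /big.zip 198.51.100.20 Mozilla/4.0 200 5075
2012-03-24 10:00:07 GET /big.zip 198.51.100.20 Mozilla/4.0 200
2012-03-24 10:03:40 GET /About.aspx 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200 310
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def block_candidates(text, max_per_minute=3, ua_markers=("apachebench",)):
    """Return {client_ip: reason}. The user agent is client-supplied and easy to
    change, so the per-minute rate check also runs, independent of the UA."""
    per_minute = Counter()
    flagged = {}
    for row in parse_w3c(text):
        ip = row["c-ip"]
        per_minute[(ip, row["date"], row["time"][:5])] += 1  # bucket by HH:MM
        if any(m in row.get("cs(User-Agent)", "").lower() for m in ua_markers):
            flagged[ip] = "user-agent"
    for (ip, _date, _minute), count in per_minute.items():
        if count > max_per_minute:
            flagged.setdefault(ip, "rate")
    return flagged

def netsh_block_rule(ips, name="Block-DoS-sources"):
    """Render one inbound block rule for a role startup task (rule name is hypothetical)."""
    return ('netsh advfirewall firewall add rule name="%s" dir=in '
            'action=block remoteip=%s' % (name, ",".join(sorted(ips))))

if __name__ == "__main__":
    found = block_candidates(SAMPLE_LOG)
    for ip, reason in sorted(found.items()):
        print(ip, reason)
    print(netsh_block_rule(found))
```

Review the rate-flagged addresses before blocking them: a proxy or NAT gateway fronting many legitimate users can exceed a per-minute threshold too.
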
  • I don't think a connection is ever dropped, just throttled, which is why you had to manually block the attackers. You could probably talk to the support team and get them to put a block in at their level, but I'm not sure what kind of turnaround time there'd be.

    Developer Security MVP | www.syfuhs.net

    Wednesday, March 28, 2012 9:31 PM
  • Thanks Ming, that is a great link.

    IMHO, these would be the best settings for a more sophisticated DDoS attack: enableHeaderChecking, executionTimeout, maxQueryStringLength, maxRequestLength, maxUrlLength

    Are there any others anyone would suggest?  Or, does anyone disagree with my list above?

    Thursday, March 29, 2012 5:59 PM
  • Yes, your list is fine.
    Monday, April 02, 2012 10:57 AM