How to thwart a Denial of Service Attack

Question

Recently, my website was taken down by a Distributed Denial of Service (DDOS) attack.  I was able to revive my site by moving to Azure.  I've written about what I did here: http://www.gregthatcher.com/Azure/

I'm wondering if anyone else with a website on Azure has had a similar experience, and if they used any other techniques (besides startup commands that configure the firewall, etc.)

In particular, I'd appreciate any advice on how anyone has fought off a more sophisticated attack (my hacker was just using a bunch of hacked machines running ApacheBench to bring my site down.)

Answer 1

My understanding is that Windows Azure handles throttling connections for you, so if they perceive a DoS or DDoS they will throttle traffic at the hardware level before it even hits your VM.

---

Developer Security MVP | www.syfuhs.net

Answer 2

The traffic certainly hit my two small instances.  My pages were slow (they took about 5 seconds to load during the attack), but the site stayed up (unlike DiscountASP.net, my former ISP, where the DDos attack killed my site.)  The hacker was able to pull 1 TB of data from my site in a 24 hour period; fortunately, Azure bandwidth is cheap, so it only cost me about $100.  After I setup the firewall on the instances to block the machines that were running ApacheWeb against my site, my traffic dropped to normal levels.

Perhaps Azure's DoS and DDos throttling is oriented towards more sophisticated attacks?  I have no idea what Azure offers for this, but Azure certainly let me fight off this attack myself. 

On a related note, if someone else needs to move to Azure during one of these DDos attacks, be sure to remove the credit card limit ($0.00) from your 3 month trial subscription.  I made this mistake when the hacker sent through the 1 TB of data, and Azure suspended my account when my trial bandwidth allocation ran out.  Fortunately, an awesome Azure support employee named Robert Dil re-activated my account (on a Saturday of a 3 day weekend - unbelievable!).

Answer 3

I don't think a connection is ever dropped, just throttled, which is why you had to manually block the attackers. You could probably talk to the support team and get them to put a block in at their level, but I'm not sure what kind of turnaround time there'd be.

---

Developer Security MVP | www.syfuhs.net

Answer 4

Hi,

Windows Azure has some basic anti DOS attack features. For example, if we make too many requests to the same storage partition, some of the requests will fail with a server is busy error. But it is up to us to protect our role instances. For example, if we use ASP.NET, configure the settings under httpRuntime to reasonable values. I would like to suggest you to check  http://msdn.microsoft.com/en-us/library/e1f13641.aspx for more information.

Best Regards,

Ming Xu.

---

Please mark the replies as answers if they help or unmark if not.
If you have any feedback about my replies, please contact msdnmg@microsoft.com.
Microsoft One Code Framework

Answer 5

Thanks Ming, that is a great link.

IMHO, these would be the best settings for a more sophisticated DDos attack: enableHeaderChecking, executionTimeout, maxQueryStringLength, maxRequestLength, maxUrlLength

Are there any others anyone would suggest?  Or, does anyone disagree with my list above?

Answer 6

Yes, your list is fine.