%kb_name - %short_descr - Knowledge Portal

Description

A distributed denial of service (DDoS) attack is a malicious attempt to make an online service unavailable to users, usually by temporarily interrupting or suspending the services of its hosting server. DDoS attacks can be targeted at any publicly reachable endpoint through the Internet. Our mission is to provide a managed solution to protect your business from losing money due to the downtime of your production environment.

Ensure that security is a priority throughout the entire lifecycle of an application, from design and implementation to deployment and operations. Applications can have bugs that allow a relatively low volume of requests to use an excessive resources, resulting in a service outage.

This article provides descriptions on:

Prerequisites
Features
Limitations
DDoS Protection on Azure Front Door
How it works
Cost
Scope of support
SLA for Azure DDoS Protection

Prerequisites

Once the Service Request has been made to the Managed Cloud support, the following items must be provided. These can be included in the Service Request form or the engineer completing the setup will request them from the customer and create if needed [1]:

You must have an Application Gateway WAFv2 with an associated public IP address.
DDoS protection cannot be installed on Azure Front Door.

Features

Always-on traffic monitoring: Your application traffic patterns are monitored 24 hours a day, 7 days a week, looking for indicators of DDoS attacks. Azure DDoS Protection instantly and automatically mitigates the attack, once it has been detected.
Adaptive real time tuning: Intelligent traffic profiling learns your application's traffic over time and selects and updates the profile that is the most suitable for your service. The profile adjusts as traffic changes over time.
DDoS Protection analytics, metrics, and alerting: Azure DDoS Protection applies three auto-tuned mitigation policies (TCP SYN, TCP, and UDP) for each public IP of the protected resource, in the virtual network that has DDoS enabled. The policy thresholds are auto-configured via machine learning-based network traffic profiling. DDoS mitigation occurs for an IP address under attack only when the policy threshold is exceeded.
Native platform integration: Natively integrated into Azure. Includes configuration through the Azure portal. Azure DDoS Protection understands your resources and resource configuration.
Multi-Layered protection: When deployed with a web application firewall (WAF), Azure DDoS Protection protects both at the network layer (Layer 3 and 4, offered by Azure DDoS Protection) and at the application layer (Layer 7, offered by a WAF). WAF offerings include Azure Application Gateway WAF SKU and third-party web application firewall offerings.
Extensive mitigation scale: All L3/L4 attack vectors can be mitigated, with global capacity, to protect against the largest known DDoS attacks.
Cost guarantee: Receive data-transfer and application scale-out service credit for resource costs incurred as a result of documented DDoS attacks.

Limitations

Public IP Basic tier protection is not supported.

DDoS Protection on Azure Front Door

Azure Front Door is a Content Delivery Network (CDN) that helps protect your origins from HTTP(S) DDoS attacks by distributing traffic across its 192 edge Points of Presence (POPs) worldwide. These POPs use Azure's large private WAN to deliver your web applications and services faster and more securely to your end users. Azure Front Door includes layer 3, 4, and 7 DDoS protection and a Web Application Firewall (WAF) to safeguard your applications from common exploits and vulnerabilities.

Refer to the official documentation for getting more information about DDoS protection on Azure Front Door.

How does it work?

The following image shows how DDoS Protection works:

Types of DDoS attacks that DDoS Protection can mitigate:

Volumetric attacks: These attacks flood the network layer with a substantial amount of seemingly legitimate traffic. They include UDP floods, amplification floods, and other spoofed packet floods. DDoS Protection mitigates these potential multi-gigabyte attacks by absorbing and scrubbing them, with Azure's global network scale, automatically.
Protocol attacks: These attacks render a target inaccessible, by exploiting a weakness in the layer 3 and layer 4 protocol stack. They include SYN flood attacks, reflection attacks, and other protocol attacks. DDoS Protection mitigates these attacks, differentiating between malicious and legitimate traffic, by interacting with the client, and blocking malicious traffic.
Resource (application) layer attacks: These attacks target web application packets, to disrupt the transmission of data between hosts. They include HTTP protocol violations, SQL injection, cross-site scripting, and other layer 7 attacks. Use a Web Application Firewall, such as the Azure Application Gateway web application firewall, as well as DDoS Protection to provide defense against these attacks.

Azure DDoS IP Protection protects public IP-addresses associated with application gateways. When combined with an Application Gateway web application firewall or a third-party web application firewall deployed in a virtual network with a public IP address, Azure DDoS Protection can provide full mitigation capabilities from Level 3 to Level 7.

Note: WAF policy for Application Gateway must be set up in Protection Mode.

Cost

The cost of your Managed Cloud solution will increase. Contact your account executive for exact calculations for your contract.

Scope of support

DDoS RACI

The charts on the following pages use the coding system outlined below:

R = Responsible: Those who do the work to achieve the task.
A = Accountable: The one ultimately answerable for the correct and thorough completion of the deliverable or task and the one who delegates the work to those responsible.
C = Consulted: Those whose opinions are sought (i.e. subject matter experts) and with whom there is two-way communication.
I = Informed: Those kept up-to-date on progress, often only on completing the task or deliverable.

Activity	Sitecore	Customer/Partner
Request for Azure DDoS IP Protection	C, I	R, A
Initial DDoS IP Protection setup and integration with Sitecore CD role in standard Sitecore topologies.	R, A	C, I
Configure the DDoS IP protection plan	R, A	C, I
Enable DDoS IP protection for a public IP address	R, A	C, I
Configure DDoS diagnostic logs	R, A	C, I
Troubleshooting Sitecore application challenges related to DDoS Protection [3]	C, I	R, A
Assistance with production incidents related to DDoS Protection [3]	C, I	R, A

[1] We have a Service Request - Setup WAF that contains all the resources you need if you do not have them.
[2] In Sitecore Managed Cloud Standard, the customer is responsible for how the Sitecore application functions and adding a DDoS Protection can impact the customer's implementation. It is the customer's responsibility to troubleshoot such challenges. The Sitecore Managed Cloud support is available to assist and might be able to help identify problem areas, but ultimately this lies with customers who have full access to their implementation source code and full context on how their Sitecore CD role operates.
[3] The monitoring and evaluation of potential DDoS Protection security incidents are the responsibility of the customer. Sitecore recommends that the customer engage with security professionals with the understanding of their business and security protocols to interpret such events. The Sitecore Managed Cloud support is available to assist and might, by leveraging our relationship with Microsoft, be in a position to contribute to resolutions. The primary responsibility, however, lies with the customer.
[4] Azure DDoS IP protection does not store customer data.

Sitecore Managed Cloud Standard (MCS) PaaS 1.0 — DDoS IP Protection