This article describes the actions that can be taken to mitigate a DDoS attack for Sitecore Managed Cloud Customers.
During a DDoS attack you might observe the following signs:
As a result, you will receive slow response alerts or availability test failure alerts as the application becomes overloaded and responds slowly.
Depending on the deployment infrastructure, the most common scenarios are the following:
Mitigation steps might differ depending on the deployed infrastructure; however, there is a common flow:
Note: Vertically or horizontally scaling web apps or AKS resources that are under attack in most cases does not help bring the website back online, because the network layer is throttled.
Possible scenarios are described next in detail.
How to identify attack:
Mitigation steps:
As a Managed Cloud customer running the website on a web app (without Application Gateway or Front Door), there is no efficient way to protect from a DDoS attack. As a short-term solution, you may temporarily restrict web app access via networking rules:
You can find more information about web app network restriction rules here.
As a long-term solution consider purchasing App Gateway WAF, Front Door or DDoS protection. More details below.
How to identify attack:
Review Sum of Total Requests in the Overview section of Application gateway resource.
Review the Application Gateway logs for suspicious IPs in Monitoring -> Logs using the query below:
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess"
| summarize AggregatedValue = count() by clientIP_s
| top 10 by AggregatedValue
Review the results for any suspicious IP addresses that generate most of the requests. Note that a smart DDoS attack might use a huge range of IPs, in which case it might not be possible to block it by IP.
Review suspicious regions in WAF Total Requests split by Country/Region in Application Gateway Monitoring -> Metrics:
Often a DDoS attack focuses on a few pages only, and you can review the top visited pages in Monitoring -> Logs using the query below:
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess"
| summarize AggregatedValue = count() by requestUri_s
| top 50 by AggregatedValue
Quite often an attacker will use a common agent, browser, or device during their attack; for example, this query returns requests grouped by user agent:
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess"
| summarize AggregatedValue = count() by userAgent_s
| sort by AggregatedValue desc
More about Azure Application Gateway can be found here.
Mitigation steps:
As a short-term solution, based on the investigation results, you can temporarily block traffic in Application Gateway via WAF policy rules. Navigate to Application Gateway -> Settings -> Web application firewall menu and select the existing policy or create a new one (how to create a WAF policy is described here).
In a policy, you can create a custom rule that can block or allow the traffic based on IP, region, visited page, agent, or any other property.
More about WAF custom rules can be found here.
You can also create a rate limiting policy that will block abnormally high levels of traffic. More details can be found here.
Note that Application Gateway might require additional instances in order to process the increased amount of traffic. How to scale instances is described here.
Once the DDoS attack is over, do not forget to revert the applied blocking rules and scaled instances.
As a long-term solution, consider purchasing DDoS protection.
If you have any questions, contact Sitecore support.
How to identify attack:
Similar to Application Gateway, to identify a potential DDoS attack in Front Door, navigate to Monitoring -> Requests Count:
You can also split traffic by country:
To view Front Door logs make sure you have diagnostics settings configured (more details here):
Similar to Application Gateway, in Front Door logs you can extract information about incoming requests:
Client IPs:
AzureDiagnostics
| where Category == "FrontDoorAccessLog"
| summarize AggregatedValue = count() by clientIp_s
| sort by AggregatedValue desc
Visited URLs:
AzureDiagnostics
| where Category == "FrontDoorAccessLog"
| summarize AggregatedValue = count() by requestUri_s
| sort by AggregatedValue desc
User agents:
AzureDiagnostics
| where Category == "FrontDoorAccessLog"
| summarize AggregatedValue = count() by userAgent_s
| sort by AggregatedValue desc
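The three Front Door queries above, like the three Application Gateway queries earlier on this page, are the same aggregation (count by client IP, by request URI, by user agent) over different field names. As an added example, not part of the original article or of any Azure tooling, the following Python runs that aggregation over a constructed set of access-log records and adds the one check the article's note about "a huge range of IPs" calls for: how concentrated the traffic is per key, which tells you whether blocking by IP is workable or whether URI or user agent is the better blocking key. The record shape, the sample data and the 20% threshold are assumptions of this example.

```python
from collections import Counter


def build_sample_log():
    """Constructed access-log records shaped like the fields the KQL queries
    summarize (clientIP, requestUri, userAgent). Not real traffic."""
    browser = "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
    # Baseline: 20 browser requests from distinct addresses to five pages.
    log = [{"clientIP": f"198.51.100.{i + 1}", "requestUri": f"/page{i % 5}",
            "userAgent": browser} for i in range(20)]
    # Flood: 300 requests to one page, spread over 50 source addresses
    # (a 203.0.113.0/24 documentation range), all from one scripted agent.
    log += [{"clientIP": f"203.0.113.{i % 50 + 1}", "requestUri": "/search?q=x",
             "userAgent": "python-requests/2.31"} for i in range(300)]
    return log


def top_by(records, field, n=10):
    """Equivalent of `summarize AggregatedValue = count() by <field> | top n`."""
    return Counter(r[field] for r in records).most_common(n)


def concentration(records, field):
    """Share of all requests carried by the single most frequent value of field."""
    top = top_by(records, field, 1)
    return top[0][1] / len(records) if top else 0.0


def triage(records, ip_share_threshold=0.2):
    """Summarize the log the way the three queries do and flag whether the top
    source IP carries enough traffic for an IP block to matter. The threshold
    is an assumption for this example, not an Azure setting."""
    return {
        "top_ips": top_by(records, "clientIP"),
        "top_uris": top_by(records, "requestUri", 50),
        "top_agents": top_by(records, "userAgent"),
        "ip_share": concentration(records, "clientIP"),
        "uri_share": concentration(records, "requestUri"),
        "agent_share": concentration(records, "userAgent"),
        "ip_blocking_effective": concentration(records, "clientIP") >= ip_share_threshold,
    }


if __name__ == "__main__":
    result = triage(build_sample_log())
    for key in ("ip_share", "uri_share", "agent_share", "ip_blocking_effective"):
        print(f"{key}: {result[key]}")
```

On the constructed data the busiest IP carries under 2% of requests while one URI and one user agent each carry over 90%, so a rule keyed on the request URI or the user agent is the workable short-term block, not an IP list.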
Mitigation steps:
Azure Front Door benefits from the default Azure infrastructure DDoS protection. In addition, it’s a Content Delivery Network that distributes the traffic across its 192 edge POPs worldwide. More details here.
However, the default protection might not be enough, so you can create firewall rules to block the attacker based on investigation results.
To create a rule, select the existing or create a new WAF policy. See details here.
You can also configure a rate limit policy to block abnormally high traffic. See details here.
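Both the Application Gateway and the Front Door mitigation sections describe the same two controls: custom rules that block on a request property (IP, region, page, agent) and a rate limit that blocks abnormally high traffic. As an added example, not code from the article or from Azure, the following Python models how such a rule set behaves over a constructed request stream: rules are evaluated in priority order, the first match decides, and the rate-limit rule keeps a sliding per-client window so that a client that stops flooding is allowed again once the window expires. The rule shape, the one-minute window, the thresholds and the traffic are assumptions of this example and do not mirror Azure's actual rule schema.

```python
import ipaddress
from collections import defaultdict, deque

# Rate-limit window length in seconds (assumption for this example: one minute).
WINDOW_SECONDS = 60


def make_rules():
    """Constructed rule set in a simplified custom-rule shape: name, priority,
    action and one match condition. Lower priority number is evaluated first."""
    return [
        {"name": "BlockAttackerRange", "priority": 10, "action": "Block",
         "type": "IPMatch", "values": ["203.0.113.0/24"]},
        {"name": "BlockScriptedAgents", "priority": 20, "action": "Block",
         "type": "Contains", "variable": "userAgent", "values": ["python-requests"]},
        {"name": "RateLimitSearch", "priority": 30, "action": "Block",
         "type": "RateLimit", "variable": "requestUri", "values": ["/search"],
         "threshold": 5},  # more than 5 matching requests per client per window
    ]


def _matches(rule, req, state):
    kind = rule["type"]
    if kind == "IPMatch":
        addr = ipaddress.ip_address(req["clientIP"])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in rule["values"])
    if kind == "Contains":
        return any(v in req[rule["variable"]] for v in rule["values"])
    if kind == "RateLimit":
        if not any(v in req[rule["variable"]] for v in rule["values"]):
            return False
        # Sliding window of timestamps per (rule, client); blocked requests
        # still count, so a flooding client stays blocked until it backs off.
        window = state[(rule["name"], req["clientIP"])]
        while window and window[0] <= req["ts"] - WINDOW_SECONDS:
            window.popleft()
        window.append(req["ts"])
        return len(window) > rule["threshold"]
    raise ValueError(f"unknown rule type {kind}")


def evaluate(req, rules, state):
    """Return (action, rule_name) for the first matching rule, else ("Allow", None)."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _matches(rule, req, state):
            return rule["action"], rule["name"]
    return "Allow", None


def run(requests, rules):
    """Evaluate a time-ordered request stream and return one decision per request."""
    state = defaultdict(deque)
    return [evaluate(req, rules, state) for req in requests]


def build_sample_traffic():
    """Constructed, time-ordered requests (ts in seconds). Not real traffic."""
    browser = "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
    reqs = [{"ts": t, "clientIP": "198.51.100.5", "requestUri": "/home",
             "userAgent": browser} for t in (0, 1, 2)]          # normal, allowed
    reqs += [{"ts": t, "clientIP": "203.0.113.7", "requestUri": "/home",
              "userAgent": browser} for t in (3, 4)]            # blocked by IP range
    reqs.append({"ts": 5, "clientIP": "198.51.100.9", "requestUri": "/home",
                 "userAgent": "python-requests/2.31"})          # blocked by agent
    reqs += [{"ts": 10 + i, "clientIP": "198.51.100.20", "requestUri": "/search?q=x",
              "userAgent": browser} for i in range(8)]          # 5 allowed, then 3 rate-limited
    reqs.append({"ts": 120, "clientIP": "198.51.100.20", "requestUri": "/search?q=x",
                 "userAgent": browser})                         # window expired, allowed
    return reqs


if __name__ == "__main__":
    for req, (action, rule) in zip(build_sample_traffic(), run(build_sample_traffic(), make_rules())):
        print(f"t={req['ts']:>3} {req['clientIP']:<14} {req['requestUri']:<12} {action} {rule or ''}")
```

The same evaluator also illustrates the article's reminder to revert temporary rules afterwards: removing the `BlockAttackerRange` and `BlockScriptedAgents` entries from `make_rules()` returns that traffic to the default Allow path, while the rate limit can reasonably stay in place.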
If the default infrastructure protection doesn’t prevent a DDoS attack, consider purchasing DDoS protection. Note that DDoS protection cannot be deployed on Azure Front Door. You must have a configured virtual network with a public IP address.
If you have any questions contact Sitecore support.
Azure DDoS protection service is the best solution for protecting against a DDoS attack.
If you have any questions feel free to reach out to Sitecore support.