
Based on my testing, the Azure Network Security Group (NSG) stateful firewall blocks all (UDP and TCP) reflection DDoS Attacks? I did my test by programmatically just creating an NSG incoming tcp port 80,443 allow rule. Is that all I need to do? (I think the answer is yes).

BTW, here is an example of a reflection DDoS Attack. Client 1, part of a botnet, spoofs its source IP address to be that of the victim. Client 1 then sends to an innocent 3rd party, which is for example running a UDP port 53 DNS server, this crafted malicious packet. The 3rd party server replies, but the reply goes to the victim server (since the source IP address was spoofed).

Todd Booth
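To make the question concrete, here is a small simulation of a stateful inbound filter with exactly the rule set described (inbound TCP 80 and 443 allowed, everything else inbound denied unless it answers a flow the VM opened). It is an added example, not Azure code; the IP addresses, ports and the simplified flow table are constructed assumptions.

```python
"""Toy model of a stateful inbound filter such as an Azure NSG (added example,
not Azure's implementation). Rule set from the question: inbound TCP 80/443
allowed; all other inbound traffic denied unless it is a reply to a flow the
VM itself initiated."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool   # True = arriving from the internet at the VM


VM_IP = "10.0.0.4"                              # constructed private address
ALLOW_INBOUND = {("tcp", 80), ("tcp", 443)}     # the two allow rules


class StatefulFilter:
    def __init__(self):
        self.flows = set()   # 5-tuples of flows the VM opened itself

    def process(self, pkt):
        """Return 'allow' or 'deny' for one packet."""
        if not pkt.inbound:
            # Outbound traffic: record the flow so its reply is admitted.
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port,
                            pkt.dst_ip, pkt.dst_port))
            return "allow"
        # A genuine reply mirrors a recorded outbound 5-tuple.
        mirrored = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if mirrored in self.flows:
            return "allow"
        if (pkt.proto, pkt.dst_port) in ALLOW_INBOUND:
            return "allow"
        return "deny"   # default DenyAllInbound


def run_scenario():
    """Constructed packets: a web request, a reflected DNS reply from a server
    the VM never queried, and a DNS reply to a query the VM did send."""
    f = StatefulFilter()
    results = {}
    results["web"] = f.process(Packet("tcp", "198.51.100.7", 51000, VM_IP, 443, True))
    results["reflected_dns"] = f.process(Packet("udp", "203.0.113.53", 53, VM_IP, 33001, True))
    f.process(Packet("udp", VM_IP, 40000, "203.0.113.10", 53, False))
    results["own_dns_reply"] = f.process(Packet("udp", "203.0.113.10", 53, VM_IP, 40000, True))
    return results
```

The model shows only per-packet filtering: the reflected reply is dropped because no outbound flow matches it, but it has still traversed the link before being dropped, which is why the answer below points at the DDoS protection tier rather than the rule set.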

1 Answer


You don't even need Azure Firewall to block reflection attacks, provided you have the Standard level of DDoS protection enabled on the VNet your resources are connected to, in your example the DNS server.

https://learn.microsoft.com/en-us/azure/virtual-network/ddos-protection-overview

Architect Jamie
  • You mentioned "Azure Firewall". Azure has both an "Azure Firewall" and Azure Network Security Groups (NSG). I realize by "Firewall" you were referring to NSG. You are correct that the Azure Standard DDoS defense will stop all DDoS reflection attacks, but that costs about $3,000 USD/month. My question is to try and programmatically prevent 100% of all DDoS reflection attacks with just the NSG filter rules. – Todd Booth Oct 23 '19 at 20:57