Introducing L3-7 DDoS Protection for Microsoft Azure Tenants
DDoS attacks continue to grow in intensity, breadth and complexity as new threat vectors expand the options available to malicious attackers. Established solutions, which rely on ineffective, signature-based intrusion prevention or traffic rate-limiting, are no longer adequate. Moreover, the completely independent trend of enterprise workloads migrating to the cloud is also on the rise, exposing businesses to a wider attack surface. These two trends have amplified the need for advanced DDoS protection solutions to protect cloud workloads.
Cloud providers currently offer DDoS mitigation services directly to their tenants. However, while many tenants benefit from such services, others find they require additional DDoS protection options, particularly when they are targeted directly by complex attacks.
The reason for this is three-fold:
- Cloud provider DDoS mitigations aim to primarily protect their tenants against L3/L4 DDoS attacks, leaving them susceptible to L7 DDoS attacks.
- These L3/L4 countermeasures are generally deployed on a reactive, as-needed basis, which can typically delay the DDoS protection from kicking in by 1 – 2 minutes and are not inline.
- Cloud providers generally offer a one-size-fits-all DDoS mitigation option that applies to every business vertical, therefore lacking application-specific DDoS countermeasures.
As a result, various businesses (e.g., gaming, finance etc.) need additional customized DDoS mitigation solutions that provide more comprehensive and efficient coverage.
Microsoft Azure is closing this gap by providing customers with the option of adding inline DDoS protection through network virtual appliances (NVAs) available in the Azure marketplace. This is made possible by using Azure’s Gateway Load Balancer (LB) feature. The Gateway LB ensures that relevant NVAs are injected into the ingress path of the internet traffic as it heads towards Azure-hosted applications and services.
A10 Networks has collaborated with Microsoft Azure to ensure that its Thunder TPS VA in the Azure marketplace, a DDoS mitigation solution, supports Azure’s new gateway LB so that Azure customers can take advantage of A10’s advanced DDoS protection offerings, complementing Azure DDoS Protection Standard.
A10’s Thunder TPS scales to defend against the DDoS of Things and traditional zombie botnets. This Azure marketplace solution is focused on high-resolution, packet-based DDoS detection via inline deployment in front of your protected Azure Virtual Networks. This deployment also achieves the fastest time-to-mitigation against Layer 3 to 7 attacks with minimal latency.
Using A10’s Thunder TPS VA in your production network provides unique advantages, including:
- Unique L3 – L7 DDoS mitigation capabilitiesWhen combined with Azure DDoS Protection Standard (valuable against volumetric L3 – L4 DDoS attacks), the solution provides comprehensive protection against attacks ranging from L3 to L7.
- Inline or “always on” DDoS mitigation enabled by integration with Azure Gateway LBThe solution provides real-time mitigation against DDoS attacks. Additionally, due to A10’s industry-leading adaptive DDoS mitigation, legitimate users experience zero disruption even while the TPS actively mitigates attacks.
- Extensively customizable DDoS Mitigation policiesThrough A10’s Thunder TPS VA, Azure tenants can take advantage of customized DDoS mitigations that are best suited for their specific workloads. For example, gaming customers can benefit from A10’s unique packet watermarking mitigation (already used by some of the leading names in the gaming industry).
- Access to state-of-the-art DDoS mitigation capabilitiesCustomers can take advantage of other unique features that A10 offers with the Thunder TPS solution, including protection against modern zero-day DDoS attacks (like Mirai and its successors) using A10’s Zero-day Automated Protection (ZAP) artificial intelligence/machine-learning-powered DDoS mitigation algorithms.
Combined with Azure DDoS Protection Standard, A10’s Thunder TPS VA provides comprehensive L3-L7 protection against all DDoS attacks.
“With A10 Networks’ Thunder TPS VA, and its integration with the Azure Gateway LB, even short-burst L3-7 DDoS attacks can be mitigated instantaneously, without impacting the availability or performance of applications, complementing Azure DDoS Protection Standard. Moreover, latency sensitive customers (e.g., gaming, finance etc.) can protect their networks and users against complex attacks and disruptions using A10’s unique and purpose-built DDoS mitigation features like packet watermarking and Zero-day Automated Protection (ZAP).”
Anupam Vij, Principal PM Manager
Microsoft Azure Networking
Capabilities of the A10 Thunder TPS include:
- Comprehensive L3-7 protection against single/multi-vector DDoS attacks
- ZAP, A10’s industry-leading machine learning technology for identifying and mitigating DDoS attacks
- Automatic escalation/de-escalation of mitigation policies for higher operational efficiency
- Protocol-specific countermeasures to distinguish malicious traffic from legitimate traffic
- Surgical, per source/source-destination actions to maximize availability and reduce false negatives/positives even when under attack
- High-performance, customizable filters using industry-standard regular expressions (PCRE) or Berkeley Packet Filters (BPF)
- Granular rate-limiting for connections, connection rates, fragments, packets, bandwidth, and more
- Broad protocol coverage including protections for TCP, UDP, DNS, HTTP, TLS, SIP, and more
We understand that DDoS attacks can be challenging to mitigate. The A10 support team provides 24x7x365 services, which includes the A10 DDoS Security Incident Response Team (DSIRT), to help you understand and mitigate the most advanced DDoS attacks.