Azure VM DDOS attack via RDP

Tags: azure, azure-networking, ddos, denial-of-service

Yesterday my VM on Azure was under a DoS attack.
The symptom was that I wasn't able to connect via RDP unless the server had been freshly rebooted, and then only for a short time after the reboot.
Once I successfully connected, with netstat I noticed that there were something like 50 RDP connection attempts from an IP address in Taiwan (the people using the server are from Italy).
So I blocked that specific IP address in the Azure portal (inbound security rules) and my server was back on track.

My question is: Azure includes a DDoS attack prevention system by default, doesn't it?
Are there any extra elements I can configure in Azure to prevent these problems? Because at the moment I have only blocked one IP address (the one of yesterday's attacker).

Thank you very much,
Fabio

Best Answer

The Microsoft Azure Network Security Whitepaper tells most of what you need to know about securing your Azure VM. Chapter 2.2, Security Management and Threat Defense, has a section Protecting against DDoS (page 11). While Microsoft provides a DDoS defense system, there are threats that automation can't handle:

Application-layer attacks. These attacks can be launched against a customer VM. Azure does not provide mitigation or actively block network traffic affecting individual customer deployments, because the infrastructure does not interpret the expected behavior of customer applications. In this case, similar to on-premises deployments, mitigations include:

  • Running multiple VM instances behind a load-balanced Public IP address.
  • Using firewall proxy devices such as Web Application Firewalls (WAFs) that terminate and forward traffic to endpoints running in a VM. This provides some protection against a broad range of DoS and other attacks, such as low-rate, HTTP, and other application-layer threats. Some virtualized solutions, such as Barracuda Networks, are available that perform both intrusion detection and prevention.
  • Web Server add-ons that protect against certain DoS attacks.
  • Network ACLs, which can prevent packets from certain IP addresses from reaching VMs.

If a customer determines that their application is under attack, they should contact Azure Customer Support immediately to receive assistance. Azure Customer Support personnel prioritizes these types of requests.

Probably the attack against your RDP is actually an intense brute-force password attack that looks like a DDoS. The fact that blocking only one IP address was sufficient actually makes this a Denial of Service attack, without the leading Distributed, making this the most likely scenario. While strong passwords and account lockout policies prevent gaining access to the system, they don't work against DDoS. (See Brute force RDP attacks depend on your mistakes.)

The easiest solution would be to disable direct RDP to the server. Unless you are actually providing some SaaS application over RemoteApp or similar, i.e. you only use RDP for management, blocking direct RDP access and using RDP only inside a VPN connection would prevent this kind of attack; the purpose of the attack being intrusion instead of denial of service, your VPN is unlikely to be the next target. Even if it were, it is much easier to detect and block by the Azure DDoS defense system.
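As an added example (not part of the question or the answer above), the following Python script shows the two practical checks the answer implies: first, telling an RDP brute force apart from a volumetric DDoS by counting failed logons (Windows Security event ID 4625, logon type 10 = RemoteInteractive/RDP) per source address; second, modelling how Azure evaluates NSG inbound rules (ascending priority, first match wins, platform default rules at 65000/65001/65500) to show why a single deny rule on top of a wildcard "allow 3389 from anywhere" still leaves RDP exposed, whereas allowing 3389 only from the VPN/VNet range does not. The event records, the addresses (RFC 5737 documentation ranges, not the poster's attacker), the threshold of 20, the VNet space 10.0.0.0/16 and the rule names/priorities are all assumptions made for the example.

```python
"""Added example: RDP brute-force triage plus a small model of Azure NSG
inbound rule evaluation. Not code from the original post."""
from collections import Counter
from ipaddress import ip_address, ip_network

# --- 1. Constructed sample of failed-logon (event ID 4625) records ----------
# Only the fields the triage needs are modelled; addresses are documentation
# ranges (RFC 5737) and do not correspond to the poster's attacker.
def _sample_events():
    ev = [{"src": "203.0.113.45", "user": "administrator", "logon_type": 10}
          for _ in range(50)]                      # one source hammering RDP
    ev += [{"src": "198.51.100.7", "user": "fabio", "logon_type": 10},
           {"src": "198.51.100.7", "user": "fabio", "logon_type": 10}]  # typo'd password
    ev.append({"src": "203.0.113.9", "user": "guest", "logon_type": 3})  # SMB/network, not RDP
    return ev

SAMPLE_4625 = _sample_events()

def failed_rdp_logons_by_source(events):
    """Count 4625 events per source IP, keeping only logon type 10 (RDP)
    so failures from other services do not inflate the numbers."""
    return Counter(e["src"] for e in events if e["logon_type"] == 10)

def brute_force_sources(events, threshold=20):
    """Source IPs with at least `threshold` failed RDP logons (assumed cut-off)."""
    counts = failed_rdp_logons_by_source(events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

# --- 2. Minimal model of NSG inbound rule evaluation -----------------------
VNET_SPACE = "10.0.0.0/16"   # assumed VNet/VPN address space

def rule(name, priority, access, source, dest_port):
    return {"name": name, "priority": priority, "access": access,
            "source": source, "dest_port": dest_port}

# Platform default rules every NSG carries; custom rules must use lower numbers.
DEFAULT_RULES = [
    rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

def _source_matches(source, src_ip):
    """Match '*', 'Internet', the VirtualNetwork tag (modelled as VNET_SPACE)
    or a CIDR prefix. Other service tags never match in this toy model."""
    if source in ("*", "Internet"):
        return True
    if source == "VirtualNetwork":
        source = VNET_SPACE
    elif source == "AzureLoadBalancer":
        return False
    return ip_address(src_ip) in ip_network(source, strict=False)

def evaluate_inbound(rules, src_ip, dest_port):
    """Return 'Allow' or 'Deny' for a packet from src_ip to dest_port:
    rules are walked in ascending priority and the first match decides."""
    for r in sorted(rules + DEFAULT_RULES, key=lambda r: r["priority"]):
        port_ok = r["dest_port"] == "*" or int(r["dest_port"]) == dest_port
        if port_ok and _source_matches(r["source"], src_ip):
            return r["access"]
    return "Deny"

def deny_rule_for(src_ip, priority):
    """Deny rule for one attacker, like the one added in the portal. Its
    priority number must be lower than the wildcard allow or it never fires."""
    return rule(f"deny-rdp-{src_ip.replace('.', '-')}", priority, "Deny",
                f"{src_ip}/32", "3389")

def rdp_exposed_to_internet(rules, probe_ip="192.0.2.10"):
    """True if an arbitrary Internet host (documentation address) reaches 3389."""
    return evaluate_inbound(rules, probe_ip, 3389) == "Allow"

# Wildcard allow of the kind created when 3389 is opened to the world (assumed name).
OPEN_RDP = [rule("default-allow-rdp", 1000, "Allow", "*", "3389")]
# The poster's fix: block the observed attacker(s) ahead of the wildcard allow.
BLOCK_ONE = [deny_rule_for(ip, 100 + i)
             for i, ip in enumerate(brute_force_sources(SAMPLE_4625))] + OPEN_RDP
# The answer's recommendation: no wildcard allow; RDP only from the VPN/VNet
# range, everything else falls through to DenyAllInBound.
VPN_ONLY = [rule("allow-rdp-from-vnet", 1000, "Allow", VNET_SPACE, "3389")]

if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_4625))
    for label, rules in (("open", OPEN_RDP), ("block one IP", BLOCK_ONE), ("VPN only", VPN_ONLY)):
        print(f"{label:13s} exposed to Internet: {rdp_exposed_to_internet(rules)}")
```

The deny-one-IP rule set stops the address that was seen, but `rdp_exposed_to_internet(BLOCK_ONE)` is still true: the next scanner from a different address matches the wildcard allow at priority 1000. Removing that allow and permitting 3389 only from the VPN range is what actually closes the door, which is the answer's point.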
