Yesterday my VM on Azure was under a DOS attack.
The symptom was that I wasn't able to connect via RDP unless the server was freshly rebooted, and then only for a short while after the reboot.
Once I successfully connected, with netstat I noticed there were around 50 RDP connection attempts from an IP address in Taiwan (the people using the server are in Italy).
Thus, I blocked that specific IP address in the Azure portal (inbound security rules) and my server was back on track.
The question is: Azure includes a DDoS attack prevention system by default, doesn't it?
Are there any extra elements I can configure in Azure to prevent these problems? Because at the moment I have only blocked one IP address (yesterday's attacker's).
Thank you very much,
Fabio
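The netstat check described in the question, turned into a script. This is an added example, not something from the original post: it tallies TCP connections to the RDP listener (port 3389) per remote address so that a single source hammering the server stands out. The sample netstat lines and the threshold of 3 are constructed for illustration; on the VM you would feed it the real `netstat -an -p TCP` output instead.

```powershell
# Added example (not from the original post): count connections to the RDP
# listener per remote address from Windows `netstat -an -p TCP` output.
# The lines below are constructed sample output, not a real capture.
$sample = @'
  TCP    10.0.0.4:3389          203.0.113.7:51214      SYN_RECEIVED
  TCP    10.0.0.4:3389          203.0.113.7:51215      SYN_RECEIVED
  TCP    10.0.0.4:3389          203.0.113.7:51216      ESTABLISHED
  TCP    10.0.0.4:3389          198.51.100.20:49832    ESTABLISHED
  TCP    10.0.0.4:445           203.0.113.7:51300      ESTABLISHED
'@ -split "`r?`n"

# On the VM itself use the live table instead of the sample:
#   $lines = netstat -an -p TCP
$lines = $sample

# Assumed threshold: flag any remote address with this many RDP connections or more.
$threshold = 3

# Keep only TCP rows whose *local* endpoint is the RDP listener; the third
# column is the foreign endpoint as host:port (IPv6 appears as [addr]:port,
# so stripping the trailing :port works for both families).
$rdp = foreach ($line in $lines) {
    $f = $line.Trim() -split '\s+'
    if ($f.Count -lt 4 -or $f[0] -ne 'TCP') { continue }
    if ($f[1] -notmatch ':3389$') { continue }
    [pscustomobject]@{
        Remote = $f[2] -replace ':\d+$', ''
        State  = $f[3]
    }
}

# Group by remote address; SYN_RECEIVED rows are half-open connections, which
# is what a flood of connection attempts looks like from the server side.
$rdp | Group-Object Remote | Sort-Object Count -Descending | ForEach-Object {
    $halfOpen = @($_.Group | Where-Object State -eq 'SYN_RECEIVED').Count
    $flag = if ($_.Count -ge $threshold) { '  <-- candidate for an NSG deny rule' } else { '' }
    '{0,-20} total={1,3} half-open={2,3}{3}' -f $_.Name, $_.Count, $halfOpen, $flag
}
```

With the sample input, 203.0.113.7 is reported with three RDP connections (two half-open) and flagged, while 198.51.100.20 is not; the SMB row on port 445 is ignored because only the 3389 listener is counted.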
Best Answer
The Microsoft Azure Network Security Whitepaper tells most of what you need to know about securing your Azure VM. Chapter 2.2, Security Management and Threat Defense, has a section Protecting against DDoS (page 11). While Microsoft provides a DDoS defense system, there are threats that automation can't handle:
Probably the attack against your RDP is actually an intense brute-force password attack that looks like a DDoS. The fact that blocking only one IP address was sufficient actually makes this a Denial of Service attack, without the leading Distributed, making this the most likely scenario. While strong passwords and account lockout policies prevent gaining access to the system, they don't work against DDoS. (See Brute force RDP attacks depend on your mistakes.)
The easiest solution would be to disable direct RDP to the server. Unless you are actually providing some SaaS application over RemoteApp or similar, i.e. you only use RDP for management, blocking direct RDP access and using RDP only inside a VPN connection would prevent this kind of attack; the purpose of the attack being intrusion instead of denial of service, your VPN is unlikely to be the next target. Even if it were, it's much easier to detect and block by the Azure DDoS defense system.
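What the answer recommends, expressed as NSG rules with Azure PowerShell. This is an added example, not code from the answer's author: it allows RDP only from a VPN address range and denies it from the Internet service tag, then prints the resulting rules for port 3389. The resource group, NSG name and the VPN address range (172.16.0.0/24, standing in for your point-to-site client pool or site-to-site on-premises range) are assumptions.

```powershell
# Added example (not from the original answer): restrict RDP to a VPN range.
# Resource names and the VPN address range below are assumptions.
$rg      = 'my-rg'
$nsgName = 'my-vm-nsg'
$vpnCidr = '172.16.0.0/24'   # assumed VPN client pool / on-premises range

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName

# NSG rules are evaluated in priority order and the lowest number wins,
# so the VPN allow rule must sit above the Internet deny rule.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-VPN' `
    -Description 'RDP for management only over the VPN' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $vpnCidr -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389 | Out-Null

# 'Internet' is the Azure service tag for all public address space.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-From-Internet' `
    -Description 'No direct RDP from the public Internet' `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389 | Out-Null

# The portal often adds a permissive 'RDP' allow rule when the VM is created.
# The deny at priority 110 already outranks it, but removing it keeps the
# rule set honest about what is actually permitted.
if ($nsg.SecurityRules | Where-Object Name -eq 'RDP') {
    $nsg | Remove-AzNetworkSecurityRuleConfig -Name 'RDP' | Out-Null
}

# Nothing changes in Azure until the modified NSG is written back.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Verify: list every rule that touches port 3389, in evaluation order.
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName).SecurityRules |
    Where-Object { $_.DestinationPortRange -contains '3389' } |
    Sort-Object Priority |
    Format-Table Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange
```

After this, a connection from the VPN range still reaches RDP, a connection from any public address is dropped before it reaches the guest, and the brute-force traffic that filled the listener's backlog never gets a SYN past the NSG, which is why a per-IP block like the one applied in the portal is no longer needed. Test the VPN path before applying the deny rule, or you will lock yourself out of the only management channel.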