last sync: 2024-Jun-24 18:15:26 UTC

Microsoft Managed Control 1620 - Denial Of Service Protection | Regulatory Compliance - System and Communications Protection

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1620 - Denial Of Service Protection
Id d17c826b-1dec-43e1-a984-7b71c446649c
Version 1.0.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this System and Communications Protection control
Additional metadata Name/Id: ACF1620 / Microsoft Managed Control 1620
Category: System and Communications Protection
Title: Denial Of Service Protection
Ownership: Customer, Microsoft
Description: The information system protects against or limits the effects of the following types of denial of service attacks: attacks on bandwidth, transactional capacity, and storage by employing geo-replication, IP address blocking, network-based DDoS protections.
Requirements: Azure uses A10 distributed denial of service (DDoS) protection network devices that provide automated detection and mitigation. The DDoS protection solution utilizes Azure Network Monitoring (NetMon) to sample network flow packets and determine if there is an attack. Once the attack is detected, the A10s are used as scrubbers to mitigate attacks. After mitigation, further clean traffic is allowed into the Azure environment. This involves the NetMon and Geneva Monitoring features to detect attacks and use A10 technology to mitigate attacks. This solution is designed to withstand attacks from both outside and inside of Azure. For attacks initiated within Azure to another Azure tenant, trusted IP filters prevent spoofing of dynamic IP (DIP) address. Azure monitors and isolates or removes offending VMs from the network. Additional DoS protection solutions include: * UDP IPv4 and IPv6 flood protection * ICMP IPv4 and IPv6 flood protection * TCP IPv4 and IPv6 flood protection * TCP SYN attack protection for IPv4 and IPv6 * Fragmentation attack protection Azure Storage Azure has implemented protection mechanisms as defined below to protect from three kinds of DoS attacks on Azure Storage: attacks on bandwidth, attacks on transactional capacity (authentication overhead, IOPS, cache efficiency, etc.), and attacks on storage capacity. Attacks on bandwidth are handled by identifying the IP addresses of assets mounting simple attacks and blocking them as early in the communications stream as possible. The ability to throttle or disable abusive accounts is provided. Storage accounts that suddenly start growing out of proportion to past patterns may represent a DoS attack against a customer or more likely represent a bug in a customer program. This is tracked by actively monitoring bandwidth, transactions, and storage capacity usage and growth by storage account and IP address across the whole storage stamp. If the metrics start to change in an unexpected way, Azure analyzes storage accounts and IP addresses and performs a range of mitigations. This ranges from throttling the accounts or IPs, contacting the customers, or even disabling or putting the accounts or IPs into read-only mode. In addition to dealing with abusive storage accounts and IP address ranges in the above manner, Azure Storage monitors the (a) bandwidth, (b) transactions, and (c) storage capacity for each of the stamps. If any of these metrics reach seventy (70) percent of peak capacity provided by the storage stamp, then Azure Storage load-balances storage accounts via geo-replication migration across the storage stamps preferably within a given geo-location to keep the capacity below this threshold for each production storage stamp. Azure SQL DB Azure SQL DB gateway performs stateful TDS packet inspection while accepting connections from clients to validate the connection information and pass on the TDS packets to the appropriate server based on the database name specified in the connection string. In the back-end, Azure SQL databases are hosted in tenant rings that are deployed in Virtual Networks (VNets). The OneDDOS system protects traffic coming into these VNets. They define normal thresholds on each endpoint, and if the thresholds are exceeded, they route the traffic through A10 devices which scrub the traffic to prevent DOS attacks. Additionally, Azure SQL Database offers a variety of network access controls so customers can choose between public or private connectivity. Customers can use a combination of these network access controls to control how clients can connect to SQL Database and thus reduce the surface area for DoS attacks. Public connections are blocked by SQL DB firewall and traffic is allowed only when the client IP addresses is added in the form of a firewall rule. Access from resources inside Azure, such as an Azure VM or Web App, can be accomplished by using Service Endpoints and VNet firewall rules. Lastly customers can use private endpoint such that Azure SQL DB is associated with a specific private IP address within a specific VNet and subnet.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a
JSON
api-version=2021-06-01
EPAC