Closed SorraTheOrc closed 6 years ago
I'm not sure if it's best to support DDoS protection at the template deployment time. According to this, an existing vnet can be updated to support DDoS protection. Adding that configurability to the templates might be at best marginally beneficial, and also it may be complicated with custom BYO-vnet.
It'd still be good to have this configurability at deployment time in our templates, but if there are any urgent or pressing needs, this appears to be always configurable on the deployed/used vnet after the fact. So this is a good thing to have. Note that the DDoS protection described in the links above is different from AppGw WAF, and we might need some research on these options.
Azure DDoS protection Basic SKU is automatically enabled as soon as a resource has an IPv4 or IPv6 address. It protects the resource against common network-level attacks. Azure DDoS protection Basic SKU has no costs and you have nothing to do to set it up.
Azure DDoS protection Standard SKU adds protections against volumetric attacks (UDP flooding...), protocol attacks on layers 3 and 4, and application layer attacks on layer 7 thanks to the WAF of the Application Gateway. To enable Azure DDoS protection Standard SKU, you must create an Azure DDoS protection plan. Then you associate it to the virtual network that you want to protect. Every resource with a public IP in the virtual network is protected. If you have deployed an Application Gateway WAF, Azure DDoS protection will use it to protect layer 7.
So, Azure DDoS protection Basic SKU is already working with the actual template. I will work on adding the Azure DDoS protection plan in the template.
I suggest adding it as an option since it comes with costs: https://azure.microsoft.com/en-us/pricing/details/ddos-protection/
In addition to my previous comment, the Azure DDoS reference architecture can be found here.
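The plan-plus-vnet association described in the comment above, as an added ARM template fragment that is not part of the project's templates: the parameter and resource names (`enableDdosProtectionPlan`, `moodle-vnet`, `moodle-ddos-plan`) and the address space are assumptions, and the plan is gated behind an opt-in parameter because the Standard SKU is billed per plan.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "enableDdosProtectionPlan": {
      "type": "bool",
      "defaultValue": false,
      "metadata": { "description": "Assumed opt-in switch: create a DDoS Protection Standard plan and attach it to the vnet (billed per plan)." }
    },
    "vnetName": { "type": "string", "defaultValue": "moodle-vnet" },
    "ddosPlanName": { "type": "string", "defaultValue": "moodle-ddos-plan" }
  },
  "resources": [
    {
      "condition": "[parameters('enableDdosProtectionPlan')]",
      "type": "Microsoft.Network/ddosProtectionPlans",
      "apiVersion": "2018-02-01",
      "name": "[parameters('ddosPlanName')]",
      "location": "[resourceGroup().location]",
      "properties": {}
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2018-02-01",
      "name": "[parameters('vnetName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/ddosProtectionPlans', parameters('ddosPlanName'))]"
      ],
      "properties": {
        "addressSpace": { "addressPrefixes": [ "10.0.0.0/16" ] },
        "enableDdosProtection": "[parameters('enableDdosProtectionPlan')]",
        "ddosProtectionPlan": "[if(parameters('enableDdosProtectionPlan'), json(concat('{\"id\": \"', resourceId('Microsoft.Network/ddosProtectionPlans', parameters('ddosPlanName')), '\"}')), json('null'))]"
      }
    }
  ]
}
```

With the parameter left at `false` the deployment is unchanged (Basic SKU only, no plan resource and no charge); setting it to `true` creates the plan and links the vnet to it, so Standard protection covers every public IP in that vnet, including an AppGw WAF if one is deployed.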
The Moodle DDOS (or DOS) is relatively specific. https://moodle.org/mod/forum/discuss.php?d=321976
Case: One user can hold F5/refresh and consume all the DB connections in a very short timeframe.
It's basically a GET or recursive GET flood.
In a situation like this the traffic signature is different from that of, say, a quiz. With the DOS scenario, a large number of HTTP requests will originate from a single IP, and it will be a good feature if some sort of protection is factored in.
With a quiz, DB connections are consumed, but from a range of traffic sources.
Azure provides DDoS protection. We should add support to this to our templates.
At the time of writing one can choose WAF for AppGw at deployment time, and it can also be changed after the fact. We need to investigate how effective WAF is and whether it could be used for DDoS prevention.
One of the complexities for this workload is that some normal behavior of a Moodle cluster can look like the early stages of a DDoS attack. For example, when an exam is due to start there will be a significant surge in traffic.