Is it possible to DDOS an Azure Blob ?

    Question

  • I'm currently doing a threat model using the Microsoft SDL tool. I'm wondering if it's possible to:

    1. DDoS an Azure blob? If, suddenly, there is a very large amount of access to a blob, can this sudden flood deny my role access to the blob transiently or permanently?

    2. Somehow do a MITM in between a role and an Azure blob?

    Thanks

    Tuesday, July 23, 2013 7:50 PM

Answers

  • Basically the idea to mitigate DDOS attack is to route all traffic through LB infrastructure which cleans legitimate from attack (dirty) traffic (Modern LBs have the intelligence built in, and I am sure Azure does use some neat LBs). This is most of the time on demand, means you enable this routing only when being under attack. Your infrastructure only accepts traffic from legitimate source. This is how you would prepare for DDoS mitigation.

    A really good blog post describes it all

    http://blogs.blackmarble.co.uk/blogs/sspencer/post/2011/02/14/denial-of-service-and-windows-azure.aspx


    Please mark as answered if it helped Vishal Narayan Saxena http://twitter.com/vishalishere http://www.ogleogle.com/vishal/


    Wednesday, July 24, 2013 11:28 PM

All replies

  • Hi Louis,

    Please take a look at "Security Best Practices for Developing Windows Azure Applications". It does not give internal details of "how" (for obvious reasons), but it talks about DDoS attacks and how they are partially mitigated by infrastructure in Azure (load balancers):

    /************************************/

    Denial of Service

    Windows Azure’s load balancing will partially mitigate Denial of Service attacks from the Internet and internal networks. This mitigation is done in conjunction with the developer defining an appropriate Service Definition VM instance count scale-out.  On the Internet, Windows Azure VMs are only accessible through public Virtual IP Addresses (VIPs).  VIP traffic is routed through Windows Azure’s load-balancing infrastructure.  Windows Azure monitors and detects internally initiated Denial of Service attacks and removes offending VMs/accounts from the network. As a further protection, the root host OS that controls guest VMs in the cloud is not directly addressable internally by other tenants on the Windows Azure network and the root host OS is not externally addressable.

    Windows Azure is also reviewing additional Distributed Denial of Service (DDoS) solutions available from Microsoft Global Foundation Services to help further protect against Denial of Service attacks.

    /************************************/

    This guide also goes into detail on spoofing, eavesdropping and information disclosure at the network level, and explains the hypervisor's role and the network structure of the hosted solution.

    Also look at this Microsoft case study of the Ddanzi Group: how they could not handle increasing traffic and security using their regular network, how Azure helped, and what was found as lessons learnt.

    You could take advantage of Shared Keys and SAS to implement a custom solution for MITM-type attacks:

    http://social.msdn.microsoft.com/forums/windowsazure/zh-tw/8bf2c19b-f367-4d14-a833-0bc1fdfa29be/conflict-between-systemnetcachinghttprequestcachepolicy-and-cloudblobfetchattributes

    Hope this helps

    ---------------------------------------------


    Please mark as answered if it helped Vishal Narayan Saxena http://twitter.com/vishalishere http://www.ogleogle.com/vishal/

    Tuesday, July 23, 2013 8:47 PM
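The Shared Key and SAS mechanisms mentioned in the reply above, worked through as an added Python example (this is not code from the thread, from Microsoft's SDK, or from the linked documents): it signs one Blob REST request with the account key, mints a short-lived read-only Service SAS for a single blob, and mirrors the check the storage service applies to a presented SAS so the token's limits (signature over permissions, expiry, version and resource) are visible. The account name, key, container and blob names, and the fixed clock are constructed sample values; the Shared Key canonicalization follows the 2015-02-21-and-later service version, and the SAS string-to-sign uses the 2012-02-12 form with the resource written as /account/container/blob.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Constructed sample credentials, not real ones: Azure account keys are
# base64-encoded secrets, so a fabricated key of the same shape is used here.
ACCOUNT = "examplestorage"
ACCOUNT_KEY = base64.b64encode(b"\x01" * 64).decode()
NOW = datetime(2013, 7, 24, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo
FIFTEEN_MIN = timedelta(minutes=15)
ONE_HOUR = timedelta(hours=1)
TS = "%Y-%m-%dT%H:%M:%SZ"                                  # SAS st/se timestamp format


def _sign(key_b64: str, string_to_sign: str) -> str:
    """Base64(HMAC-SHA256(decoded key, UTF-8 string-to-sign)): the one
    primitive behind both Shared Key authorization and a SAS token."""
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def shared_key_authorization(account, key_b64, method, container, blob, headers):
    """Authorization header for one Blob REST request signed with the account
    key (Shared Key). Whoever holds this key controls the whole account, so a
    role keeps it to itself and hands clients a SAS instead."""
    std = ["Content-Encoding", "Content-Language", "Content-Length", "Content-MD5",
           "Content-Type", "Date", "If-Modified-Since", "If-Match",
           "If-None-Match", "If-Unmodified-Since", "Range"]
    lower = {k.lower(): v for k, v in headers.items()}
    values = [lower.get(h.lower(), "") for h in std]
    if values[2] == "0":            # version 2015-02-21+: a zero length is signed as empty
        values[2] = ""
    canon_headers = "".join(f"{k}:{lower[k].strip()}\n"
                            for k in sorted(lower) if k.startswith("x-ms-"))
    canon_resource = f"/{account}/{container}/{blob}"
    string_to_sign = (method.upper() + "\n" + "\n".join(values) + "\n"
                      + canon_headers + canon_resource)
    return f"SharedKey {account}:{_sign(key_b64, string_to_sign)}"


def blob_service_sas(account, key_b64, container, blob, permissions, expiry,
                     start=None, version="2012-02-12"):
    """Service SAS query parameters for a single blob (2012-02-12 string-to-sign:
    sp, st, se, canonicalized resource, si, sv). The signature covers every
    field, so a client cannot widen permissions or extend expiry."""
    st = start.strftime(TS) if start else ""
    se = expiry.strftime(TS)
    canon_resource = f"/{account}/{container}/{blob}"
    string_to_sign = "\n".join([permissions, st, se, canon_resource, "", version])
    params = {"sv": version, "sr": "b", "sp": permissions, "se": se}
    if st:
        params["st"] = st
    params["sig"] = _sign(key_b64, string_to_sign)
    return params


def sas_url(account, container, blob, params):
    """The URL a client receives: it carries the signature, never the key."""
    return (f"https://{account}.blob.core.windows.net/{container}/{blob}?"
            + urlencode(params))


def verify_sas(account, key_b64, container, blob, params, now, needed):
    """The check the storage service performs on a SAS request, mirrored here
    so the token's limits are visible: recompute the signature from the
    presented parameters, enforce the validity window, then the permission."""
    canon_resource = f"/{account}/{container}/{blob}"
    string_to_sign = "\n".join([params.get("sp", ""), params.get("st", ""),
                                params.get("se", ""), canon_resource,
                                params.get("si", ""), params.get("sv", "")])
    if not hmac.compare_digest(_sign(key_b64, string_to_sign), params.get("sig", "")):
        return False                # tampered field or a different blob: mismatch
    expiry = datetime.strptime(params["se"], TS).replace(tzinfo=timezone.utc)
    if now >= expiry:
        return False
    if params.get("st"):
        start = datetime.strptime(params["st"], TS).replace(tzinfo=timezone.utc)
        if now < start:
            return False
    return needed in params.get("sp", "")


if __name__ == "__main__":
    sas = blob_service_sas(ACCOUNT, ACCOUNT_KEY, "uploads", "report.bin", "r",
                           NOW + FIFTEEN_MIN)
    print(sas_url(ACCOUNT, "uploads", "report.bin", sas))
    print("valid now:", verify_sas(ACCOUNT, ACCOUNT_KEY, "uploads", "report.bin", sas, NOW, "r"))
    print("after an hour:", verify_sas(ACCOUNT, ACCOUNT_KEY, "uploads", "report.bin", sas,
                                       NOW + ONE_HOUR, "r"))
    hdrs = {"x-ms-date": NOW.strftime("%a, %d %b %Y %H:%M:%S GMT"),
            "x-ms-version": "2015-02-21"}
    print(shared_key_authorization(ACCOUNT, ACCOUNT_KEY, "GET", "uploads", "report.bin", hdrs))
```

The design point for the threat model is the blast radius: a leaked or replayed SAS URL grants only the signed permission on the signed blob until the signed expiry, whereas a leaked account key grants everything. A SAS signed directly with the key (the `si` field left empty above) can only be cut off by rotating the key; tying it to a stored access policy lets you revoke it without a key roll.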
  • In addition to @vishalishere's comment, it's certainly possible to DDoS blobs, but the threshold to accomplish that is fairly high, and it's offset by authz requirements.

    MITM attacks are possible if your role isn't connecting over HTTPS or the role isn't actually validating the certificate used is trusted.


    Developer Security MVP | www.syfuhs.net

    Tuesday, July 23, 2013 9:19 PM
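The two conditions named in the reply above (plain HTTP, or HTTPS where the role does not actually validate the certificate) as an added Python example, not code from the thread: the unverified context is what a role that skips certificate validation looks like in code, shown beside the hardened context and a URL check that refuses plain http and lookalike hosts before any connection is opened. The blob host suffix is an assumption for public Azure Blob endpoints, and the sample URLs are constructed; the connection helper only builds the connection object, it does not reach the network.

```python
import http.client
import ssl
from urllib.parse import urlsplit

# Assumption: the role only ever talks to public Azure Blob endpoints.
BLOB_HOST_SUFFIX = ".blob.core.windows.net"


def make_unverified_context() -> ssl.SSLContext:
    """The weak setting: any certificate from any host is accepted, so whoever
    can sit on the path (DNS or ARP games, a rogue proxy) terminates TLS and
    reads or rewrites the blob traffic. Shown only to contrast with the fix."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_verified_context() -> ssl.SSLContext:
    """The corrected setting: chain validation against the system trust store,
    hostname match against the certificate, and no TLS versions below 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_verified(ctx: ssl.SSLContext) -> bool:
    """What a code review or a unit test should check on the client context."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def blob_url_ok(url: str) -> bool:
    """Accept only https URLs whose host is a real blob endpoint. A plain http
    URL or a lookalike such as example.blob.core.windows.net.evil.example is
    an interception opportunity, not a configuration detail."""
    parts = urlsplit(url)
    return (parts.scheme == "https"
            and parts.hostname is not None
            and parts.hostname.endswith(BLOB_HOST_SUFFIX))


def open_blob_connection(url: str) -> http.client.HTTPSConnection:
    """Build the connection the role should use: refused outright for a bad
    URL, otherwise HTTPS with the verified context. Nothing is sent here."""
    if not blob_url_ok(url):
        raise ValueError(f"refusing non-HTTPS or non-blob endpoint: {url}")
    parts = urlsplit(url)
    return http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       context=make_verified_context(), timeout=10)


if __name__ == "__main__":
    # Constructed sample URLs.
    for candidate in ("https://examplestorage.blob.core.windows.net/c/report.bin",
                      "http://examplestorage.blob.core.windows.net/c/report.bin",
                      "https://examplestorage.blob.core.windows.net.evil.example/c/report.bin"):
        print(candidate, "->", "ok" if blob_url_ok(candidate) else "refused")
    print("verified context:", context_is_verified(make_verified_context()))
    print("unverified context:", context_is_verified(make_unverified_context()))
```

Checking the scheme and host yourself matters because the library will happily validate a perfectly good certificate for the wrong host if the URL was swapped before the request was built; certificate validation proves you reached the host you asked for, not that you asked for the right host.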
  • I'm not sure where that document came from but the Azure Load-balancers will not help in DDOS attacks here. There is a great deal of internal detail here how we mitigate DDOS attacks that cannot be shared.

    We do handle the following threats from outside in and left to right (i.e. the guy running next to you could be attacking you):

    1. TCP SYN flood

    2. SQL Injection

    3. DDOS

    Simon


    Simon Hart

    Wednesday, July 24, 2013 1:25 AM
  • hi Simon,

    I think we are talking about the same thing. I have posted the link to the document (if you want to download it). I completely agree that the "how" is something anyone would want to keep confidential; I still believe load balancers (and the underlying hardware infrastructure of the LB in Azure) would help mitigate a DDoS attack quite a bit.


    Please mark as answered if it helped Vishal Narayan Saxena http://twitter.com/vishalishere http://www.ogleogle.com/vishal/


    Wednesday, July 24, 2013 6:05 AM
  • But that MITM would have to be initiated from another VM in the datacenter, right? Don't you have DNS or ARP poisoning detection?
    Wednesday, July 24, 2013 12:45 PM
  • I sure do not know how blobs are implemented behind the scenes. If it's a massive DDoS, the blob load balancer (are they the same as the VM load balancers?) will be flooded unless you can scale them really fast (faster than the number of requests increases). I remember reading a white paper about the blob implementation, and they were mentioning that a "hot" blob is replicated to increase performance after a while... I suppose that the opposite is also true: extremely bad performance (timeouts) while Azure replicates it.
    Wednesday, July 24, 2013 12:50 PM
  • The linked document is answering it somehow: "At the Hypervisor VM Switch, additional filters are in place to block broadcast and multicast traffic, with the exception of what is needed to maintain DHCP leases". I suppose this will filter poisonous DNS or ARP broadcasts. Then how can a MITM be done between a role and a blob? The Security Best Practices for Windows Azure document does not talk about that topic.
    Wednesday, July 24, 2013 12:54 PM
  • Hi,

    The load-balancer will not help mitigate DDOS attacks, why do you think it would?

    Simon


    Simon Hart

    Wednesday, July 24, 2013 10:52 PM
  • I'm marking you as the answer even though you did not reply about the MITM, because that link is pretty good.
    Thursday, July 25, 2013 12:15 PM