Is it possible to DDOS an Azure Blob?

I'm currently doing a threat model using the Microsoft SDL tool. I'm wondering if it's possible to:

1-DDOS an Azure blob? If, suddenly, there is a very large amount of access to a blob, can this sudden flood deny my role access to the blob transiently or permanently?

2-Somehow do a MITM in between a role and an Azure Blob?

Thanks

July 23rd, 2013 3:56pm

Hi Louis,

Please take a look at Security best practices for developing Windows Azure applications. It does not give internal details of "how" (for obvious reasons), but it talks about the DDOS attack and how it's mitigated partially by infrastructure in Azure (load balancers).

/************************************/

Denial of Service

Windows Azure's load balancing will partially mitigate Denial of Service attacks from the Internet and internal networks. This mitigation is done in conjunction with the developer defining an appropriate Service Definition VM instance count scale-out. On the Internet, Windows Azure VMs are only accessible through public Virtual IP Addresses (VIPs). VIP traffic is routed through Windows Azure's load-balancing infrastructure. Windows Azure monitors and detects internally initiated Denial of Service attacks and removes offending VMs/accounts from the network. As a further protection, the root host OS that controls guest VMs in the cloud is not directly addressable internally by other tenants on the Windows Azure network and the root host OS is not externally addressable.

Windows Azure is also reviewing additional Distributed Denial of Service (DDoS) solutions available from Microsoft Global Foundation Services to help further protect against Denial of Service attacks.

/************************************/

This guide also goes into detail on Spoofing, Eavesdropping and Information Disclosure on a network level, and explains the Hypervisor's role and network structure of the hosted solution.

Also look at this Microsoft case study of Ddanzi Group and how they could not handle increasing traffic and security using their regular network and how Azure helped, what was found as lessons learnt.

You could take advantage of SharedKeys and SAS to implement something that can be a custom solution for MITM type attacks

http://social.msdn.microsoft.com/forums/windowsazure/zh-tw/8bf2c19b-f367-4d14-a833-0bc1fdfa29be/conflict-between-systemnetcachinghttprequestcachepolicy-and-cloudblobfetchattributes

Hope this helps

---------------------------------------------

Please mark as answered if it helped

July 23rd, 2013 4:53pm

In addition to @vishalishere's comment, it's certainly possible to DDoS blobs but the threshold to accomplish that is fairly high, and it's offset by authz requirements.

MITM attacks are possible if your role isn't connecting over HTTPS or the role isn't actually validating that the certificate used is trusted.

July 23rd, 2013 5:24pm
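An added example, not part of any post in this thread: a small audit of the two places a role's blob traffic can end up on plain HTTP, the storage connection string and a SAS URL, following the HTTPS point in the reply above and the SAS suggestion earlier. The account name, key and signature are constructed placeholders, and the `spr` (signed protocol) SAS field comes from storage service versions later than this 2013 thread.

```python
from urllib.parse import urlsplit, parse_qs

def parse_connection_string(conn):
    """Split 'Key=Value;...' into a dict; values (base64 keys) may contain '='."""
    pairs = (p.split("=", 1) for p in conn.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_connection_string(conn):
    """Return findings for settings that let storage traffic go out in clear text."""
    fields = parse_connection_string(conn)
    findings = []
    proto = fields.get("defaultendpointsprotocol")
    if proto is not None and proto.lower() != "https":
        findings.append("DefaultEndpointsProtocol=%s" % proto)
    # An explicit endpoint carries its own scheme, so check each one.
    for key in ("blobendpoint", "queueendpoint", "tableendpoint"):
        endpoint = fields.get(key)
        if endpoint and urlsplit(endpoint).scheme.lower() != "https":
            findings.append("%s is not https: %s" % (key, endpoint))
    return findings

def audit_sas_url(url):
    """Return findings for a SAS URL that is used, or usable, over plain HTTP."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("URL scheme is %s" % (parts.scheme or "missing"))
    if query.get("spr", [""])[0].lower() != "https":
        findings.append("token not restricted to HTTPS (spr != https)")
    return findings

# Constructed samples: 'exampleacct', the key and the signature are placeholders.
SAMPLE_CONNS = [
    "DefaultEndpointsProtocol=http;AccountName=exampleacct;AccountKey=PLACEHOLDER==",
    "DefaultEndpointsProtocol=https;AccountName=exampleacct;AccountKey=PLACEHOLDER==",
]
SAMPLE_SAS = [
    "http://exampleacct.blob.core.windows.net/c/b.txt?sp=r&se=2030-01-01&sig=PLACEHOLDER",
    "https://exampleacct.blob.core.windows.net/c/b.txt?sp=r&spr=https&sig=PLACEHOLDER",
]

if __name__ == "__main__":
    for conn in SAMPLE_CONNS:
        print(audit_connection_string(conn) or "ok")
    for url in SAMPLE_SAS:
        print(audit_sas_url(url) or "ok")
```

This covers only the transport setting; whether the client actually validates the server certificate has to be checked in the role's own code.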

I'm not sure where that document came from, but the Azure load balancers will not help in DDOS attacks here. There is a great deal of internal detail here on how we mitigate DDOS attacks that cannot be shared.

We do handle the following threats from outside in and left to right (i.e. the guy running next to you could be attacking you):

1. TCP SYN flood

2. SQL Injection

3. DDOS

Simon

July 23rd, 2013 9:31pm

Hi Simon,

I think we are talking about the same thing. I have posted the link to the document (if you want to download it). I completely agree that the "how" is something anyone would want to keep confidential; I still believe load balancers (and the underlying hardware infrastructure of the LB in Azure) would help mitigate DDOS attacks quite a bit.

July 24th, 2013 2:11am

But that MITM would have to be initiated from another VM in the datacenter, right? Don't you have DNS or ARP poisoning detection?
July 24th, 2013 8:46am

I sure do not know how blobs are implemented behind the scenes. If it's a massive DDOS, the blob load balancer (are they the same as the VM load balancer?) will be flooded unless you can scale them really fast (faster than the number of requests increases). I remember reading a white paper about blob implementation and they were mentioning that a "hot" blob is replicated to increase performance after a while... I suppose that the opposite is also true: extremely bad performance (timeouts) while Azure replicates it.
July 24th, 2013 8:51am

The linked document is answering it somehow: "At the Hypervisor VM Switch, additional filters are in place to block broadcast and multicast traffic, with the exception of what is needed to maintain DHCP leases". I suppose this will filter poisonous DNS or ARP broadcasts. Then how can a MITM be done between a role and a blob? The Security Best Practices Windows Azure document does not talk about that topic.
July 24th, 2013 8:55am

Hi,

The load-balancer will not help mitigate DDOS attacks, why do you think it would?

Simon

July 24th, 2013 6:54pm

Basically, the idea to mitigate a DDOS attack is to route all traffic through LB infrastructure, which cleans legitimate from attack (dirty) traffic (modern LBs have the intelligence built in, and I am sure Azure does use some neat LBs). This is most of the time on demand, meaning you enable this routing only when under attack. Your infrastructure only accepts traffic from legitimate sources. This is how you would prepare for DDoS mitigation.

A really good blog post describes it all

http://blogs.blackmarble.co.uk/blogs/sspencer/post/2011/02/14/denial-of-service-and-windows-azure.as

July 24th, 2013 7:29pm

I'm marking you as the answer even though you did not reply about the MITM, because that link is pretty good.
July 25th, 2013 8:17am

This topic is archived. No further replies will be accepted.
