CASE STUDY: DDOS TESTING

Validating DDoS Resilience for a European Government Agency

Government agencies tend to be at a very high risk of DDoS attacks, as they constitute a high-profile target. The IT team of one European government office, therefore, decided to evaluate the effectiveness of its protection measures in relation to DDoS attacks.

The protection architecture used the Azure DDoS IP Protection Plan. In this setup, DNS resolves user API requests, which are then routed to the application gateway and WAF, where they are inspected and filtered. Requests that are not blocked are forwarded to the cloud environment, where an API Management system enforces a custom rate-limiting rule. Permitted requests then proceed to a firewall that blocks all traffic by default, with only explicitly defined ports open. Requests for the ECHO API are then resolved by the API service, while requests for a specialized in-house API are routed to an on-premises data center through a VPN for handling by an associated API service.

The Solution

We designed and executed a comprehensive DDoS simulation to assess the efficiency and resilience of the agency’s protective measures. To rigorously challenge Azure’s Web Application Firewall (WAF) and DDoS IP Protection Plan, we launched seven distinct attack scenarios using a globally distributed botnet of 400 bots. These scenarios included both network layer and application layer vectors, ranging from common to advanced techniques.

The simulation was tailored to reflect the organization’s current infrastructure, known threat landscape, and risk profile. The goal was to validate protection controls, identify weak spots, and test incident response – namely, the ability to detect and mitigate real-world threats.

The Results

Of the seven attack scenarios, three were detected and mitigated. One was only partially mitigated and three were not mitigated at all, resulting in service disruptions that affected the agency’s internet-based services. While Azure’s protection services provided a baseline level of defense, our testing revealed several weak points, particularly in detection latency, configuration gaps, and the handling of complex application-layer attacks.

Azure rate limit rules did not work during the simulation, resulting in zero mitigation of attacks targeting the API services. In addition, the DDoS Protection Plan, which should respond to layer 3/4 attacks, did not detect or mitigate a TLS Reconnections attack.

Recommendations

The Red Button team recommended the following measures to improve the government agency’s resilience to DDoS attacks.

  • Contact Azure: In the wake of the rate limit and DDoS IP Protection Plan failures, Azure should be called upon to remediate by analyzing the simulation logs and configuring mitigation policies accordingly.
  • Add a Content Delivery Network (CDN): Implementing a CDN, such as Azure Front Door, would provide an additional layer of protection at layer 3/4 and against application layer attacks. By leveraging global CDN points of presence (PoPs), the IT team can also enforce rate-limiting rules at the edge, further enhancing security.
  • Fine-tune the rate-limit rules: Rate-limit thresholds should be set to the lowest possible value that maintains normal traffic flow and avoids false positives, based on a thorough review of typical traffic patterns. The thresholds in place during the DDoS simulation were set too high, potentially allowing attackers to launch high-rate attacks.
  • Re-run the DDoS simulation: After applying the aforementioned recommendations, the agency should perform another DDoS simulation to verify that the implemented defenses are effective and working as intended. This follow-up test helps validate the system against the types of attacks previously identified and confirms that no new vulnerabilities were unintentionally introduced.
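The threshold-tuning recommendation above, as an added illustration that is not part of the original case study or of any Azure product: the block derives a per-client limit from a constructed baseline of normal traffic (the "lowest value that maintains normal traffic flow" rule, with an assumed 1.5x headroom factor), then runs a toy fixed-window limiter against a constructed single-bot burst to show how a tuned limit blocks the excess while an over-generous limit blocks nothing. All client addresses, rates and the headroom policy are constructed assumptions.

```python
from collections import Counter, defaultdict
from math import ceil

WINDOW = 60  # seconds; fixed evaluation window used by this toy limiter

def per_client_peak_rates(requests, window=WINDOW):
    """Map each client to the most requests it made in any single window.
    requests: iterable of (timestamp_seconds, client_id)."""
    counts = Counter((client, ts // window) for ts, client in requests)
    peaks = defaultdict(int)
    for (client, _), n in counts.items():
        peaks[client] = max(peaks[client], n)
    return dict(peaks)

def derive_threshold(baseline, headroom=1.5, window=WINDOW):
    """Lowest limit that keeps every observed legitimate client under it,
    times a headroom factor for normal variation (assumed policy, not Azure's)."""
    return ceil(max(per_client_peak_rates(baseline, window).values()) * headroom)

def apply_rate_limit(requests, threshold, window=WINDOW):
    """Fixed-window limiter: split requests into (allowed, blocked) lists."""
    seen, allowed, blocked = Counter(), [], []
    for ts, client in sorted(requests):
        key = (client, ts // window)
        seen[key] += 1
        (allowed if seen[key] <= threshold else blocked).append((ts, client))
    return allowed, blocked

def constructed_baseline():
    """Constructed normal traffic: five clients at 6-30 req/min over 5 minutes."""
    reqs = []
    for i, per_min in enumerate([6, 10, 12, 20, 30]):
        client = f"10.0.0.{i + 1}"
        for minute in range(5):
            reqs += [(minute * 60 + k * (60 // per_min), client) for k in range(per_min)]
    return reqs

def constructed_attack():
    """Constructed window: one bot sends 200 requests in a minute while a
    legitimate client keeps its usual 30 req/min."""
    flood = [(300 + k * 60 // 200, "203.0.113.9") for k in range(200)]
    legit = [(300 + k * 2, "10.0.0.5") for k in range(30)]
    return flood + legit

if __name__ == "__main__":
    limit = derive_threshold(constructed_baseline())
    for thr in (limit, 1000):  # tuned limit vs. an over-generous one
        _, blocked = apply_rate_limit(constructed_attack(), thr)
        print(f"threshold={thr}: blocked {len(blocked)} requests")
```

In a real review the baseline would come from weeks of API Management or WAF logs rather than a handful of constructed clients, and the headroom factor would be chosen per API.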
