azure firewall
31 Topics

New Blog | Configuration of Size Enforcement and Inspection Limits in Application Gateway WAF
By Andrew Mathu

Introduction

In the constantly changing world of cybersecurity, both flexibility and effective security are essential for safeguarding applications. To meet these needs, Microsoft Azure recently released, in General Availability, the independent configuration of size enforcement limits and inspection limits in Web Application Firewall (WAF) integrated in Application Gateway v2. This update also allows users to disable size limits for both request body and file uploads without affecting request body inspections. This enhancement will enable users to fine-tune these settings, providing the ability to balance their application security needs against request size requirements. In this blog, we explore this innovative new feature, covering its key aspects and capabilities.

Read the full post here: Independent Configuration of Size Enforcement and Inspection Limits in Application Gateway WAF

New Blog | Private IP DNAT Support and Scenarios with Azure Firewall
By Gustavo Modena

Introduction

Azure Firewall is a cloud native security service to protect your workloads running in Azure. It is a stateful firewall as a service with built-in high availability and auto scale. Azure Firewall supports three rule types: DNAT, Network and Application rules. In this blog, we will talk about enhancements to the DNAT rules. Up until recently, DNAT rules were only supported on the Firewall Public IP addresses, mostly used for incoming traffic. In this release, we have enhanced the DNAT scenario to support port translation on Azure Private IP (VIP). This capability helps with connectivity between overlapped IP networks, which is a common scenario for enterprises when onboarding new partners to their network or merging with new acquisitions. DNAT on Private IP is also relevant for hybrid scenarios (connecting on-premises datacenters to Azure), where DNAT bridges the gap, enabling communication between private resources over non-routable IP addresses.

Read the full post here: Private IP DNAT Support and Scenarios with Azure Firewall

New Blog | Azure Firewall Protection Against Apache Struts Vulnerability - CVE-2023-50164
By Andrew Mathu

Introduction

Vulnerabilities and zero-day exploits continue to be a serious threat to systems worldwide. One such vulnerability is CVE-2023-50164, a critical issue in Apache Struts that can lead to critical security breaches if not properly mitigated. Protecting your systems from such vulnerabilities is paramount to prevent unauthorized access and data loss. Azure Firewall Premium provides a robust solution to safeguard your infrastructure against such threats. This blog post will explore the CVE-2023-50164 vulnerability and demonstrate how Azure Firewall Premium can effectively prevent this attack.

Read the full post here: Azure Firewall Protection Against Apache Struts Vulnerability - CVE-2023-50164

New Blog | Loop DDoS Attacks: Understanding the Threat and Azure's Defense
By Amir Dahan

In the realm of cybersecurity, Distributed Denial-of-Service (DDoS) attacks are a significant concern. The recent holiday season has unveiled a complex and evolving threat landscape, marked by sophisticated tactics and diversification. From botnet delivery via misconfigured Docker API endpoints to the NKAbuse malware's exploitation of blockchain technology for DDoS attacks, the tactics and scale of these attacks have shown significant sophistication and diversification. Understanding and staying abreast of recent DDoS trends and attack vectors is crucial for maintaining robust network security and ensuring the availability of services. One such example is the recent HTTP/2 Rapid Reset Attack, where Microsoft promptly provided fixes and recommendations to safeguard web applications. This vulnerability exploits the HTTP/2 protocol, allowing attackers to disrupt server connections by rapidly opening and closing connection streams. This can lead to denial of service (DoS) conditions, severely impacting the availability of critical services and potentially leading to significant downtime and financial losses. Another example we wrote about was reflected TCP attack vectors that recently emerged in ways that were not believed possible before. By closely monitoring these emerging threats, security professionals can develop and implement timely and effective countermeasures to protect their networks. This proactive approach is essential for anticipating potential vulnerabilities and mitigating risks before they can be exploited by malicious actors. Furthermore, understanding the evolving landscape of DDoS attacks enables the development of more resilient security architectures and the enhancement of existing defense mechanisms, ensuring that networks remain secure against both current and future threats. In this blog, we focus on the newly revealed Application Loop DDoS attack vector.

Microsoft hasn't witnessed this vulnerability translated to actual DDoS attacks yet. However, we believe it's important to highlight the threat landscape we see in Azure for UDP reflected attacks, as they present a prevalent attack vector with a similar base pattern to Loop attacks. We then discuss what protection strategies Microsoft employs to protect the Azure platform, our online services, and customers from newly emerging threats.

The Emergence of Loop DDoS Attacks

The Loop attack vulnerability was disclosed last month by CISPA. The attack exploits application-layer protocols relying on User Datagram Protocol (UDP). CISPA researchers found ~300,000 application servers that may be vulnerable to this attack vector. The published advisory describes Loop attacks as a sophisticated DDoS vector, exploiting the interaction between application servers to create a never-ending (hence the term Loop) cycle of communication that can severely degrade or completely halt their functionality. This attack method uses spoofed attack sources to create a situation where two or more application servers get stuck in a continuous loop of messages, usually error responses, because each server is programmed to react to incoming error messages with an error message. Amongst the vulnerable applications, TFTP, DNS, NTP as well as legacy protocols, such as Echo, Chargen, QOTD, are at risk. The researchers provided a practical example of this, when two DNS resolvers automatically reply to error messages with their own errors. An attacker can start a loop by sending one fake spoofed DNS error to one resolver. This makes it send an error to the spoofed resolver, which does the same, creating an endless cycle of errors between them. This wastes the DNS servers' resources and fills up the network links between them, with the potential to cause serious problems in service and network quality.

Depending on the exact attack topology, Loop attacks may generate excessive amounts of traffic like other volumetric DDoS floods (e.g. DNS reflected amplified attacks).

How Loop DDoS differs from other volumetric DDoS attacks

The Loop attack is a kind of DDoS attack vector that targets applications and may manifest as a large-scale flood at the network layer as well. The cause is that attackers can set up multiple attack loops among multiple servers in a network or across networks in the peering links, overwhelming the servers and networks with traffic floods. Like UDP reflected attacks, Loop attacks use a basic UDP weakness: the possibility to fake a source IP address to initiate the attack Loop. One of the most common attack vectors nowadays is the reflected UDP-based flood. It's similar to the Loop attack in that the malicious actor sends spoofed-source packets to an application server that replies to the spoofed IP, i.e. the victim. By generating many of these requests to an application server, the victim gets many responses they didn't ask for. The impact of the reflected attack may be significantly more disastrous if the attacked application generates more traffic in response than it receives in the request. When this happens, it becomes a reflected amplified attack. Amplification is the secret sauce of why these attacks are dangerous. The Loop attack differs from reflected amplified attacks in that the response may not necessarily be amplified. That is, for each spoofed packet sent to the application server, there may be a single response. However, Loop attacks are way more dangerous when the victim server that gets the response replies with its own response, which in turn is answered with another response in a loop that never ceases. For the malicious actor, it takes only a single well-crafted packet to create a Loop attack.

If the attack is sent between multiple application servers, it becomes a volumetric DDoS flood that may risk not only the application, but also the underlying networks. Another interesting difference between reflected amplified UDP attacks and the Loop attack is that with the Loop attack the malicious actor doesn't control the attack lifecycle. Once the first packet is generated the Loop starts, and there's no way for the attacker to stop it.

Reflected Amplified Attack Landscape in Azure

Since reflected amplified UDP attacks are similar to Loop attacks in their basic reflection pattern and their volumetric nature, we provide the recent reflected attack landscape in Azure. As we see in the figure, UDP reflected amplification attacks account for 7% of all attacks in the first quarter of 2024.

[Figure 1 - distribution of main attack vectors in Azure, January-March 2024]

Read the full post here: Loop DDoS Attacks: Understanding the Threat and Azure's Defense

New Blog | Part 2 - Managing Azure Firewall Network Rules with Illumination
Written in collaboration between @andrewmathu and @gusmodena

Introduction

The second tutorial in this 2-part blog series about Illumio for Microsoft Azure Firewall is going to explore how to use Illumination to visualize and manage the network traffic and security policies of your environment. Illumination provides a unique new way to reveal the traffic flows in your network and to help you configure policies to secure your applications. Before you deep dive into this blog post, it is recommended that you read part 1 of the blog series: Part 1 - Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall - Micr...

Read the full blog here: Part 2 - Managing Azure Firewall Network Rules with Illumination - Microsoft Community Hub

SEP 26, 2023 | Ask-Me-Anything | Azure Firewall, Azure WAF and Azure DDoS
UPDATED, post-AMA: Here is the AMA recording in case you missed the live session.

*************************************************************

Please join us in this Ask Me Anything session with the Azure Network Security CxE PM team. During this session, the Azure Network Security SMEs (Subject Matter Experts) will answer your questions on Azure Firewall, Azure Firewall Manager, Azure Web Application Firewall and Azure DDoS. This will be a great forum for our Public Community members to learn, interact and have their feedback listened to by the Azure Network Security team. Feel free to post your questions about Azure Network Security solution areas anytime in the comments before the event starts. The team will be answering questions during the live session, with priority given to the pre-submitted questions from the comments below. If you are new to Microsoft Tech-Community, please follow the sign-in instructions. To register for the upcoming live AMA Sep 26, 2023, visit aka.ms/SecurityCommunity.

Mohit_Kumar andrewmathu SaleemBseeu davidfrazee ShabazShaik tobiotolorin gusmodena

New Blog | Intrusion Detection and Prevention System (IDPS) Based on Signatures
An Intrusion Detection and Prevention System (IDPS) is a vital component of modern cybersecurity strategy, designed to safeguard networks by actively monitoring and responding to potential security threats. Among the types of IDPS currently available, such as signature-based and anomaly-based, signature-based IDPS stands out as a reliable and efficient method for identifying known security risks. This blog delves into signature-based IDPS, with a specific focus on the Azure Firewall Premium IDPS.

Read the full blog post here: Intrusion Detection and Prevention System (IDPS) Based on Signatures - Microsoft Community Hub

New Blog | Azure Firewall: New Features and Region Availability
With the increasing demand for cloud capabilities, we are continuing to observe new firewall use cases and deployment scenarios, and we are incredibly thankful for all the feedback that we have received. With today's announcement, our goal is to continue to help IT administrators achieve their firewall goals efficiently and effectively. We are thrilled to announce a new set of releases that allows you to cater to your application needs, learn your network routes for determining SNAT behavior, migrate between SKUs with a single click, and introduce a new region.

Read the full update here: Azure Firewall: New Features and Region Availability - Microsoft Community Hub

New Blog | Enhancing Your Azure Security: Azure DDoS Sentinel Solution and WAF Playbook Integration
In today's digital landscape, the rise of complex cyber threats poses a significant challenge for businesses relying on cloud-based services. Specifically, Distributed Denial of Service (DDoS) attacks are now often being used as a diversion in multi-layer attacks. To safeguard their applications and ensure uninterrupted service availability, organizations must deploy robust security solutions. Microsoft Azure offers powerful security solutions (Azure DDoS Protection, Azure Web Application Firewall (WAF) and Microsoft Sentinel) to help you proactively defend your assets against such attacks. In this blog, we will explore how to integrate the Azure DDoS Sentinel Solution with the Azure WAF Playbook to enable a powerful automated detection and response system. By combining these two solutions, you can ensure a secure and uninterrupted experience for users, protect your services, and minimize the risk of DDoS attacks.

Read the full blog: Enhancing Your Azure Security: Azure DDoS Sentinel Solution and WAF Playbook Integration - Microsoft Community Hub