Azure DDos Protection
An Azure service that provides defense against distributed denial-of-service (DDoS) attacks.
71 questions
Does Azure block the requests from the URL contains GA's cross domain parameter?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 81%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Seungbin Pang
0
Reputation points
I (Corporate) Use the web payment system providing page/links to users by Azure services, Suddenly, more than hours of 504 error / page not loading incident was occrured, the response of the payment system company was : the URL's parameter contains the GA(Google Analytics)'s cross domain setting info as below (starts with '_ga=2.XX' ), the Azure cloud recognized this request as a DDos Attack to a server and automatically blocked. This explanation of the system company is far from my understanding because, industry uses this GA's cross domain settings for their sales/marketing performance, other inquired entity (CRM) company replied they see this Cross Domain parameter is commonly used in IT. (below attaching the links the Azure sensed as a DDos and blocked consequently (based on the payment system company reply) l Original SG ODP URL; https://donate.rescue.or.kr/ODP/Donate/DonateNow/f0795a6f-4271-42d5-8795-3b6a7a71d69c l Applied SG ODP URL by IRC(with additional parameter padding); https://donate.rescue.or.kr/ODP/Donate/DonateNow/f0795a6f-4271-42d5-8795-3b6a7a71d69c?_ga=2.80950800.683378326.1676084521-1597149275.1676084521&_gl=11i4a2na_gaMTU5NzE0OTI3NS4xNjc2MDg0NTIx_ga_DDZCWB8N2Y*MTY3NjA4NDUyMi4xLjEuMTY3NjA4NDYzOC40LjAuMA
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 26,101 Reputation points Microsoft Employee2023-04-19T21:36:53.42+00:00 @Seungbin Pang Can you please elaborate more on your set-up and provide information on which all Azure Services you are using? Have you set-up a Web Application Firewall or Azure DDOS protection?
-
Seungbin Pang 0 Reputation points
2023-04-20T00:10:38.1433333+00:00 ChaitanyaNaykodi-MSFT thank you, it is sooo much grateful, since I'm a marketer (here's no IT manager...) I post below picture of the incident, have no informations on firewall and protection, but my other IT partner replied this is a rare incident the AZURE, normally it will not block the certain Google analystic applied URLs...there's no or little chance the AZURE activated the DDos protection since the URL's GA parameter because it is commonly used in IT industry. My apologies for not enough information.
-
ChaitanyaNaykodi-MSFT 26,101 Reputation points Microsoft Employee
2023-04-20T02:12:22.3566667+00:00 Hello @Seungbin Pang , Thank you for the quick reply here. Unfortunately, this not enough information to troubleshoot the issue here. I think it will be best to file a support ticket in this case as a support engineer can take a deeper look at your set-up and determine the exact issue. If you have a support plan you may file a support ticket, else could you please send an email to azcommunity@microsoft.com with the below details. Subject : Attn Chaitanya
Thread URL: Link to this thread.
Subscription ID
Please let me know once you have done the same.
-
ChaitanyaNaykodi-MSFT 26,101 Reputation points Microsoft Employee
2023-04-21T22:05:00.1766667+00:00 @Seungbin Pang Just following up here to see if you were able take a look at my comment above. Thank you!
-
Seungbin Pang 0 Reputation points
2023-04-25T06:48:12.2066667+00:00 A. The trigger is the same shared before. We are receiving all of the request see below 8.46k, however all was detected as malform URL.
Sample of one of 8.46k the response code 400
It is a little challenging to extract the logs as we incorporate our logging directly into the Microsoft workbench analytics for most of our entire platform. Q.
Do they know why the page seems to be loading fine with the parameter in place now? Were there additional parameters on the ad we did not know about? A. Yes, it looks fine and no malform URL detected. I believe the Google Analytics will mention this as well. On additional parameters we might not be able to advice as this from two different sites: rescue.org -> rescue.or.kr. Q. Can SG let us know how we can set up the URL differently for the next time we run Naver ads? Should the cross-site scripting be turned off? Should the URL be formed or configured in some different way in the ad platform? A. Usually there is pre-staging not just click on the link but a pre-stage with volume to test the demand capacity. I am not sure if Naver can provide a test run. URL as long it obeys the Internet rules it should be fine. Another we notice is why not use UTM in the link instead? Instagram analytics uses UTM heavily and it is cross site friendly however it has different analytic goals. Yes, cross-site scription should be turned off or it should follow uniform safe cross sites rules. Another is to consider using CloudFlare WAF services as the domain names and the internet routing flow is in your control. Q. Are there other actions SG proposes taking to handle high volumes of traffic? What are the limitations here? Has load testing been performed? A. Currently in actual the platform is able to receive hence why you see the 8.46k transactions coming in but stopped at the Azure level. The site is currently having the same capacity as that of one of our core Products and Services Charitable and SignUp. Regarding Azure DDOS this is something we have seen before. Please understand this is just additional information from our previous experiences. It is more of a response inflammation. It can be also due to WAF is not implemented at the controlling domain name however I do not know enough of the current originating domain setup reference to rescue.or.kr to comment. I no longer have the reference but it is similar to this. https://www.microsoft.com/en-us/security/business/security-101/what-is-a-ddos-attack In our experience we notice that when the Azure DNS is flooded with the what it might think as an attack it will clear the global DNS cache which we also saw thru our internet routing monitoring as the CNAME url was no longer able to request post the 8.46k requests that went thru. We moved to CloudFlare DNS with WAF to allow our own assets to be always contactable at all times and CloudFlare DNS also allows us granular control to not have the global cache emptied or clear or to quickly put back. -
ChaitanyaNaykodi-MSFT 26,101 Reputation points Microsoft Employee
2023-05-05T02:29:11.4433333+00:00 Apologies for the delayed response here. I went through the content you shared above and seems like you are getting a 400 error for your GET /ODP/Donate file and seems like you have enabled a Web Application Firewall in your set-up.
If a request is getting blocked by WAF then this is false positive, and you can go through this doc to fine tune your WAF https://video2.skills-academy.com/en-us/azure/web-application-firewall/afds/waf-front-door-tuning?pivots=front-door-standard-premium
I did not understand the DDOS reference here, it will be helpful if you ask your service provider to post a question here will be helpful. Thank you!
Sign in to comment
Sign in to answer