PowerShell script to monitor and protect an Azure VM against Denial of Service attacks


To get started with Azure Powershell see this post.

Public-facing web sites are increasingly exposed to distributed denial of service attacks. This controller script combines a couple of tools/scripts that extract IPs from HTTPErr logs based on request frequency and set/update the Azure VM endpoint Access Control List (ACL). The script is available on the Microsoft Script Center Repository.

The script will:

  • Check if the computer running it has Internet access
  • Open a PS session to the Azure VM
  • Collect a group of web counters
  • Download HTTPErr log files if any
  • Archive those log files to a local folder on the Azure VM
  • Parse the downloaded files, extract IPs, identify those that appear more than $Threshold times
  • Retrieve the VM web Endpoint ACL
  • Update the VM web Endpoint ACL by adding offending IPs
  • Check if a given URL is online

Example:

E:\Install\Scripts\Azure\AZ-MonitorAndRepair.ps1 -SubscriptionName SB01-Subscription -VMName SB01 -AdminName Samb -PwdFile d:\sandbox\Cred.txt -EndPointName HTTP -URL http://mysitehere.com -Verbose

This example runs the script once. This can be used to generate the d:\sandbox\Cred.txt encrypted password file if it does not exist.

[Screenshot Az001: single run of the script]

In this example, 5 HTTPErr log files were found, archived, downloaded, and processed for IPs showing up more than 500 times. The 6th file is the current log file. No IPs were found that showed up more than 500 times, so the ACL was not changed.

If IPs are found that show up more than 500 times (the default $Threshold) in any of the logs, the script updates the VM ACL:

[Screenshot Az002: endpoint ACL updated with offending IPs]
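To make the log-parsing and ACL-update steps listed above concrete, here is an added PowerShell example that is not part of the original post or of the Script Center script. It assumes the HTTPErr format carries a '#Fields:' header naming the 'c-ip' column, uses constructed sample log lines, and its function and parameter names (Get-HttpErrOffender, Merge-DenyRule, -ExcludeIp, -MaxRules) are hypothetical. It goes slightly beyond the post by excluding an allow-list of your own IPs and by only returning rules that are not already in the ACL, so a loop that runs every 5 minutes does not keep adding duplicates.

```powershell
# Added example, not the original script. Constructed data and hypothetical names.

function Get-HttpErrOffender {
    <#
      Parse HTTPErr log lines, count requests per client IP and return the IPs
      seen more than $Threshold times. The c-ip column index is read from the
      '#Fields:' header, so the parser is not tied to one column layout.
    #>
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$Threshold = 500,
        [string[]]$ExcludeIp = @()          # your own monitoring/management IPs
    )
    $ipIndex = -1
    $counts  = @{}
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields  = ($line -replace '^#Fields:\s*', '') -split '\s+'
            $ipIndex = [array]::IndexOf($fields, 'c-ip')
            continue
        }
        # Skip other directives, blank lines, and anything before a header was seen
        if ($ipIndex -lt 0 -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -le $ipIndex) { continue }          # truncated line, skip
        $ip = $parts[$ipIndex]
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) { continue }
        $counts[$ip] = [int]$counts[$ip] + 1
    }
    $counts.GetEnumerator() |
        Where-Object { $_.Value -gt $Threshold -and $_.Key -notin $ExcludeIp } |
        Sort-Object Value -Descending |
        ForEach-Object { [pscustomobject]@{ IP = $_.Key; Hits = $_.Value } }
}

function Merge-DenyRule {
    <#
      Return only the /32 deny subnets not already present in the ACL, capped
      at $MaxRules total (classic endpoint ACLs have a documented rule limit;
      50 is assumed here, verify it for your platform).
    #>
    param(
        [string[]]$ExistingSubnet = @(),
        [string[]]$OffenderIp = @(),
        [int]$MaxRules = 50
    )
    $room = $MaxRules - @($ExistingSubnet).Count
    if ($room -le 0) { Write-Warning "ACL already holds $MaxRules rules; nothing added."; return @() }
    $new = $OffenderIp | Where-Object { $_ } | ForEach-Object { "$_/32" } |
           Where-Object { $_ -notin $ExistingSubnet }
    @($new | Select-Object -First $room)
}

# Constructed sample log: 600 requests from 203.0.113.5, 20 from 198.51.100.7.
$sample = @(
    '#Software: Microsoft HTTP API 2.0',
    '#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename'
)
$sample += 1..600 | ForEach-Object { "2014-05-10 12:00:01 203.0.113.5 $(50000 + $_) 10.0.0.4 80 HTTP/1.1 GET / 503 1 QueueFull DefaultAppPool" }
$sample += 1..20  | ForEach-Object { "2014-05-10 12:00:02 198.51.100.7 $(50000 + $_) 10.0.0.4 80 HTTP/1.1 GET / 400 1 BadRequest -" }

$offenders = Get-HttpErrOffender -Lines $sample -Threshold 500 -ExcludeIp '192.0.2.10'
$offenders | Format-Table -AutoSize

$existing = @('203.0.113.5/32', '198.51.100.200/32')    # pretend current endpoint ACL
$toAdd    = Merge-DenyRule -ExistingSubnet $existing -OffenderIp $offenders.IP
"Rules to add: $($toAdd -join ', ')"
```

In the constructed run, only 203.0.113.5 crosses the 500-request threshold, and because that /32 is already in the pretend ACL, Merge-DenyRule returns nothing to add. The returned subnets are what you would hand to the script's own Azure endpoint ACL update; keep the allow-list populated with the address you run the controller from, since a threshold-based blocker that can deny its own operator is a self-inflicted outage.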

Example:

$RepeatEvery = 300 # seconds
$ScriptPath = 'E:\Install\Scripts\Azure\AZ-MonitorAndRepair.ps1'
$Params = @{
  SubscriptionName = 'SB01-Subscription'
  VMName = 'SB01'
  AdminName = 'Samb'
  PwdFile = 'd:\sandbox\Cred.txt'
  EndPointName = 'HTTP'
  URL = 'http://mysite.com'
  Verbose = $true
}
While ($true) { # Repeat until CTRL-C
  "Start at $(Get-Date)"
  $D = Measure-Command { & $ScriptPath @Params }
  "End at $(Get-Date)"
  " done in $($D.Minutes):$($D.Seconds) mm:ss, waiting for $RepeatEvery seconds"
  Start-Sleep -Seconds $RepeatEvery
}

In this example the script runs every 5 minutes and displays progress on the console screen.

[Screenshot Az003: script looping every 5 minutes on the console]

Example:

$R = 300 # seconds
$ScriptPath = 'E:\Install\Scripts\Azure\AZ-MonitorAndRepair.ps1'
$ScriptLog = "D:\Docs\EG\Azure\Mitigate-DDOS_$(Get-Date -format yyyyMMdd).txt"
$Params = @{
 SubscriptionName = 'SB01-Subscription'
 VMName = 'SB01'
 AdminName = 'Samb'
 PwdFile = 'd:\sandbox\Cred.txt'
 EndPointName = 'HTTP'
 URL = 'http://mysite.com'
 Verbose = $true
}
While ($true) { # Repeat until CTRL-C
 "Start at $(Get-Date)" *>> $ScriptLog
 $D = Measure-Command { & $ScriptPath @Params *>> $ScriptLog }
 "End at $(Get-Date)" *>> $ScriptLog
 " done in $($D.Minutes):$($D.Seconds) mm:ss, waiting for $R seconds" *>> $ScriptLog
 Start-Sleep -Seconds $R
}

This is a similar example: the script runs every 5 minutes and logs all output to the file $ScriptLog.

Example:

$ScriptPath = 'E:\Install\Scripts\Azure\AZ-MonitorAndRepair.ps1'
$ScriptLog = "D:\Docs\EG\Azure\Mitigate-DDOS_$(Get-Date -format yyyyMMdd).txt"
$Params = @{
 SubscriptionName = 'SB01-Subscription'
 VMName = 'SB01'
 AdminName = 'Samb'
 PwdFile = 'd:\sandbox\Cred.txt'
 EndPointName = 'HTTP'
 URL = 'http://mysite.com'
 Verbose = $true
}
"Start at $(Get-Date)" *>> $ScriptLog
$Duration = Measure-Command { & $ScriptPath @Params *>> $ScriptLog }
"End at $(Get-Date)" *>> $ScriptLog
" done in $($Duration.Minutes):$($Duration.Seconds) mm:ss" *>> $ScriptLog

This example runs once and logs all output to the $ScriptLog file.
When saved as E:\Install\Scripts\Mitigate-DDOS4.ps1, for example, this short script can be scheduled to run every 5 minutes:

$a = New-JobTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Seconds 300) -RepetitionDuration ([TimeSpan]::MaxValue)
Register-ScheduledJob -Name DDOS4 -FilePath E:\Install\Scripts\Mitigate-DDOS4.ps1 -Trigger $a
