Yesterday I noticed some suspicious activity when running netstat | grep http
on my Azure Ubuntu VM:
There were over 60 lines like this:

    tcp        0      0 ser:http    hosted-by.blazing:29248    SYN_RECV
    tcp        0      0 ser:http    hosted-by.blazingf:59438   SYN_RECV
    tcp        0      0 ser:http    8.8.8.8:7057               SYN_RECV
    # [SNIP]
I am guessing this is a SYN flood attack, and given the presence of 8.8.8.8, possibly some IP spoofing? I don't have any DDOS protection from Azure, just a standard Ubuntu VM. I tried a few things:
Uncommented the line net.ipv4.tcp_syncookies=1 in /etc/sysctl.conf and ran sysctl -p, but the above packets continued.
I already have my own iptables script in place, to lock the server down a bit. Whilst checking over this script, I noticed some unrelated lines in /var/log/syslog:
INFO Exception processing GoalState-related files: [ProtocolError] [Wireserver Exception] [HttpError] [HTTP Failed] GET http://168.63.129.16/machine/?comp=goalstate -- IOError timed out -- 6 attempts made
Some investigation into this IP shows that it's part of Azure's infrastructure, so I went ahead and added this to my firewall script, to allow outgoing traffic to this IP on port 80.
Suddenly the earlier SYN traffic stopped.
Is this just chance, or would allowing traffic out to 168.63.129.16 somehow start providing some protection against this attack, even without any DDOS protection enabled through the Azure portal?
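To make the netstat observation in the question measurable, here is an added example (not code from the question or from Azure) that parses netstat -tn style output, counts half-open SYN_RECV connections to the http service per peer host, and flags whether the backlog looks like a flood and whether it comes from a few sources or is spread thinly across many addresses. The sample lines and thresholds are constructed for the example.

```python
from collections import Counter

# Constructed sample in the same shape as the netstat lines in the question;
# the peer hosts and ports are made up for this example.
SAMPLE_NETSTAT = """\
tcp        0      0 ser:http    hosted-by.blazing:29248    SYN_RECV
tcp        0      0 ser:http    hosted-by.blazingf:59438   SYN_RECV
tcp        0      0 ser:http    8.8.8.8:7057               SYN_RECV
tcp        0      0 ser:http    hosted-by.blazing:29310    SYN_RECV
tcp        0      0 ser:http    203.0.113.7:41002          ESTABLISHED
tcp        0      0 ser:ssh     198.51.100.9:51234         ESTABLISHED
"""


def half_open_by_peer(netstat_output, local_service="http"):
    """Count SYN_RECV (half-open) connections to local_service, keyed by peer host."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        # A netstat -t line has at least: proto recv-q send-q local remote state
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        if state != "SYN_RECV" or local.rsplit(":", 1)[-1] != local_service:
            continue
        peer_host = remote.rsplit(":", 1)[0]  # strip the ephemeral source port
        counts[peer_host] += 1
    return counts


def syn_backlog_assessment(netstat_output, total_threshold=50, per_host_threshold=10):
    """Summarise the half-open backlog.

    Many half-open entries from a handful of peers are candidates for per-source
    rate limiting; many entries spread one-per-peer across unrelated addresses
    (a public resolver such as 8.8.8.8 among them) is more consistent with
    spoofed source addresses, where tcp_syncookies is the relevant mitigation.
    """
    counts = half_open_by_peer(netstat_output)
    total = sum(counts.values())
    noisy = sorted(host for host, n in counts.items() if n >= per_host_threshold)
    return {
        "total_half_open": total,
        "distinct_peers": len(counts),
        "suspected_flood": total >= total_threshold,
        "noisy_peers": noisy,
    }
```

Run it against live output with `syn_backlog_assessment(subprocess.check_output(["netstat", "-tn"], text=True))`; the thresholds should be tuned to the server's normal load.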