Enable and use the latest HTTP DDoS Ruleset
Implementation Effort: Low
User Impact: Low
Overview
Application-layer (HTTP) distributed denial-of-service (DDoS) attacks are one of the most common causes of application outages. Unlike volumetric network-layer attacks, HTTP DDoS attacks often use valid-looking requests that closely resemble normal user behavior, making them difficult to mitigate using static controls such as IP blocking or fixed rate limits.
The Microsoft HTTP DDoS ruleset is an adaptive, application-layer protection capability built into Azure Web Application Firewall (WAF). It continuously learns normal traffic patterns for each protected application and automatically detects and mitigates abnormal request surges with minimal configuration. By enabling the HTTP DDoS ruleset, organizations can significantly improve application resilience while aligning with Zero Trust principles of assume breach and continuous verification.
Once enabled on a WAF policy, the HTTP DDoS ruleset observes inbound traffic to learn normal request rates for each protected resource. This learning phase establishes both global request thresholds and per-client baselines.
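To make the difference between learned baselines and a fixed rate limit concrete, the following Python sketch is an added illustration and is not Microsoft's implementation, whose algorithm this page does not describe. The window size, the mean-plus-deviation formula, the rule that per-client checks apply only when the global threshold is exceeded, and all sample traffic are assumptions constructed for the example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

WINDOW = 10         # seconds per counting window (assumed value)
K = 3.0             # tolerated standard deviations above the learned mean (assumed)
CLIENT_FLOOR = 5.0  # lowest per-client limit, so quiet clients are not flagged (assumed)

def window_counts(events):
    """Group (timestamp_seconds, client_ip) events into per-window request counters."""
    out = defaultdict(Counter)
    for ts, client in events:
        out[int(ts // WINDOW)][client] += 1
    return out

def limit(samples, floor=0.0):
    return max(floor, mean(samples) + K * pstdev(samples))

def learn(events):
    """Learning phase: derive a global threshold and a baseline per client."""
    windows = list(window_counts(events).values())
    per_client = defaultdict(list)
    for counts in windows:
        for client, n in counts.items():
            per_client[client].append(n)
    every = [n for s in per_client.values() for n in s]
    return {"global": limit([sum(c.values()) for c in windows]),
            "clients": {c: limit(s, CLIENT_FLOOR) for c, s in per_client.items()},
            "unseen": limit(every, CLIENT_FLOOR)}  # for clients not seen while learning

def evaluate(baseline, events):
    """Flag clients above their own baseline, only in windows that exceed the
    global threshold (this gating is an assumption of the sketch)."""
    flagged = set()
    for counts in window_counts(events).values():
        if sum(counts.values()) <= baseline["global"]:
            continue
        for client, n in counts.items():
            if n > baseline["clients"].get(client, baseline["unseen"]):
                flagged.add(client)
    return sorted(flagged)

def fixed_limit(events, per_window):
    """Static control for comparison: one per-client cap for everyone."""
    return sorted({c for w in window_counts(events).values()
                   for c, n in w.items() if n > per_window})

def make_events(windows):
    """Constructed sample traffic: one {client: request_count} dict per window."""
    return [(i * WINDOW + j * WINDOW / n, c)
            for i, w in enumerate(windows) for c, n in w.items() for j in range(n)]

# Constructed data (documentation address ranges): a light client and a busy API client.
LIGHT, BUSY, NEW = "203.0.113.10", "203.0.113.20", "198.51.100.7"
TRAINING = make_events([{LIGHT: a, BUSY: b}
                        for a, b in zip([3, 4, 5, 4, 3, 5], [18, 20, 22, 20, 19, 21])])
SURGE = make_events([{LIGHT: 4, BUSY: 21, NEW: 60}])
BASELINE = learn(TRAINING)
```

On the constructed surge window, `evaluate(BASELINE, SURGE)` flags only the new high-rate client, while `fixed_limit(SURGE, 10)` also flags the busy but legitimate API client.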