 Azure DDoS Protection Standard protects against man-in-the-middle (MITM) attacks. = No

 Azure DDoS Protection Standard is enabled by default in an Azure subscription. = No

 Azure DDoS Protection Standard protects against protocol attacks. = Yes

Microsoft’s security guidance for Azure states that DDoS Protection is designed to defend internet-facing resources from distributed denial-of-service events at the network and transport layers (L3/L4). The documentation explains that DDoS Protection Standard provides “adaptive, real-time tuning and automatic attack mitigation for volumetric and protocol attacks (for example, SYN/ACK floods, UDP amplification, and other L3/L4 patterns).” It further clarifies that DDoS Protection is not intended to address attacks like man-in-the-middle (MITM), which are interception/alteration threats rather than traffic-exhaustion scenarios.

Regarding enablement, Microsoft notes that Azure DDoS Protection Standard is not enabled by default. The platform provides “basic DDoS protection for all Azure public IP addresses,” but the Standard plan must be explicitly enabled on a virtual network and then applied to public IP resources in that VNet to gain its enhanced telemetry, mitigation policies, and cost-protection benefits.

Putting this together: (1) MITM is out of scope for DDoS Protection Standard → No; (2) Standard is opt-in, not automatic → No; (3) Protection against protocol attacks is a primary capability of the Standard plan → Yes.