Monday, 19 June 2023 10:12

Microsoft Says June Azure Outages Caused by Coordinated DDoS Attack

Written by

Reading time is around minutes.

According to a statement that Microsoft released on Friday, several outrages in their Azure environment were caused by a large-scale Distributed Denial of Service attack. The attack began in early June 2023 when “surges in traffic” began causing availability impacts. Microsoft began an investigation into the incident and are now tracking a potentially new threat group (Storm-1359). The new group is using a somewhat different attack vector although most of the moving parts behind the attack are common.

According to Microsoft, Storm-1359 targeted Layer 7 of the OSI model (The Application Layer) rather than the more commonly targeted layer 4 (Transport) or Layer 3 (Network). As of this article, there is no evidence of any data theft or other indications of compromise on the services. It is not uncommon for an attacker to use a service disruption attack to hide more invasive operations so the lack of any additional IOC could indicate that disruption was the goal of the group in this instance. It does not mean that the group’s tactics will not change in the future though.

Storm-1359, like many disruption campaigns, appears to use a network of bots and compromised VPS (Virtual Private Servers) systems combined with open proxies. Nothing all that crazy in the world of DDoS campaigns making it an easy assumption for Microsoft to make at this stage. The types of attack used in this campaign were HTTP(S) Flood, Cache Bypass, and Slowloris. Each one of these types of attacks aims to overload the capacity of the servers hosting the service via different mechanisms. HTTP(S) Flood attacks send massive number of TLS/SSL handshake requests along with other HTTP(S) traffic to overload compute resources. Cache Bypass forces the server to ignore cached content send the data directly from the origin server again trying to exhaust compute resources. Slowloris tries to exhaust memory by requesting something from the server/service and either ignoring the request or accepting so slowly that is forces the server to keep the request in memory longer than needed.

DDoS attacks can be complicated to protect against when layer 3 or 4 are the target. It often becomes an arms race of resources and how quickly your equipment can identify and discard bad traffic. With a layer 7 attack the same applies just from a different angle. The use of properly configured Web Application Firewalls (with a decent reserve of compute power) can identify and limit incoming attacks like th ones used by Storm-1359. Rate limiting HTTP/HTTPS request, Botnet protections, Geo Fencing are all examples of good practices to limit the impact of this type of attack. For those that do not have an internal infrastructure (all cloud based), most cloud services do have a WAF option available. There are also several third party WAF resources available that can protect against DDoS and other front door attacks.
Stay Safe out there.

Read 833 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.