Microsoft Confirms Recent Service Outages Caused by DDoS Attack
Microsoft has confirmed that the recent outages on its popular services, including Outlook, Teams, OneDrive, and Azure, were a result of a distributed denial-of-service (DDoS) attack. The company identified the threat actor behind the attack as Storm-1359, also known as Anonymous Sudan. Initially believed to be a hacktivist group protesting an event, Storm-1359 has since been linked to the Russian state.
In a blog post, Microsoft stated that Storm-1359 has access to a collection of botnets and tools that allow them to launch DDoS attacks from multiple cloud services and open proxy infrastructures. The company believes that the attacker's main objective is disruption and publicity.
Unlike typical DDoS attacks that target layers 3 or 4 of the network stack, Storm-1359 focused on the application layer (layer 7). This approach lets the attacker exhaust the application's CPU and memory resources, leaving it overwhelmed and unresponsive.
Within their layer 7 DDoS attacks, Storm-1359 employed several tactics, including HTTP(S) flood attacks, cache bypass attacks, and Slowloris attacks. An HTTP(S) flood attack floods the targeted system with a massive number of distributed HTTP(S) requests and SSL/TLS handshakes. The goal is to overwhelm the application backend's resources, causing it to become unresponsive.
Cache bypass attacks aim to bypass the content delivery network (CDN) layer and overwhelm the origin servers. By sending specific queries with generated URLs, the attacker forces all requests to be forwarded to the origin servers, instead of utilizing cached content.
In a Slowloris attack, the attacker requests a resource from a web server but intentionally delays or fails to acknowledge the download. This forces the web server to keep the connection open and hold the requested resource in memory.
To mitigate the impact of layer 7 DDoS attacks, Microsoft recommends installing a layer 7 web application firewall (WAF) protection service. The Azure WAF, available with Azure Front Door and Azure Application Gateway, can be used to protect web applications by implementing various settings.
Microsoft recommends configuring bot protection for known bad bots, identifying and blocking malicious IP addresses and HTTPS attacks with custom WAF rules, and limiting traffic from specific geographic regions.
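As an added illustration (not code from Microsoft's post or this article), the following Python scores constructed CDN-edge log lines for two of the signatures described above: the cache-bypass footprint (nearly all cache misses on nearly all-distinct query strings) and per-client request bursts of the kind a WAF rate-limit custom rule would cut off. The log format, field names and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
# Constructed sample of CDN-edge access-log lines (not a real capture).
# Fields: client_ip epoch_seconds method path[?query] status cache_state
SAMPLE_LOG = """\
198.51.100.7 1000 GET /index.html 200 HIT
198.51.100.7 1002 GET /news?page=2 200 MISS
203.0.113.9 1000 GET /index.html?x=a1b2c3 200 MISS
203.0.113.9 1000 GET /index.html?x=d4e5f6 200 MISS
203.0.113.9 1000 GET /index.html?x=g7h8i9 200 MISS
203.0.113.9 1000 GET /index.html?x=j1k2l3 200 MISS
203.0.113.9 1000 GET /index.html?x=m4n5o6 200 MISS
"""
LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\d{3}) (HIT|MISS)$")

def parse_log(text):
    """Parse the constructed log format into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, _method, target, _status, cache = m.groups()
            path, _, query = target.partition("?")
            events.append({"ip": ip, "ts": int(ts), "path": path, "query": query, "cache": cache})
    return events

def find_cache_bypass_suspects(events, min_requests=5, miss_ratio=0.9, unique_ratio=0.9):
    """Flag clients whose requests are nearly all cache MISSes on nearly all-distinct URLs:
    the footprint of generated query strings forcing every request through to the origin."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e)
    suspects = {}
    for ip, evs in per_ip.items():
        misses = sum(e["cache"] == "MISS" for e in evs) / len(evs)
        uniq = len({(e["path"], e["query"]) for e in evs}) / len(evs)
        if len(evs) >= min_requests and misses >= miss_ratio and uniq >= unique_ratio:
            suspects[ip] = {"requests": len(evs), "miss_ratio": misses, "unique_ratio": uniq}
    return suspects

def find_rate_burst_suspects(events, window_seconds=1, max_per_window=4):
    """Flag clients exceeding max_per_window requests in any fixed window (a WAF rate-limit threshold)."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["ip"], e["ts"] // window_seconds)] += 1
    worst = defaultdict(int)  # each client's busiest window
    for (ip, _), n in counts.items():
        worst[ip] = max(worst[ip], n)
    return {ip: n for ip, n in worst.items() if n > max_per_window}
```

Both detectors key on the client address; behind shared proxies or the open-proxy infrastructure described above, the same logic can be applied per session or per client fingerprint instead.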
In conclusion, the recent outages experienced by Microsoft services were caused by a DDoS attack carried out by Storm-1359, a threat actor believed to have ties to the Russian state. Their focus on layer 7 attacks distinguishes them from traditional DDoS attacks. To protect against such attacks, Microsoft suggests implementing a layer 7 WAF with the recommended settings. As cyber threats continue to evolve, it is crucial for organizations to remain vigilant and take proactive measures to ensure the security and availability of their services.