September 25, 2024

Microsoft says June Azure, Outlook outages were caused by DDoS attack


In early June, many users reported on Twitter that Outlook was down; the outage affected around 18,000 users. After the complaints, Microsoft opened an investigation and has now revealed that the surge in traffic that impacted the availability of some of its services was a Distributed Denial-of-Service (DDoS) attack.

Microsoft confirmed the attack in a blog and shared some technical information and suggestions for preventing such attacks in the future.

Microsoft has identified the threat actor as Storm-1359, who used multiple virtual private servers (VPS), rented cloud infrastructure, open proxies, and DDoS tools to target some Microsoft services and impact their availability.

The attack targeted layer 7 (the application layer) rather than layer 3 or 4, and the company has claimed that no “customer data has been accessed or compromised.” In addition, Microsoft has said that it has hardened its layer 7 protections, including tuning Azure Web Application Firewall (WAF), to better protect customers from similar attacks in the future.

The company has provided some technical details about the types of layer 7 DDoS attack traffic that Storm-1359 used, such as HTTP(S) flood attack, cache bypass, and slowloris.

Technical details

An HTTP(S) flood attack aims to exhaust system resources with a high load of SSL/TLS handshakes and HTTP(S) request processing. Cache bypass attempts to get around the CDN layer so that requests reach the origin servers directly, which can overload them. In a slowloris attack, the client opens a connection to a web server, requests a resource (e.g., an image), and then fails to acknowledge the download. This forces the web server to keep the connection open and the requested resource in memory.

Recommendations

The company has given some recommendations for customers to increase the resilience of their environments to help mitigate similar attacks, such as using layer 7 protection services like Azure WAF, enabling bot protection, blocking malicious IP addresses and geographic regions, and creating custom WAF rules.
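As an added example (not Microsoft's code and not part of the original article), the following Python script applies the three traffic descriptions from the technical details section above and the IP-blocking recommendation here to a handful of constructed access-log lines. It flags sources that behave like an HTTP(S) flood (many requests per second), like cache bypass (the same path hit repeatedly with a never-repeated query string) or like slowloris (requests that sat open for a long time and timed out), and turns the findings into a sorted block list that could feed a WAF custom rule. The log line layout, the addresses (documentation ranges only), the 408-and-long-duration signature for slow connections and every threshold are assumptions made for this example.

```python
"""Triage of layer-7 DDoS traffic types over constructed access-log lines.

Added example, not code from Microsoft or the article. The three checks map to
the traffic types described in the article (HTTP(S) flood, cache bypass,
slowloris) and the output is a list of sources to hand to a WAF block rule.
The log format, sample addresses and every threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Assumed log line layout: "<iso_ts> <client_ip> <method> <path?query> <status> <duration_s>"
# Constructed sample traffic (documentation/test address ranges only):
#   203.0.113.7   - 25 requests inside one second (flood)
#   198.51.100.9  - six hits on one path, each with a fresh query string (cache bypass)
#   192.0.2.33    - four requests that sat open ~60 s and timed out with 408 (slowloris)
#   203.0.113.200 - an ordinary client
SAMPLE_LOG = (
    ["2023-06-05T10:00:01Z 203.0.113.7 GET /index.html 200 0.01"] * 25
    + [f"2023-06-05T10:00:0{i}Z 198.51.100.9 GET /catalog?cb={i * 7919} 200 0.30"
       for i in range(2, 8)]
    + ["2023-06-05T10:01:00Z 192.0.2.33 GET /images/logo.png 408 60.0"] * 4
    + [
        "2023-06-05T10:00:03Z 203.0.113.200 GET /search?q=tls 200 0.05",
        "2023-06-05T10:00:09Z 203.0.113.200 GET /search?q=waf 200 0.04",
        "2023-06-05T10:00:15Z 203.0.113.200 GET /index.html 200 0.01",
    ]
)

# Assumed thresholds; tune them against your own baseline traffic.
FLOOD_RPS = 20             # requests from one source in a single second
BYPASS_MIN_REQUESTS = 5    # requests to one path before judging cache-bypass behaviour
BYPASS_UNIQUE_RATIO = 0.9  # share of those requests carrying a query string seen only once
SLOW_MIN_REQUESTS = 3      # timed-out slow requests per source
SLOW_SECONDS = 30.0        # request duration that counts as "slow"


def parse_line(line):
    """Split one log line into a record; the timestamp becomes an aware datetime."""
    ts, ip, method, target, status, duration = line.split()
    url = urlsplit(target)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip,
        "method": method,
        "path": url.path,
        "query": url.query,
        "status": int(status),
        "duration": float(duration),
    }


def analyse(lines):
    """Return {source_ip: set(of traffic-type tags)} for sources that trip a check."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        tags = set()

        # HTTP(S) flood: peak request count in any one-second bucket.
        per_second = defaultdict(int)
        for r in recs:
            per_second[r["ts"].replace(microsecond=0)] += 1
        if max(per_second.values()) >= FLOOD_RPS:
            tags.add("http_flood")

        # Cache bypass: repeated hits on one path where nearly every request
        # carries a distinct query string, which defeats CDN caching.
        queries_by_path = defaultdict(list)
        for r in recs:
            queries_by_path[r["path"]].append(r["query"])
        for queries in queries_by_path.values():
            if (len(queries) >= BYPASS_MIN_REQUESTS
                    and len(set(queries)) / len(queries) >= BYPASS_UNIQUE_RATIO):
                tags.add("cache_bypass")

        # Slowloris: connections held open until the server gave up (assumed
        # signature: 408 status or a request duration above SLOW_SECONDS).
        slow = [r for r in recs if r["status"] == 408 or r["duration"] >= SLOW_SECONDS]
        if len(slow) >= SLOW_MIN_REQUESTS:
            tags.add("slowloris")

        if tags:
            findings[ip] = tags
    return findings


def block_list(findings):
    """Sorted source addresses to feed into a WAF custom block rule."""
    return sorted(findings)


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip in block_list(result):
        print(ip, ",".join(sorted(result[ip])))
```

The per-source view is deliberate: each of the three checks keys on a different signal (request rate, query-string entropy per path, connection lifetime), so a source that trips several of them is a stronger candidate for an automated block, while a source that trips only the cache-bypass heuristic with a handful of requests deserves a second look before it is added to a rule.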

Microsoft stopped one of the biggest DDoS attacks in history in 2021, which went on for over 10 minutes with traffic peaking at 2.4 Tbps. In 2022, another attack hit 3.47 Tbps. The size of the traffic spikes in the June attack is unknown.

According to Check Point Research (CPR), the global weekly cyber attacks rose by 7 per cent in Q1 2023 versus the same quarter last year, with each organisation facing an average of 1,248 attacks per week.

Globally, in Q1 2023, the education/research sector was hit the hardest with the highest number of attacks, averaging 2,507 per organisation per week, representing a 15 per cent surge from Q1 2022.

The post Microsoft says June Azure, Outlook outages were caused by DDoS attack appeared first on Techlusive.
