CyberSecurity SEE

Azure DDoS Attack Exacerbated by Cyber-Defense Oversight

Microsoft faced a significant disruption to its Azure cloud services due to a distributed denial-of-service (DDoS) attack that lasted nearly eight hours. The attack impacted various Azure offerings, including Azure App Services, Azure IoT Central, Application Insights, Log Search Alerts, and Azure Policy, as well as a subset of Microsoft 365 and Microsoft Purview data-protection services. The disruption began at around 7:45 a.m. ET and lasted until 3:43 p.m. ET, affecting the main Azure portal and causing service errors, timeouts, and latency increases.

In an event summary, Microsoft attributed the DDoS attack to an “unexpected usage spike” that caused Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components to underperform. The company acknowledged that while the initial trigger was a DDoS attack that activated their DDoS protection mechanisms, an error in the implementation of their defenses exacerbated the impact of the attack rather than mitigating it.

Microsoft has initiated an internal retrospective to delve deeper into the incident and plans to publish a Preliminary Post Incident Review (PIR) within 72 hours to provide further details on the event and their response. The company did not specify the exact mistake that amplified the DDoS attack, but it mentioned that network configuration changes made to support DDoS mitigation efforts may have led to unexpected side effects. The updated approach was initially rolled out in the Asia-Pacific region and Europe before being deployed in the Americas after successful validation.

Rody Quinlan, a staff research engineer at Tenable, highlighted various ways in which organizations can inadvertently worsen DDoS attacks through implementation errors. These errors include misconfigured rate limiting, inefficient load balancing, firewall misconfigurations, aggressive security rules, inadequate resource scaling, incorrect traffic filtering, and reliance on single points of failure. Such mistakes can block legitimate traffic, overload servers, bottleneck firewalls, and disrupt critical services.

The incident serves as a reminder of the ongoing threat posed by DDoS attacks, with a Cloudflare report citing a significant increase in network-layer DDoS attacks. These attacks have targeted retail, shipping, and public relations websites, particularly around seasonal shopping events like Black Friday. Some attacks are driven by groups looking to convey specific messages or political stances, reflecting the evolving nature of DDoS threats amidst geopolitical tensions.

According to Donny Chong, director at DDoS security vendor Nexusguard, DDoS attacks are becoming larger in size but shorter in duration, with attackers adopting a “smash and grab” approach. Attack sizes have increased significantly, while the average duration of attacks has decreased, indicating a shift towards more efficient disruption tactics. Mitigating DDoS disruption requires real-time traffic analysis, scalable cloud infrastructure, redundant systems, intelligent load balancing, proper rate limiting, and collaboration with internet service providers and security providers to enhance detection and mitigation capabilities.
