Microsoft has confirmed that the ongoing outages affecting several of its services were the result of deliberate Layer 7 DDoS attacks. The attacks have been attributed to a threat actor known as Storm-1359, also known as Anonymous Sudan.
According to Microsoft’s investigation and findings, web traffic aimed at specific services started to increase in early June 2023, leading to temporary availability problems. Upon detecting these issues, Microsoft promptly initiated an investigation to monitor the ongoing DDoS attacks.
What distinguishes these attacks is that they target Layer 7 rather than the more commonly targeted Layer 3 or Layer 4. Layer 7 DDoS attacks operate at the application level: they bombard a service with an excessive number of requests until it can no longer handle the load and becomes unresponsive.
To protect its customers against similar DDoS attacks, Microsoft has strengthened its Layer 7 defenses by optimizing the Azure Web Application Firewall (WAF). The change is intended to improve customer protection and prevent disruptions caused by DDoS attacks. Microsoft also found that Storm-1359 used various cloud services and open proxies to launch DDoS attacks through multiple botnets and tools.
The primary objectives of Storm-1359 appear to be causing disruption and attracting public attention. Microsoft's recent report presents an initial analysis that points to DDoS attacks as the potential cause of the Azure outage, citing a significant surge in network traffic.
To address Layer 7 DDoS attack traffic, Microsoft recommends several measures for protecting web applications. These include using Layer 7 protection services such as Azure Web Application Firewall (WAF), enabling bot protection managed rule sets to protect against known bad bots, blocking identified malicious IP addresses and ranges, and blocking unknown and suspicious traffic. Additionally, custom WAF rules should be created to automatically block and limit HTTP or HTTPS attacks with known signatures.
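The layered checks recommended above, sketched as an added example (this is not Microsoft's code and not Azure WAF rule syntax): each request is tested against an IP blocklist, a bad-bot signature, and a per-client sliding-window rate limit. The addresses (documentation ranges), the `ExampleBadBot` marker and the thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed values for illustration only (RFC 5737 documentation ranges).
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BAD_BOT_MARKERS = ("examplebadbot",)   # hypothetical known-bad User-Agent marker
RATE_LIMIT = 5                         # max requests per client per window
WINDOW_SECONDS = 10

def evaluate(requests):
    """Return one (action, reason) decision per request.

    Each request is (timestamp_seconds, client_ip, user_agent), in time order.
    Checks run cheapest-first: blocklist, bot signature, then rate limit.
    """
    recent = defaultdict(deque)        # client_ip -> timestamps inside the window
    decisions = []
    for ts, ip, ua in requests:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in BLOCKED_NETS):
            decisions.append(("block", "ip-blocklist"))
            continue
        if any(marker in ua.lower() for marker in BAD_BOT_MARKERS):
            decisions.append(("block", "bad-bot"))
            continue
        window = recent[ip]
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()           # drop requests that aged out of the window
        window.append(ts)              # blocked requests still count toward the rate
        if len(window) > RATE_LIMIT:
            decisions.append(("block", "rate-limit"))
        else:
            decisions.append(("allow", "ok"))
    return decisions

# Constructed sample traffic: one noisy client, one blocklisted client,
# one bad bot, one normal client, then the noisy client after a quiet period.
SAMPLE = [(t, "198.51.100.7", "Mozilla/5.0") for t in range(8)] + [
    (8, "203.0.113.9", "Mozilla/5.0"),
    (9, "192.0.2.10", "ExampleBadBot/1.0"),
    (9, "192.0.2.20", "Mozilla/5.0"),
    (30, "198.51.100.7", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for req, decision in zip(SAMPLE, evaluate(SAMPLE)):
        print(req, "->", decision)
```

A per-client limit only catches volume from a single source; traffic spread across many proxies or bots, as described above, stays under it, which is why the blocklist and bot-signature checks sit in front of it.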
In conclusion, Microsoft has confirmed that the recent outages were the result of intentional Layer 7 DDoS attacks carried out by Storm-1359. To protect its services and customers, Microsoft has strengthened its Layer 7 defenses and published recommendations for safeguarding web applications against similar attacks. With these measures, Microsoft aims to improve the customer experience and mitigate the impact of potential future DDoS attacks.
