Microsoft has confirmed that the disruptions to its cloud services and applications earlier this month were caused by massive distributed denial-of-service (DDoS) attacks. The software giant began investigating the outages in early June after users reported issues with Microsoft 365, Azure, and OneDrive services. In a blog post on Friday, Microsoft stated that the attacks were carried out by a threat actor tracked as Storm-1359 and described the campaign as a disruption and publicity effort.
Fortunately, the investigation into the disruptions concluded that there was no evidence of customer data being accessed or compromised. However, Microsoft did recommend that customers apply specific mitigations to protect themselves from future layer 7 DDoS attacks. One such mitigation is the use of Azure Web Application Firewall (WAF).
The blog post explained that the recent DDoS activity focused on attacking layer 7, as opposed to the more common layer 3 or 4 attacks. In response to this, Microsoft has enhanced its layer 7 protections, including optimizing Azure WAF to better safeguard customers from similar attacks. The company emphasized that it continually reviews the performance of its hardening capabilities and incorporates any lessons learned to further improve their effectiveness.
The blog post shed light on the methods used by Storm-1359. The threat actor employed botnets and tools to launch three types of layer 7 DDoS attacks. These included cache bypass attacks, which aim to bypass content delivery network (CDN) protections; slowloris attacks, where a threat actor opens multiple connections to a web server with partial HTTP requests; and HTTP(S) flood attacks, which inundate a web server with an overwhelming volume of requests from diverse devices across various regions and IP addresses.
These attacks primarily target the memory and backend components of the affected systems, causing traffic slowdowns and ultimately triggering outages. Based on their investigation, Microsoft determined that Storm-1359 relied on multiple virtual private servers, rented cloud infrastructure, open proxies, and DDoS tools to carry out the attacks. This combination of resources resulted in prolonged disruptions for Microsoft’s customers.
The disruptions first came to light on June 5 when multiple Microsoft Twitter accounts, including Microsoft 365 Status and Microsoft Outlook, confirmed that investigations into service disruptions had commenced. Over the next two days, a series of tweets provided updates on the situation, with the company implementing mitigations to resolve the disruptions. However, these measures only offered temporary relief, as customers continued to experience issues for several days.
To prevent future attacks, Microsoft advised customers to use Azure WAF and enable the bot protection managed ruleset. They also recommended blocking IP addresses and address ranges identified as malicious and directing web traffic from outside defined geographic regions to either be blocked, rate-limited, or redirected to a static web page.
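As an added illustration of the two log-visible attack types described above (HTTP(S) floods and cache bypass) and of the mitigation guidance just listed, the following Python is example code written for this page; it is not Microsoft's code and not part of Azure WAF. It parses a constructed web access log, flags clients that exceed a per-window request rate or that fetch cacheable static assets with a fresh query string on every request, and then maps each client onto the article's recommendations: block identified attackers, rate-limit traffic from outside the allowed regions, allow the rest. The log format, thresholds, IP addresses, and the client-to-region table are all assumptions made for the example (real deployments would use a GeoIP source and tune the thresholds to their own baseline). Slowloris is deliberately not covered, since it shows up in connection-level telemetry rather than in completed-request access logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Log line shape assumed by this example (a simplified common log format):
#   <client ip> [<timestamp>] "<method> <path> <protocol>" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
CACHEABLE_EXT = (".js", ".css", ".png", ".jpg", ".woff2")  # assumed set of cacheable assets


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    parts = urlsplit(rec.pop("target"))
    rec["path"], rec["query"] = parts.path, parts.query
    return rec


def build_sample_log():
    """Constructed sample traffic (not real data): one flooding client, one
    cache-busting client, one in-region ordinary client, one out-of-region one."""
    base = datetime(2023, 6, 5, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, offset_s, target):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        lines.append(f'{ip} [{ts}] "GET {target} HTTP/1.1" 200')

    for i in range(150):                      # 150 requests in 30 s from one IP
        add("203.0.113.10", i * 0.2, "/api/search?q=test")
    for i in range(40):                       # same static file, unique query string each time
        add("198.51.100.7", i * 1.0, f"/static/app.js?cb={i:08x}")
    for i in range(5):                        # ordinary client, stable versioned asset URL
        add("192.0.2.5", i * 10.0, "/static/app.js?v=1")
    for i in range(3):                        # ordinary client located outside the allowed regions
        add("192.0.2.9", i * 10.0, "/index.html")
    return lines


def detect_flood(records, window_s=60, threshold=100):
    """Flag IPs sending at least `threshold` requests inside any `window_s`-second span.
    Returns {ip: peak request count in a window}."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):           # sliding window over sorted timestamps
            while t - times[start] > timedelta(seconds=window_s):
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def detect_cache_bypass(records, min_requests=20, min_unique_ratio=0.9):
    """Flag IPs that fetch a cacheable path with an (almost) never-repeating query
    string, the pattern that forces cache misses and pushes load onto the origin."""
    per_ip = defaultdict(lambda: defaultdict(list))
    for r in records:
        if r["path"].endswith(CACHEABLE_EXT):
            per_ip[r["ip"]][r["path"]].append(r["query"])
    flagged = {}
    for ip, paths in per_ip.items():
        for path, queries in paths.items():
            unique_ratio = len(set(queries)) / len(queries)
            if len(queries) >= min_requests and unique_ratio >= min_unique_ratio:
                flagged.setdefault(ip, []).append(path)
    return flagged


def analyze(lines):
    """Run both detectors over raw log lines, skipping unparseable ones."""
    records = [r for r in map(parse_line, lines) if r]
    return {"flood": detect_flood(records), "cache_bypass": detect_cache_bypass(records)}


# Constructed client-to-region table standing in for a GeoIP lookup (assumption).
REGION_OF = {"203.0.113.10": "XX", "198.51.100.7": "XX", "192.0.2.5": "US", "192.0.2.9": "FR"}
ALLOWED_REGIONS = {"US"}


def recommend_action(ip, findings, region_of=REGION_OF, allowed=ALLOWED_REGIONS):
    """Apply the article's guidance: block identified attackers, rate-limit
    traffic from outside the defined regions, allow everything else."""
    if ip in findings["flood"] or ip in findings["cache_bypass"]:
        return "block"
    if region_of.get(ip, "unknown") not in allowed:
        return "rate-limit"
    return "allow"


if __name__ == "__main__":
    sample = build_sample_log()
    findings = analyze(sample)
    for client in sorted({parse_line(line)["ip"] for line in sample}):
        print(f"{client:15} -> {recommend_action(client, findings)}")
```

The flood detector uses a sliding window rather than fixed buckets so a burst straddling a minute boundary is still counted; the cache-bypass detector keys on the ratio of distinct query strings to requests, which separates deliberate cache busting from a legitimate versioned asset URL such as `?v=1`. In production the "block" and "rate-limit" outcomes would feed the WAF's custom rules rather than being printed.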
Microsoft is not the first high-profile vendor to suffer from powerful layer 7 DDoS attacks. In August 2022, Google Cloud announced that it had successfully blocked “the largest layer 7 DDoS attack at 46 million rps” targeted at an undisclosed Google Cloud Armor customer. Google highlighted an increasing frequency of DDoS attacks in recent years.
These attacks on Microsoft and other prominent tech companies underscore the ongoing threat posed by DDoS attacks and the need for robust security measures. Companies must remain vigilant, continually assess their defenses, and invest in technologies that can effectively mitigate these types of attacks. As the threat landscape evolves, it is crucial for organizations to stay one step ahead to protect their networks and data from malicious actors.
