A Microsoft DDoS Attack and Spiderman

John Davis CEH, Director of Security Consulting, Enterprise IT Security

In the aftermath of the DDoS attack on Microsoft, I can’t help but think of a quote from Spiderman: “What we believe we know may not be the truth.” Probably not the quote you thought we would be using here, but one that seems most relevant to what happened to Microsoft in early June. I don’t know about you, but I was very surprised a DDoS attack caused so much disruption for Microsoft. I mean, wasn’t Microsoft supposed to be almost untouchable for the bad actors? Of course, they get hit with multiple attacks a day, but they can capture and thwart them with their immense and powerful defense systems (think of the Spider-Man web). So, what happened here?

In a blog post on Friday, Microsoft indicated that the early June customer-reported outages in Azure, Microsoft 365, and OneDrive services were caused by a layer 7 (application layer) DDoS attack. It went further and named the perpetrator, Storm-1359, describing the effort as “a disruption and publicity campaign”. Microsoft’s investigation found no evidence that customer data was accessed or compromised.

“This recent DDoS activity targeted layer 7 rather than layer 3 or 4. Microsoft hardened layer 7 protections including tuning Azure Web Application Firewall (WAF) to better protect customers from the impact of similar DDoS attacks,” Microsoft wrote in the blog post. “While these tools and techniques are highly effective at mitigating the majority of disruptions, Microsoft consistently reviews the performance of its hardening capabilities and incorporates learnings into refining and improving their effectiveness.”

The blog post revealed that Storm-1359 used botnets and tools to launch three types of layer 7 DDoS attacks: cache bypass attacks, which sidestep CDN (Content Delivery Network) protections by requesting content the cache cannot serve (for example, a fresh query string on every request) so that each request reaches the origin servers; Slowloris attacks, in which a single system opens many connections to a web server and keeps them open by sending HTTP requests only partially or very slowly, tying up the server’s connection pool; and HTTP(S) flood attacks, which hit the target with a high volume of requests from many devices across many regions and IP addresses.

Attacks like these exhaust the memory, connection pools, and backend components behind the web tier, slowing legitimate traffic and eventually triggering outages. Based on its investigation, Microsoft assessed that the attacks relied on access to multiple virtual private servers combined with rented cloud infrastructure, open proxies, and DDoS tools, causing prolonged disruptions for customers.

If this can happen to the omnipotent big guys, how do we mere mortals protect our networks? Well, there are several ways our Cyber Ninjas at EITS recommend to stay on top of the game:

  • Robust Network Architecture: Implement a well-designed infrastructure with redundancy, load balancing, and failover mechanisms. Distribute incoming traffic across multiple servers or data centers so that no single server or service is overwhelmed during an attack, and so that a struggling node can be taken out of rotation without an outage.
  • Network Segmentation: Isolate critical services from the rest of the network so that an attack on one service (a public login page, for example) cannot consume the resources other services depend on.
  • Traffic Monitoring and Analysis: Employ network monitoring tools and intrusion detection systems (IDS) to identify abnormal traffic patterns and potential DDoS attacks. For layer 7 attacks, watch application-level signals as well as packet and byte counts: request rate per client and per path, the share of requests that miss the cache, and connections that stay open without ever completing a request. Early detection buys the time needed to respond.
  • Scalable Infrastructure: Design the system to scale dynamically to handle sudden spikes in traffic, for example with the auto-scaling capabilities of cloud environments like Azure. Pair scaling with rate limiting and a spending cap; scaling on its own turns a resource-exhaustion attack into a billing problem.
  • DDoS Protection Services: Use dedicated DDoS protection services, including a web application firewall (WAF) for layer 7, which is what Microsoft tuned in response to Storm-1359. These services filter out malicious traffic, detect and block attacks in real time, and protect against known attack vectors. Tune them to the attack types described above: per-client rate limits for HTTP floods, short header and body timeouts with per-IP connection caps for Slowloris, and cache keys that ignore unknown query parameters for cache bypass.
  • Anomaly Detection: Implement anomaly detection algorithms and machine learning techniques to identify unusual behavior patterns in network traffic. Distinguishing legitimate users from attackers allows proactive measures (challenges, rate limits, blocks) to be applied before capacity runs out.
  • Regular Security Audits, Patching and Updates: Conduct regular security audits to identify vulnerabilities, and ensure that all systems, software, firmware, and security tooling are up to date with the latest security patches. This closes known vulnerabilities that attackers could use to amplify an attack or to turn a disruption into a breach.
  • Incident Response Plan: Develop a comprehensive incident response plan that outlines the specific steps to take during a DDoS attack, with clear roles and responsibilities, communication channels (including out-of-band channels that do not depend on the service under attack), and procedures to minimize the impact and restore service quickly. Exercise the plan before you need it.
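The monitoring and anomaly-detection items above only help if you know what the three attack types Microsoft named look like in your own logs. As an added example (not code from Microsoft or EITS), the Python script below parses web-server access-log lines in an assumed nginx-style format that records the request time and upstream cache status, and flags each pattern: cache bypass (one client, one path, a new query string and a cache MISS on nearly every request), Slowloris (many connections from one client that the server times out with 408 after waiting a long time for a complete request), and an HTTP flood (a burst to one path from many distinct source addresses within a single second). The log lines and the thresholds are constructed for the example; the thresholds in particular are assumptions to be tuned against your own traffic baseline.

```python
"""Flag the three layer-7 DDoS patterns named above in web-server access logs.
Added example, not code from Microsoft or EITS.  Assumed nginx-style format:
  $remote_addr - - [$time_local] "$request" $status $request_time $upstream_cache_status
Thresholds are illustrative assumptions; tune them to a real baseline."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<rtime>[\d.]+) (?P<cache>\S+)$'
)


def parse_line(line):
    """Return one log record as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "path": path, "query": query, "status": int(m.group("status")),
            "rtime": float(m.group("rtime")), "cache": m.group("cache")}


def detect_cache_bypass(recs, min_requests=20, min_ratio=0.9):
    """Cache bypass: one client hits one path with a different query string
    almost every time, so the CDN never serves it and every request is an
    origin cache MISS."""
    per = defaultdict(list)
    for r in recs:
        per[(r["ip"], r["path"])].append(r)
    found = []
    for (ip, path), rs in per.items():
        if len(rs) < min_requests:
            continue
        unique_share = len({r["query"] for r in rs}) / len(rs)
        miss_share = sum(r["cache"] == "MISS" for r in rs) / len(rs)
        if unique_share >= min_ratio and miss_share >= min_ratio:
            found.append({"type": "cache_bypass", "ip": ip, "path": path,
                          "requests": len(rs)})
    return found


def detect_slowloris(recs, min_requests=10, min_seconds=30.0):
    """Slowloris: many connections from one client that the server gives up on
    (408 Request Timeout) only after waiting a long time for a full request."""
    timed_out = defaultdict(int)
    for r in recs:
        if r["status"] == 408 and r["rtime"] >= min_seconds:
            timed_out[r["ip"]] += 1
    return [{"type": "slowloris", "ip": ip, "timed_out": n}
            for ip, n in timed_out.items() if n >= min_requests]


def detect_http_flood(recs, min_rps=100, min_ips=50):
    """HTTP flood: a burst to one path inside a single second from many
    distinct source addresses (a per-IP rate limit alone would miss it)."""
    per = defaultdict(list)
    for r in recs:
        per[(r["path"], r["ts"])].append(r["ip"])
    return [{"type": "http_flood", "path": path, "second": ts.isoformat(),
             "requests": len(ips), "distinct_ips": len(set(ips))}
            for (path, ts), ips in per.items()
            if len(ips) >= min_rps and len(set(ips)) >= min_ips]


def analyze(lines):
    """Parse raw log lines and run all three detectors over them."""
    recs = [r for r in map(parse_line, lines) if r]
    return (detect_cache_bypass(recs) + detect_slowloris(recs)
            + detect_http_flood(recs))


def sample_log():
    """Constructed traffic: benign browsing plus one instance of each attack."""
    fmt = ('{ip} - - [20/Jun/2023:10:00:{s:02d} +0000] "GET {t} HTTP/1.1" '
           '{st} {rt:.3f} {c}')
    lines = [fmt.format(ip="203.0.113.7", s=i, t="/index.html", st=200,
                        rt=0.004, c="HIT") for i in range(5)]
    # cache bypass: 40 requests, fresh ?nocache= value each time, all MISS
    lines += [fmt.format(ip="198.51.100.5", s=i % 60, t=f"/catalog?nocache={i}",
                         st=200, rt=0.250, c="MISS") for i in range(40)]
    # slowloris: 30 connections the server timed out after 60 s of waiting
    lines += [fmt.format(ip="198.51.100.9", s=i % 60, t="/", st=408,
                         rt=60.0, c="-") for i in range(30)]
    # HTTP flood: 200 requests to /login from 200 addresses in one second
    lines += [fmt.format(ip=f"192.0.2.{i + 1}", s=7, t="/login", st=200,
                         rt=0.030, c="BYPASS") for i in range(200)]
    return lines
```

Calling `analyze(sample_log())` returns exactly three findings, one per attack, and nothing for the benign client. The cache-bypass and Slowloris checks key on the per-client view while the flood check keys on the per-path view; that split is deliberate, because a flood spread across hundreds of addresses stays under any per-IP threshold, which is why per-client rate limiting on its own is not a complete defense. To use this against real traffic, feed it the tail of the access log (the log_format must include request time and cache status) and raise alerts or WAF rules from the findings.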

It’s important to note that DDoS attacks can be sophisticated, and attackers continually evolve their techniques. We recommend a multi-layered defense strategy that combines these preventive measures; that, together with staying informed about the latest security practices, is crucial for protecting against such attacks.

–  John Davis

Director Cybersecurity Team, EITS

“With great power comes great responsibility.” – Spiderman

The Cyber Ninjas at EITS want to help you realize that you have the power to keep your network, assets, and users safe with an effective security plan and a recovery plan. You have the power to protect your users and customers.