Microsoft: Azure DDoS Attack Amplified by Cyber-Defense Error

Microsoft blamed an implementation error for amplifying the impact of a distributed denial-of-service (DDoS) attack yesterday, which ended up disrupting the company's Azure cloud services for nearly eight hours.

The attack affected several Azure offerings, including Azure App Services, Azure IoT Central, Application Insights, Log Search Alerts, and Azure Policy. The disruption, which began at around 7:45 a.m. ET and lasted until 3:43 p.m. ET, also impacted the main Azure portal and a subset of Microsoft 365 and Microsoft Purview data-protection services.

DDoS Cyber-Defense Error Under Investigation

In an event summary yesterday, Microsoft described the DDoS attack as causing an "unexpected usage spike [that] resulted in Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components performing below acceptable thresholds." The spike caused intermittent service errors, timeouts, and sudden latency increases.

More concerningly in some ways, "while the initial trigger event was a DDoS attack, which activated our DDoS protection mechanisms, initial investigations suggest that an error in the implementation of our defenses amplified the impact of the attack rather than mitigating it."

Microsoft has not specifically identified the mistake that exacerbated the DDoS attack. But according to its description of the events of July 30, the initial network configuration changes the company made to support DDoS mitigation efforts may have led to some unexpected "side effects." The company implemented an updated approach that it first rolled out in thbe Asia-Pacific region and Europe, and then deployed in the Americas after validating the approach worked.

"Our team will be completing an internal retrospective to understand the incident in more detail," Microsoft said. "We will publish a Preliminary Post Incident Review (PIR) within approximately 72 hours, to share more details on what happened and how we responded."

Inadvertent Errors in DDoS Mitigation

Rody Quinlan, staff research engineer at Tenable, says there are several ways an organization can mess up a DDoS mitigation effort.

"Organizations can inadvertently amplify cyberattacks through various implementation errors, such as misconfigured rate limiting, inefficient load balancing, firewall misconfigurations, overly aggressive security rules, inadequate resource scaling, incorrect traffic filtering, and dependence on single points of failure," he says. "These errors can lead to blocked legitimate traffic, overloaded servers, bottlenecked firewalls, and critical services being taken offline."

And while Microsoft's initial response might have contributed to its Azure service problems this week, the incident is another reminder of how effective DDoS attacks remain for adversaries looking to disrupt and degrade a target's online presence.

A Cloudflare report earlier this year identified a 117% increase year-over-year in network-layer DDoS attacks. Part of the reason for that is a specific increase in DDoS attacks that targeted retail, shipping, and public relations websites on and around Black Friday and the holiday shopping season in general. However, many of the attacks have also been by groups looking to send out a specific message or convey a particular political stance. Cloudflare, for example, said it has observed a massive increase in DDoS attacks that target Taiwanese, Israeli, and Palestinian sites amid geopolitical tensions in those areas, and attacks on environmental sciences websites.

DDoS Attacks Adopt "Smash & Grab" Tactics

"Trends in DDoS are often cyclical, but currently we’re seeing attacks grow larger in size, and shorter in duration," says Donny Chong, director at DDoS security vendor Nexusguard. "Our most recent data suggests that attack sizes increased by an average of 183% last year, with an average size of 0.80Gbps," he says. At the same time, between 2022 and 2023, the average duration of DDoS attacks dropped to just over 101 minutes. Currently, 81% of DDoS attacks last less than 90 minutes, Chong says.

"Part of this decrease in attack duration is due to attackers becoming more and more efficient when inflicting disruption on business," likely because they are using artificial intelligence (AI) to automate some attacks. But the shorter attack durations are also likely due to mitigation technologies, Chong says. "[Attackers] are finding it increasingly difficult to sustain prolonged disruptions. So, rather than a prolonged siege, it's now more a case of ‘smash and grab,'" he says.

Quinlan says the key to mitigating DDoS disruption is having a real-time traffic analysis capability, scalable cloud infrastructure, redundant systems, and intelligent load balancing to prevent overload. "Proper rate limiting, throttling, and WAFs [Web application firewalls] filtering malicious traffic, and regular software and hardware vulnerability remediation is crucial to protect systems," Quinlan says. "An effective incident-response plan and collaboration with Internet service providers and security providers enhance detection and mitigation capabilities."