Microsoft Confirms Recent Cloud Outages Caused By Storm-1359 DDoS Attacks


Earlier this month, Microsoft confirmed a major outage that affected Azure, Outlook, Teams, and other Microsoft 365 services. The company has now acknowledged that the disruption to its services was caused by a distributed denial of service (DDoS) attack.

On June 5th, Microsoft tweeted about an outage that prevented thousands of users from accessing its cloud services. The company later reported that it had detected an unusual spike in network traffic that impacted the Azure cloud computing platform. At the time, a threat actor calling itself Anonymous Sudan claimed responsibility for the attack. Microsoft did not share any technical details at that point and opened a formal investigation into the incident.

In a blog post released on Friday, Microsoft confirmed that the early June outages were triggered by a Layer 7 (application layer) DDoS attack. The group Microsoft tracks as Storm-1359 used a collection of botnets and tools to target Microsoft's services, leveraging rented Virtual Private Servers (VPS), open-source and commercial DDoS tools, and cloud infrastructure to launch the attacks.

Specifically, the threat actors used three techniques. First, HTTP(S) floods: overloading the target with millions of HTTP(S) requests originating from IP addresses worldwide. Second, cache bypass: crafting requests so that the CDN layer could not serve them from cache, forcing each one through to the origin servers. Third, Slowloris: holding connections open to exhaust the web server's resources, resulting in a denial of service.

“Microsoft hardened layer 7 protections including tuning Azure Web Application Firewall (WAF) to better protect customers from the impact of similar DDoS attacks. While these tools and techniques are highly effective at mitigating the majority of disruptions, Microsoft consistently reviews the performance of its hardening capabilities and incorporates learnings into refining and improving their effectiveness,” Microsoft explained.


How to protect against Layer 7 Distributed Denial of Service (DDoS) attacks

Microsoft has not found any evidence that customer data was accessed or compromised as a result of the DDoS campaign. The company did, however, publish several recommendations for mitigating similar Layer 7 DDoS attacks in the future.

Microsoft recommends that IT admins configure the bot protection managed rule set in Azure WAF. Customers should also block known malicious IP addresses and manage traffic by geographic region. Finally, Microsoft recommends creating custom WAF rules to block or rate-limit HTTP or HTTPS requests that match known attack signatures.
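The two application-layer techniques named above, the HTTP(S) flood and the cache-bypass flood, leave recognisable traces in ordinary web server access logs, and the rate-limit rule Microsoft recommends is essentially a per-client request counter. The following Python script is an added example, not code from Microsoft or from the Azure WAF: it parses combined-format access log lines, flags any client that exceeds a request threshold inside a sliding 60-second window, and flags paths whose requests carry almost entirely distinct query strings, the signature of a cache-bypass flood aimed at forcing every request to the origin. The log lines, IP addresses and thresholds are constructed for illustration; a real WAF rate-limit rule counts over a fixed duration rather than a sliding window, so treat this as a triage aid for log review rather than a reimplementation of the product.

```python
"""Triage web access logs for Layer 7 flood and cache-bypass patterns.

Added example (not Microsoft's or Azure WAF's code). Log lines and
thresholds are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-format prefix: ip ident user [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, timestamp, path and query string, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "ts": ts, "path": path, "query": query}


def rate_offenders(events, threshold, window_seconds=60):
    """Map each client IP that exceeded `threshold` requests within any
    `window_seconds` sliding window to the peak count observed."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # Advance the window start until it is within window_seconds of t.
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > threshold:
                offenders[ip] = max(offenders.get(ip, 0), count)
    return offenders


def cache_bypass_paths(events, min_requests=20, unique_ratio=0.9):
    """Map each path with at least `min_requests` hits whose query strings are
    (nearly) all distinct to the ratio of unique queries, rounded to 2 places.
    A flood that appends a fresh query string to every request defeats CDN
    caching, which is the cache-bypass behaviour described in the article."""
    queries = defaultdict(list)
    for e in events:
        queries[e["path"]].append(e["query"])
    flagged = {}
    for path, qs in queries.items():
        if len(qs) < min_requests:
            continue
        ratio = len(set(qs)) / len(qs)
        if ratio >= unique_ratio:
            flagged[path] = round(ratio, 2)
    return flagged


def build_sample_log():
    """Constructed sample: one flooding client (120 requests in 60 seconds,
    each with a unique cache-busting query string) and one normal client."""
    lines = []
    flood = ('203.0.113.7 - - [05/Jun/2023:10:00:%02d +0000] '
             '"GET /index.html?cb=%d HTTP/1.1" 200')
    for i in range(120):
        lines.append(flood % (i % 60, i))
    normal = ('198.51.100.4 - - [05/Jun/2023:10:%02d:00 +0000] '
              '"GET /index.html HTTP/1.1" 200')
    for i in range(5):
        lines.append(normal % i)
    return lines


def triage(lines, threshold=100):
    """Parse the lines and return both findings in one dict."""
    events = [e for e in map(parse_line, lines) if e]
    return {
        "rate_offenders": rate_offenders(events, threshold),
        "cache_bypass_paths": cache_bypass_paths(events),
    }


if __name__ == "__main__":
    print(triage(build_sample_log()))
```

Run against the constructed sample, `triage` reports the flooding client with a peak of 120 requests in the window and `/index.html` with a 0.97 unique-query ratio, while the normal client is not listed. The two findings feed directly into the mitigations Microsoft lists: the offending address is a candidate for an IP block, and the unique-query pattern is the signature a custom WAF rule should match to rate-limit cache-bypass traffic.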