Microsoft recently reported and responded to a surge in Layer 7 Distributed Denial of Service (DDoS) attacks impacting their services, providing important insights and recommendations for businesses worldwide.

In early June 2023, Microsoft began investigating an influx of traffic that momentarily affected service availability. The company tracked the ongoing DDoS activity back to a threat actor, labeled as Storm-1359. The attackers appear to be leveraging multiple virtual private servers (VPS), rented cloud infrastructure, open proxies, and DDoS tools to execute these attacks.

Storm-1359 Attacks and Microsoft’s Response

Storm-1359’s attacks brought disruption and temporary outages to numerous Microsoft services, including Azure, Outlook, OneDrive, Teams, and other parts of the Microsoft 365 suite. While this caused inconvenience, Microsoft reassured customers that no evidence suggested any customer data had been compromised.

Notably, these attacks targeted layer 7 of the OSI model, in contrast to the more conventional layer 3 or 4 attacks. In response, Microsoft fine-tuned Azure’s Web Application Firewall (WAF) to bolster layer 7 defenses and protect customers from similar DDoS threats.


Storm-1359’s Attack Techniques

Storm-1359 employs a variety of layer 7 DDoS attack methods:

  1. HTTP(S) flood attack: The threat actor overloads the system resources with a multitude of HTTP(S) requests and SSL/TLS handshakes, causing the application backend to run out of CPU and memory.
  2. Cache bypass: This technique attempts to circumvent the CDN layer, which can overload the origin servers. The attacker generates URLs that are not present in the cache, causing every request to be forwarded to the origin instead of being served from cached content.
  3. Slowloris attack: The client opens a connection, requests a resource, then deliberately delays acknowledging the download. This forces the server to maintain the connection and keep the requested resource in memory.
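To show what these three patterns look like from the defender's side, here is an added example (not code from Microsoft's report) that scores web-server access logs for each signal. It assumes a simplified, constructed log format of `ip timestamp method path status bytes seconds`, and the thresholds are illustrative values to tune per site.

```python
"""Flag layer 7 DDoS patterns (HTTP flood, cache bypass, slow clients) in access logs."""
import re
from collections import defaultdict

# Assumed simplified log format: "<ip> <epoch-seconds> <method> <path> <status> <bytes> <secs>"
LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\d{3}) (\d+) ([\d.]+)$")


def parse(log_text):
    """Return a list of (ip, ts, method, path, status, bytes, secs) tuples."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, status, nbytes, secs = m.groups()
            records.append((ip, int(ts), method, path, int(status), int(nbytes), float(secs)))
    return records


def analyze(records, window=60, flood_threshold=100, unique_ratio=0.8,
            min_requests=20, slow_seconds=30):
    """Map each client IP to the sorted list of DDoS signals it triggered."""
    per_ip = defaultdict(list)
    for rec in records:
        per_ip[rec[0]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        signals = set()
        # HTTP(S) flood: too many requests from one client inside any sliding window.
        times = sorted(r[1] for r in recs)
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] >= window:
                lo += 1
            if hi - lo + 1 >= flood_threshold:
                signals.add("http_flood")
                break
        # Cache bypass: nearly every request carries a distinct URL, so the CDN cannot serve it.
        if len(recs) >= min_requests and len({r[3] for r in recs}) / len(recs) >= unique_ratio:
            signals.add("cache_bypass")
        # Slowloris-style: a request held open far longer than a normal download takes.
        if any(r[6] >= slow_seconds for r in recs):
            signals.add("slow_client")
        if signals:
            findings[ip] = sorted(signals)
    return findings


def constructed_sample():
    """Constructed log: one normal client, one slow client, one flooding/cache-busting client."""
    lines = ["203.0.113.5 1000 GET /index.html 200 5120 0.02",
             "203.0.113.5 1030 GET /about 200 4096 0.03",
             "192.0.2.77 1000 GET /images/banner.png 200 900000 45.0"]
    lines += [f"198.51.100.9 {1000 + i // 5} GET /index.html?cb={i} 200 5120 0.02" for i in range(150)]
    return "\n".join(lines)
```

Running `analyze(parse(constructed_sample()))` flags 198.51.100.9 for both the flood and cache-bypass signals and 192.0.2.77 as a slow client, while the normal client is left alone.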

Microsoft’s Recommendations for Layer 7 DDoS Protection

Given the increasing sophistication of these attacks, Microsoft has outlined recommendations to enhance layer 7 DDoS protection:

  1. Use layer 7 protection services: Services such as Azure’s Web Application Firewall (WAF), available with Azure Front Door and Azure Application Gateway, can be used to protect web applications.
  2. Leverage bot protection: For Azure WAF users, Microsoft recommends using the bot protection managed rule set. This offers protection against known malicious bots.
  3. Block suspicious IP addresses: Microsoft suggests that IP addresses and ranges identified as malicious should be blocked.
  4. Geofencing: Traffic originating outside a defined geographic region (or, where warranted, traffic from within that region) should be blocked, rate-limited, or redirected to a static webpage.
  5. Create custom WAF rules: Microsoft advises creating custom WAF rules to automatically block and rate limit HTTP or HTTPS attacks with known signatures.

Microsoft’s response to the Storm-1359 threat actor illustrates a proactive and iterative approach to cybersecurity. As cyber threats continue to evolve, so too must our defenses. Microsoft’s recent experiences provide valuable insights and lessons that can help businesses worldwide enhance their resilience against such cyber threats.