Microsoft Azure DDoS Attack Amplified by Mitigation Error


On July 30, a sustained cyberattack wreaked havoc on Microsoft’s Azure cloud services, causing nearly eight hours of disruption. The attack, exacerbated by an implementation error, affected multiple Azure offerings, including Azure App Services, Azure IoT Central, Application Insights, Log Search Alerts, and Azure Policy. The disruption began at around 7:45 a.m. ET and lasted until 3:43 p.m. ET, impacting the main Azure portal and a subset of Microsoft 365 and Microsoft Purview data-protection services.

DDoS Cyber-Defense Error Under Investigation

In an event summary, Microsoft detailed the DDoS attack, describing it as causing an “unexpected usage spike [that] resulted in Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components performing below acceptable thresholds.” The surge led to intermittent service errors, timeouts, and sudden latency increases.

More troublingly, Microsoft’s initial DDoS protection mechanisms inadvertently amplified the attack’s impact instead of mitigating it. While the exact mistake remains unidentified, Microsoft’s description suggests that initial network configuration changes made to support DDoS mitigation efforts caused unexpected “side effects.” After validating the approach in the Asia-Pacific region and Europe, the company implemented an updated strategy in the Americas.

“Our team will be completing an internal retrospective to understand the incident in more detail,” Microsoft said. “We will publish a Preliminary Post Incident Review (PIR) within approximately 72 hours, to share more details on what happened and how we responded.”

Inadvertent Errors in DDoS Mitigation

Rody Quinlan, a staff research engineer at Tenable, notes that several implementation errors can amplify cyberattacks. “Organizations can inadvertently amplify cyberattacks through various implementation errors, such as misconfigured rate limiting, inefficient load balancing, firewall misconfigurations, overly aggressive security rules, inadequate resource scaling, incorrect traffic filtering, and dependence on single points of failure,” he says. These errors can lead to blocked legitimate traffic, overloaded servers, bottlenecked firewalls, and critical services being taken offline.

Microsoft’s initial response to the DDoS attack might have contributed to its Azure service problems, underscoring the persistent effectiveness of DDoS attacks for adversaries aiming to disrupt and degrade online presence.

Trends in DDoS Attacks

A Cloudflare report earlier this year identified a 117% increase year-over-year in network-layer DDoS attacks. The report attributed this rise partly to increased attacks targeting retail, shipping, and public relations websites during Black Friday and the holiday shopping season. Additionally, many attacks have been politically motivated, with a notable increase in attacks on Taiwanese, Israeli, and Palestinian sites amid geopolitical tensions, as well as attacks on environmental sciences websites.

DDoS Attacks Adopt “Smash & Grab” Tactics

“Trends in DDoS are often cyclical, but currently we’re seeing attacks grow larger in size and shorter in duration,” says Donny Chong, director at DDoS security vendor Nexusguard. “Our most recent data suggests that attack sizes increased by an average of 183% last year, with an average size of 0.80Gbps.” At the same time, the average duration of DDoS attacks dropped to just over 101 minutes between 2022 and 2023. Currently, 81% of DDoS attacks last less than 90 minutes.

This decrease in attack duration is partly due to attackers becoming more efficient, possibly using artificial intelligence (AI) to automate attacks. Shorter attack durations are also likely due to improved mitigation technologies. “[Attackers] are finding it increasingly difficult to sustain prolonged disruptions. So, rather than a prolonged siege, it’s now more a case of ‘smash and grab,’” Chong explains.

Quinlan emphasizes the importance of real-time traffic analysis, scalable cloud infrastructure, redundant systems, and intelligent load balancing to prevent overload in mitigating DDoS disruption. “Proper rate limiting, throttling, and WAFs [Web application firewalls] filtering malicious traffic, and regular software and hardware vulnerability remediation are crucial to protect systems,” he says. “An effective incident-response plan and collaboration with Internet service providers and security providers enhance detection and mitigation capabilities.”

The recent Azure DDoS attack highlights the ongoing threat of DDoS attacks and the critical importance of robust cyber-defense mechanisms. The rise in the number of DDoS attacks is accompanied by rising intensity. In early July, France-based OVHCloud successfully defended against a record-breaking DDoS assault that peaked at 840 million packets per second. These attacks occur when hackers harness a network of compromised devices—such as PCs, servers, or IoT devices—to flood an internet service or website with excessive traffic, overwhelming the IT systems and causing them to go offline.

As organizations continue to face increasingly sophisticated and frequent cyber threats, ensuring that mitigation strategies are correctly implemented and regularly reviewed is paramount to maintaining service availability and security. Microsoft’s upcoming Preliminary Post Incident Review will hopefully provide more insights and lessons learned to bolster defenses against future attacks.

Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.