Posted on October 15, 2021 at 3:42 PM
Microsoft Defends against 2.4 Tbps DDoS Attack on Azure Cloud Services
Distributed Denial of Service (DDoS) attacks have been rising, and their intensity is becoming even bigger. Microsoft has been the latest victim of a major DDoS attack, but it managed to thwart it.
The DDoS attack that targeted Microsoft came in at 2.4 terabits per second (Tbps). The DDoS attack that Microsoft has recently battled against was targeted at its European Azure cloud services. This DDoS attack could have been the biggest one to be ever reported.
Largest DDoS Attack on Azure Cloud
Researchers have stated that this attack on the Azure cloud could be the biggest DDoS attack to date. The attack was even bigger than a previous attack in 2020 on Azure 1, reported a 1Tbps. In its report, Microsoft stated that this attack was “higher than any network volumetric event previously detected on Azure.”
Microsoft has provided scanty details into this attack, and it has not given the actual targets of the attack. Nevertheless, the report states that the attack originated from more than 70,000 sources. The attack’s origin has also been traced to the Asia-pacific countries, including China, Japan, Malaysia, Taiwan and Vietnam. Some sources also point to the United States.
The attack vector used to launch the attack was a User Datagram Protocol (UDP). The attack’s total duration was 10 minutes, and it came with short-lived bursts. These bursts increase in seconds to the terabit volumes. The attack peaked at three main instances. The first peak was at 2.4 Tbps, the second one was at 0.55 Tbps, and the third peak was at 1.7 Tbps.
The UDP reflection attack is a technique used by threat actors to exploit the stateless nature of UDP. Once this attack has been launched, it appears to reflect back and forth within the local network, hence its name. The attack also depends on the UDP request packet’s source internet protocol (IP) falsification.
The UDP packet with the falsified source IP is sent to an intermediary server by the attacker. The server then sends its UDP response packets to the targeted users rather than sending them back to the threat actor. The intermediary server increases the intensity of the attack because it generates greater network traffic than the request packet. This multiplies the attack traffic.
The intensity of the attack traffic depends on the attack protocol that the threat actors are exploiting. Parties launching DDoS attacks mainly exploit internet protocols such as CharGen, DNS, memcached, NTP and QOTD. Memcached is the most common IP exploited in DDoS attacks.
Memcached is an open-source object-caching system that boasts high performance. This system is mainly used by social media networks with high traffic, such as Facebook. As an in-memory key-value store, it is also used by its creator, LiveJournal, to store smaller proportions of arbitrary data.
In terms of data storage, Memcached is highly useful. However, reports by Cloudflare have shown that the IP can be exploited, which can cause an amplification of attack traffic. According to Cloudflare, if an attacker lodged 15 bytes of request, it can lead to 750 KB of attack traffic, a 51,200x amplification.
Microsoft did not mention the specific IP used in launching these attacks, but in its report, it mentioned DNS. Attacks targeting DNS IPs do not have the extent of amplification, such as Memcached. DNS exploits can lead to 28 to 54 times of amplification of the original bytes. In this case, if the attacker sends a request of 64 bytes to a DNS server, it could lead to 3400 bytes of attack traffic.
Azure DDoS Protection Layer defended against Attack
Microsoft failed to give the exact details on how it defended itself against the attack. However, it noted that Azure’s cloud services have a DDoS protection layer that detects DDoS attacks and mitigates the effects of the attack. Microsoft further noted that the protection layer could absorb tens of terabits of attack traffic.
“This aggregated, distributed mitigation capacity can massively scale to absorb the highest volume of DDoS threats, providing our customers the protection they need,” Microsoft noted.
Once the Azure DDoS protection protocol detects an attack, its mitigation strategies are triggered. According to Microsoft, this working mechanism ensures that the protection layer offers the fastest time needed to mitigate the attack. Furthermore, it reduced the collateral damage caused by such attacks.
All Azure users benefit from this DDoS protection protocol. However, Microsoft recommends that users also subscribe to the Azure DDoS Protection Standard. This standard not only defends against DDoS attacks but also provides cost protection. This extra layer of protection offers data transfer and compensates for the resource costs incurred from DDoS attacks.