In June 2023, Microsoft noticed significant traffic increases that temporarily affected the availability of some services. As a response, Microsoft immediately launched an investigation and started monitoring the ongoing Distributed Denial of Service (DDoS) activity conducted by a threat actor known as Storm-1359.
Metamorphosis of attack
- These attacks rely on using multiple virtual private servers (VPS) alongside rented cloud infrastructure, open proxies, and DDoS tools.
- No evidence has been found to suggest that customer data has been accessed or compromised during these incidents.
The recent DDoS attacks specifically targeted layer 7, rather than the more common layer 3 or 4 attacks. In response, Microsoft has strengthened its layer 7 protections, including tuning the Azure Web Application Firewall (WAF).
What is layer 7?
The topmost layer of the OSI (Open Systems Interconnection) model handles communication between users and applications. This layer is responsible for analyzing, processing, and understanding application-specific protocols.
Its primary roles include content filtering, load balancing, and application-based security controls. Examples of layer 7 protocols and applications include:
- Web browsers using HTTP(S)
- Email clients using SMTP, POP3, and IMAP
- FTP and VoIP protocols
- Remote desktop protocols and the Domain Name System (DNS)
Technical analysis
According to Microsoft’s assessment, Storm-1359 has access to botnets and tools that allow the threat actor to launch DDoS attacks from various cloud services and open proxy infrastructures.
“Storm-1359 seems to be primarily interested in causing disruption and gaining publicity.”
Storm-1359 has been observed using several types of layer 7 DDoS attack traffic, including:
- HTTP(S) flood attack: This attack aims to overwhelm system resources by generating a high volume of SSL/TLS handshakes and HTTP(S) requests. The attacker distributes these requests globally, using many different source IP addresses. Consequently, the application backend becomes overloaded, depleting compute resources such as CPU and memory.
- Cache bypass: This attack tries to bypass the CDN (Content Delivery Network) layer and put excessive load on the origin servers. The attacker sends a series of requests for specifically generated URLs, which forces the frontend layer to forward every request to the origin server instead of serving cached content.
- Slowloris: This attack involves the client establishing a connection with a web server, requesting a resource (like an image), and deliberately delaying or failing to acknowledge the download. This forces the web server to keep the connection open and hold the requested resource in memory, leading to resource exhaustion.
How to protect your application?
Here are some valuable tips to mitigate the impact of potential attacks:
- Implement rate limiting
- Use CAPTCHA and bot detection
- Employ a web application firewall (WAF)
- Employ a content delivery network (CDN)
- Monitor traffic anomalies
- Perform load testing
- Plan for horizontal and vertical traffic scalability
- Stay informed
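As an added illustration (not code from the original article or from Microsoft) of how the "monitor traffic anomalies" and "implement rate limiting" steps apply to the HTTP(S) flood and cache-bypass patterns described above, the following Python snippet parses constructed access-log lines and flags single-source request bursts and paths whose query strings are almost all distinct. The IP addresses, paths and thresholds are constructed examples.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Common Log Format; not real traffic.
# 198.51.100.7 bursts requests to /catalog with a fresh cache-busting query each time.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jun/2023:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.10 - - [16/Jun/2023:10:00:00 +0000] "GET /about.html HTTP/1.1" 200 300
198.51.100.7 - - [16/Jun/2023:10:00:01 +0000] "GET /catalog?cb=8f1a HTTP/1.1" 200 900
198.51.100.7 - - [16/Jun/2023:10:00:01 +0000] "GET /catalog?cb=c02d HTTP/1.1" 200 900
198.51.100.7 - - [16/Jun/2023:10:00:01 +0000] "GET /catalog?cb=77e3 HTTP/1.1" 200 900
198.51.100.7 - - [16/Jun/2023:10:00:02 +0000] "GET /catalog?cb=19b0 HTTP/1.1" 200 900
198.51.100.7 - - [16/Jun/2023:10:00:02 +0000] "GET /catalog?cb=a4d9 HTTP/1.1" 200 900
203.0.113.10 - - [16/Jun/2023:10:00:02 +0000] "GET /catalog?page=2 HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

def parse(log_text):
    """Yield (client_ip, timestamp_text, path, query) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, target = m.groups()
            path, _, query = target.partition("?")
            yield ip, ts, path, query

def flood_sources(entries, threshold):
    """IPs that send at least `threshold` requests within a single log second.
    A distributed flood spreads load across many IPs, so a production rule would
    also compare the aggregate request rate against a baseline."""
    counts = defaultdict(int)
    for ip, ts, _, _ in entries:
        counts[(ip, ts)] += 1
    return sorted({ip for (ip, _), n in counts.items() if n >= threshold})

def cache_bypass_paths(entries, min_requests=4, min_unique_ratio=0.9):
    """Paths whose query strings are almost all distinct: a cache-busting signature.
    Returns {path: number_of_distinct_query_strings}."""
    queries = defaultdict(list)
    for _, _, path, query in entries:
        queries[path].append(query)
    flagged = {}
    for path, qs in queries.items():
        if len(qs) >= min_requests and len(set(qs)) / len(qs) >= min_unique_ratio:
            flagged[path] = len(set(qs))
    return flagged
```

A rate limiter or WAF rule keyed on the flagged sources and paths can then throttle the burst while normal clients such as 203.0.113.10 continue to be served.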
Conclusion
These measures aim to better shield customers from the impact of similar DDoS attacks. Microsoft regularly assesses the performance of its security measures and incorporates lessons learned to enhance their effectiveness.
DDoS attacks cannot be entirely prevented, but best practices like those mentioned above can help you reduce the risk. Be sound to be safe!