Microsoft discloses detailed analysis of Layer 7 DDoS attacks

Microsoft Corp. disclosed Friday that outages that affected its customers earlier this month were caused by a distributed denial-of-service attack launched by a threat actor called Storm-1359.

The Layer 7 DDoS attack affected Microsoft services, including Azure, Outlook and OneDrive. A “Layer 7” attack is a form of DDoS that targets the application layer (Layer 7 of the OSI model, the application layer of the internet protocol suite), overwhelming a service with a high volume of requests and causing service degradation or outages. The Storm-1359 hacking group is more commonly known as Anonymous Sudan.

The DDoS attack began in early June, with the Outlook.com web portal targeted on June 7, followed by OneDrive on June 8 and the Microsoft Azure Portal on June 9. Microsoft’s subsequent internal investigation indicates that the threat actor used multiple virtual private servers, rented cloud infrastructure, open proxies and DDoS tools to execute the attacks. Notably, the investigation also concluded that the attacks were aimed at publicity as well as disruption.

Under the hood, the attacks are described as somewhat unusual. Rather than flooding network links with packets, Storm-1359 sent a large volume of well-formed application requests, each of which cost the target real work (TLS handshakes, request parsing, back-end calls), leading to service degradation or even total denial of service. That distinguishes a Layer 7 attack from the more common Layer 3 or 4 volumetric attacks, which network-layer defenses such as Azure DDoS Protection absorb before they reach an application; Layer 7 traffic instead has to be filtered by application-aware controls such as Azure Web Application Firewall, which is why Microsoft’s guidance focuses on WAF tuning.

The DDoS attack methods used by the group included HTTP(S) flood attacks, which exhaust server CPU and memory with a high rate of TLS handshakes and request processing; cache bypass, which sends requests crafted to miss the CDN cache (for example, by varying the query string) so every request hits the origin servers; and Slowloris, which opens connections and deliberately never completes the request so that the server’s available connections stay tied up. Each is designed to consume the resources a web service needs to serve new requests.
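The three techniques leave different fingerprints in telemetry, and a practitioner reading this will want to know what to look for. The following is an added example, not Microsoft’s code or anything published about the Storm-1359 investigation: it runs simple heuristics over constructed access-log lines and a constructed connection table to flag an HTTP flood (request rate per client), a cache-bypass flood (a client whose query string never repeats against one path) and Slowloris (a client holding many long-lived connections with incomplete headers). The log format, the sample IPs and all thresholds are assumptions chosen for illustration and should be tuned against a real baseline.

```python
"""Heuristic detection of the Layer 7 DDoS techniques named in the article.

Added example, not Microsoft code. The sample traffic is constructed and the
thresholds are illustrative assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Assumed access-log line format: <ISO timestamp> <client ip> "<method> <target> HTTP/x.y" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)


def build_sample_log():
    """Constructed traffic: one normal client, one HTTP flood, one cache-bypass flood."""
    t0 = datetime(2023, 6, 7, 12, 0, 0)
    lines = []
    # Normal client: five requests spread over a minute to a cacheable path.
    for i in range(5):
        ts = (t0 + timedelta(seconds=12 * i)).isoformat()
        lines.append(f'{ts} 198.51.100.5 "GET /index.html HTTP/1.1" 200')
    # HTTP flood: 60 requests to one path inside ten seconds (150 ms apart).
    for i in range(60):
        ts = (t0 + timedelta(milliseconds=150 * i)).isoformat()
        lines.append(f'{ts} 203.0.113.10 "GET /index.html HTTP/1.1" 200')
    # Cache bypass: 30 requests whose query string changes every time, so a CDN
    # can never serve them from cache and each one reaches the origin.
    for i in range(30):
        ts = (t0 + timedelta(milliseconds=300 * i)).isoformat()
        lines.append(f'{ts} 203.0.113.20 "GET /api/catalog?cb={i:06d} HTTP/1.1" 200')
    return lines


def parse_access_log(lines):
    """Parse log lines into dicts; malformed lines are skipped rather than aborting the run."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        records.append({"ts": datetime.fromisoformat(m.group("ts")),
                        "ip": m.group("ip"), "path": path, "query": query})
    return records


def detect_http_flood(records, window_s=10, max_requests=50):
    """Return {ip: peak requests in any window_s-second sliding window} for IPs above max_requests."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    window = timedelta(seconds=window_s)
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            offenders[ip] = peak
    return offenders


def detect_cache_bypass(records, min_requests=20, min_unique_ratio=0.9):
    """Flag (ip, path) pairs where nearly every request carries a never-repeated query string.

    Legitimate clients re-use query strings (pagination, search terms); cache busting does not.
    """
    per_key = defaultdict(list)
    for r in records:
        per_key[(r["ip"], r["path"])].append(r["query"])
    flagged = {}
    for key, queries in per_key.items():
        if len(queries) < min_requests or not any(queries):
            continue  # too few requests, or no query strings at all (plain flood, not cache bypass)
        ratio = len(set(queries)) / len(queries)
        if ratio >= min_unique_ratio:
            flagged[key] = ratio
    return flagged


def detect_slowloris(connections, min_open_s=30, max_conns=20):
    """Flag IPs holding more than max_conns connections open >= min_open_s without finishing their headers.

    Each connection is (ip, seconds_open, headers_complete), as a server's connection table would show.
    """
    stalled = Counter(ip for ip, open_s, done in connections if open_s >= min_open_s and not done)
    return {ip: n for ip, n in stalled.items() if n > max_conns}


def build_sample_connections():
    """Constructed connection table: two benign keep-alive connections and 40 stalled ones."""
    conns = [("198.51.100.5", 2.0, True), ("198.51.100.7", 45.0, True)]
    conns += [("203.0.113.30", 60.0 + i, False) for i in range(40)]
    return conns


def run_all():
    records = parse_access_log(build_sample_log())
    return {"http_flood": detect_http_flood(records),
            "cache_bypass": detect_cache_bypass(records),
            "slowloris": detect_slowloris(build_sample_connections())}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

On the constructed data the flood detector reports only 203.0.113.10 (60 requests in one window), the cache-bypass detector only the 203.0.113.20 / /api/catalog pair, and the Slowloris check only 203.0.113.30. Note that the cache-bypass client also sends 30 requests in nine seconds, below the flood threshold used here: that is the point of the technique, since a modest request rate that always misses the cache can overload an origin that the CDN would otherwise shield.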

Microsoft emphasized to customers that there is no evidence of customer data being accessed or compromised during these attacks.

Anonymous Sudan, or Storm-1359, was first detected in January. It has targeted organizations and government agencies worldwide with DDoS attacks and data leaks. In recent months, the group has also demanded ransom payments from large organizations, threatening to continue its attacks until the demands are met.

To reduce exposure to similar attacks, Microsoft advises customers to review their Layer 7 protection measures, particularly those who use Azure Web Application Firewall. Those users should take several steps: enable the bot protection managed rule set to block known malicious bots, block IP addresses and ranges identified as malicious, filter or rate-limit traffic by geographic region, and create custom WAF rules to block or rate-limit requests that match known attack signatures.

Image: Bing AI Image Creator
