Microsoft thwarts mega-DDoS attack on Azure platform

Microsoft’s Azure Networking team have shared details of how they beat off one of the largest attempted distributed denial of service (DDoS) attacks in internet history, which targeted an unnamed Azure customer in Europe.

The 2.4 terabit per second (Tbps) attack took place in the last week of August and was more than double the size of the previous largest attack on a single IP detected on Azure, a 1Tbps event that occurred in spring 2020, at the beginning of the Covid-19 pandemic. It is also higher than any network volumetric event previously detected on Azure.

In a disclosure blog, Microsoft Azure Networking programme manager Alethea Toh and principal network engineer Syed Pasha revealed that the attack traffic originated from about 70,000 sources across several Asia-Pacific (APAC) countries and the US.

The attack vector was user datagram protocol (UDP) reflection, spanning just over 10 minutes in three short-lived bursts, each of which ramped up within seconds. The first peak was 2.4Tbps, the second 0.55Tbps, and the third 17Tbps.

“Attacks of this size demonstrate the ability of bad actors to wreak havoc by flooding targets with gigantic traffic volumes trying to choke network capacity,” wrote Toh and Pasha.

“However, Azure’s DDoS protection platform, built on distributed DDoS detection and mitigation pipelines, can absorb tens of terabits of DDoS attacks. This aggregated distributed mitigation capacity can massively scale to absorb the highest volume of DDoS threats, providing our customers with the protection they need.”

The attack was successfully mitigated by Azure’s DDoS control plane logic, which dynamically allocated mitigation resources to locations physically close to the sources of the attack, so that none of the malicious traffic reached the customer’s region. This logic kicks in when continuous monitoring detects extremely large deviations from traffic-volume baselines, and mitigation starts within seconds to limit collateral damage.
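The baseline-deviation detection described above, as an added illustration rather than Microsoft’s own code: a rolling-median detector run over constructed per-second volume samples shaped like the three-burst pattern in the article. The window, multiplier and floor values are assumptions, not Azure’s settings.

```python
from statistics import median

# Constructed per-second ingress volume samples (Tbps) for one target IP,
# modelled on the three short bursts the article describes; not Azure data.
SAMPLES_TBPS = (
    [0.002] * 30                       # quiet baseline traffic
    + [0.4, 1.6, 2.4, 2.1, 0.9, 0.3]   # burst 1, ramps up within seconds
    + [0.002] * 20
    + [0.2, 0.55, 0.4, 0.1]            # burst 2
    + [0.002] * 20
    + [0.5, 1.2, 0.8, 0.3]             # burst 3
    + [0.002] * 10
)


def detect_volumetric_bursts(samples, window=30, multiplier=10.0, floor=0.05):
    """Flag seconds whose volume deviates far above a rolling baseline.

    The baseline is the median of the previous `window` samples, so a burst
    lasting a few seconds cannot drag the baseline up with it.  A sample is
    flagged when it exceeds max(baseline * multiplier, floor) Tbps; the floor
    stops a near-zero baseline from flagging harmless jitter.  Returns
    (bursts, peaks): [start, end] index pairs and the peak volume per burst.
    Parameter values are assumed for illustration.
    """
    bursts, peaks = [], []
    in_burst = False
    for i, vol in enumerate(samples):
        history = samples[max(0, i - window):i]
        baseline = median(history) if history else samples[0]
        threshold = max(baseline * multiplier, floor)
        if vol > threshold:
            if in_burst:
                bursts[-1][1] = i
                peaks[-1] = max(peaks[-1], vol)
            else:
                bursts.append([i, i])
                peaks.append(vol)
                in_burst = True
        else:
            in_burst = False
    return bursts, peaks


if __name__ == "__main__":
    for (start, end), peak in zip(*detect_volumetric_bursts(SAMPLES_TBPS)):
        print(f"burst t={start}s..{end}s peak {peak} Tbps")
```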

“Whether in the cloud or on-premises, every organisation with internet-exposed workloads is vulnerable to DDoS attacks,” wrote the blog’s authors. “Because of Azure’s global absorption scale and advanced mitigation logic, the customer did not suffer any impact or downtime.”

ImmuniWeb founder Ilia Kolochenko, who is also a member of Europol’s Data Protection Experts Network, said this was a great demonstration of how the cyber capabilities of large public cloud providers can be of wider benefit.

“Virtually no on-premises infrastructure would resist such annihilating DDoS, even if protected by a cloud-based anti-DDoS solution,” Kolochenko told Computer Weekly in emailed comments. “We have witnessed how the largest anti-DDoS vendors abandoned some of their customers under extreme DDoS attacks to avoid any negative impact on other clients.

“The leading cloud vendors, notably AWS and Azure, offer probably the most comprehensive and efficient DDoS protection to their clientele. All premium features are quite costly; however, they offer amazing value for money compared to other solutions.”

Kolochenko added that while many cite cyber security and compliance concerns as a blocker to moving data into a public cloud environment, in reality a correctly configured and hardened cloud infrastructure should enhance anyone’s security posture through better automation and incident response capabilities.

“It is essential, however, to ensure that your team is properly trained prior to moving your crown jewels to a cloud – the vast majority of devastating cloud incidents stem from misconfigurations and human error,” he added.