Microsoft Says It Mitigated Largest-Ever DDoS Attack
2.4 Tbps Attack Was 140% Higher Than All Recorded Attacks
Technology giant Microsoft has disclosed that it mitigated a DDoS attack of 2.4 terabytes per second, which targeted an undisclosed European customer using its cloud computing service Microsoft Azure.
The attack, observed in the last week of August, was 140% higher in scale than any previously recorded network volumetric event on Azure, according to a blog post that appeared in the Microsoft Azure blog Monday.
According to the post, the DDoS attack traffic originated from nearly 70,000 sources in countries including Malaysia, Vietnam, Taiwan, Japan, China and the U.S. The attack traffic did not reach the targeted client's location and was mitigated in the source countries, Microsoft says.
Attack Details
The attack vector, the report says, was a User Datagram Protocol, or UDP, reflection attack that lasted more than 10 minutes, with "very short-lived bursts, each ramping up in seconds to terabit volumes."
UDP is commonly used in time-sensitive applications, such as video playback, because it transfers data quickly, at the cost that some packets may be lost in transit. Because UDP does not require an established connection before data is sent, it is frequently abused to launch DDoS attacks.
The 2.4 Tbps attack occurred on an undisclosed date in August and was followed by a smaller spike of 0.55 Tbps; a third spike, reaching 1.7 Tbps, was recorded at 2:40 p.m., the blog notes.
Before the August attack, a 1.6 Tbps DDoS attack in March-April 2020 was the highest-bandwidth event Microsoft had ever recorded. The company said at the time that it was a reflection attack, and that a 1 Tbps attack had previously been observed on a single public IP.
According to the authors of the blog post, the magnitude of the latest attack demonstrates the ability of bad actors to "wreak havoc" by flooding targets with huge traffic volumes that bottleneck network capacity.
The post also says that when deviations from baselines are extremely large, Microsoft's control plane logic bypasses the normal detection steps required for lower-volume attacks and immediately starts the mitigation procedure. This ensures the fastest time-to-mitigation and prevents collateral damage from such large attacks.
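The two-tier logic described above (a normal path that confirms a moderate deviation over several samples, and a fast path that mitigates immediately when the deviation is extreme) can be sketched in a few dozen lines. The code below is an added illustration written for this article, not Microsoft's or Azure's implementation; the EWMA baseline, the 3x/100x thresholds and the constructed 1 Gbps sample series are assumptions chosen to make the behaviour visible.

```python
"""Baseline-deviation detector with a fast path for extreme spikes.

Added example: the two-path logic is modelled on the description in the
article, but the thresholds, the EWMA baseline and the sample data are
assumptions, not Azure's actual control plane.
"""
from dataclasses import dataclass, field


@dataclass
class VolumetricDetector:
    alpha: float = 0.1          # EWMA weight used to update the baseline
    slow_factor: float = 3.0    # normal path: rate >= slow_factor * baseline ...
    slow_samples: int = 3       # ... for this many consecutive samples before mitigating
    fast_factor: float = 100.0  # fast path: one sample >= fast_factor * baseline mitigates at once
    baseline_bps: float = 0.0
    above: int = 0              # consecutive samples seen above slow_factor
    mitigating: bool = False
    events: list = field(default_factory=list)

    def observe(self, t: float, rate_bps: float) -> bool:
        """Feed one rate sample (bits/s); return True while mitigation is active."""
        if self.baseline_bps == 0.0:
            self.baseline_bps = rate_bps   # seed from the first sample (assumed clean)
            return False
        ratio = rate_bps / self.baseline_bps
        if self.mitigating:
            if ratio < self.slow_factor:   # traffic is back near baseline: stop scrubbing
                self.mitigating = False
                self.above = 0
                self.events.append((t, "mitigation cleared", ratio))
            return self.mitigating
        if ratio >= self.fast_factor:
            # Extreme deviation: skip the confirmation window entirely.
            self.mitigating = True
            self.events.append((t, "fast-path mitigation", ratio))
        elif ratio >= self.slow_factor:
            # Moderate deviation: require consecutive samples to avoid reacting to blips.
            self.above += 1
            if self.above >= self.slow_samples:
                self.mitigating = True
                self.events.append((t, "confirmed mitigation", ratio))
        else:
            self.above = 0
            # Only learn from traffic considered normal, so an attack cannot drag the baseline up.
            self.baseline_bps = (1 - self.alpha) * self.baseline_bps + self.alpha * rate_bps
        return self.mitigating


def run(samples):
    """Replay a list of (t, rate_bps) samples and return the detector with its event log."""
    d = VolumetricDetector()
    for t, rate in samples:
        d.observe(t, rate)
    return d


GBPS, TBPS = 1e9, 1e12
NORMAL = [(t, 1.0 * GBPS) for t in range(10)]  # constructed: ten seconds of steady 1 Gbps

# Constructed scenarios (not real telemetry).
SCENARIOS = {
    "2.4 Tbps burst": NORMAL + [(10, 2.4 * TBPS), (11, 2.4 * TBPS), (12, 1.0 * GBPS)],
    "sustained 4x":   NORMAL + [(10, 4 * GBPS), (11, 4 * GBPS), (12, 4 * GBPS)],
    "single 4x blip": NORMAL + [(10, 4 * GBPS), (11, 1.0 * GBPS)],
}

if __name__ == "__main__":
    for name, samples in SCENARIOS.items():
        d = run(samples)
        print(name, "->", [(t, what, round(r, 1)) for t, what, r in d.events] or "no action")
```

In the burst scenario the first 2.4 Tbps sample is 2400x the baseline and triggers mitigation on that sample; the sustained 4x scenario is only confirmed on the third consecutive elevated sample; a single 4x blip is ignored. Freezing the baseline while traffic is elevated is what keeps a long-running attack from being learned as the new normal.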
Impressive Mitigation Process
Speaking about the mitigation process that averted a possible large-scale targeted attack, Ilia Kolochenko, founder of Swiss cybersecurity firm ImmuniWeb and member of Europol Data Protection Experts Network, tells Information Security Media Group that almost no on-premises infrastructure would resist such an "annihilating" DDoS attack, despite being protected by cloud-based anti-DDoS solutions.
Although many companies are reluctant to migrate their data to a public cloud, in reality, a properly configured and hardened cloud infrastructure offers capacities to automate security and incident response, saving time and beefing up cyber resilience, Kolochenko adds.
David Tippett, a DevOps engineer at American stock exchange NASDAQ, tells ISMG that the attack was directed at a single tenant in Azure - the targeted organization. This means the hackers were likely targeting a single IP or a handful of services that were allocated to that tenant, he says, so scaling out these services to handle the load would result in a lot of additional cost for that tenant.
"Instead of allowing the malicious traffic to the tenant, they mitigated it by detecting and discarding irrelevant traffic at 2.4 Tbps at a single location, for just one customer resource. This is what makes [the mitigation of the DDoS attack] so impressive," he says.
As opposed to a DoS attack, in which one system sends malicious data packets to a server, a DDoS attack stems from multiple systems. The sheer volume of requests flooding a targeted organization's data center could crash its webpages and adversely affect the bandwidth and processing capabilities of the targeted servers or data center.
Microsoft says the victim of the latest attack might have incurred extensive financial damage in addition to other intangible costs if it had been operating out of its own data center.
Shorter, Deadlier DDoS Attacks
In a February 2021 blog post highlighting trends observed in 2020, Microsoft says that DDoS attacks had grown by more than 50%, with increasing complexity and a significant increase in the volume of DDoS traffic. In 2020, Microsoft says, it mitigated an average of 500 multi-vector attacks on Azure resources on any given day.
According to the blog, the COVID-19 outbreak and subsequent shift to remote working brought about surges in internet traffic that made it easier for attackers to launch DDoS attacks as they no longer had to generate much traffic to bring down services. During March-April 2020, Microsoft says, it mitigated between 800 and 1,000 multi-vector attacks per day.
High-volume, short-burst DDoS attacks similar to the latest 2.4 Tbps one also occurred in March-April 2020, Microsoft says, adding that most DDoS attacks it observed in 2020 lasted less than an hour and 53% lasted no more than 10 minutes.
Microsoft also says in its report that there were multi-vector attacks in March-April 2020. In that type of attack, bad actors use multiple points of entry to make it tougher for organizations to mitigate the complex attack.
"Cybercriminals can exploit huge traffic streams to launch DDoS attacks, which makes it harder to distinguish between legitimate and malicious traffic," the Microsoft blog post on Monday says.
Common Attack Vectors
The most common attack vectors in 2020 were UDP flood attacks, UDP reflection attacks and SYN flood attacks. According to Cloudflare, UDP flooding is a DDoS attack that overwhelms the target server with numerous UDP packets. UDP reflection attacks are the same as UDP attacks except that the hacker uses a spoofed IP address. And SYN flood attacks are DDoS attacks in which the hacker sends repeated initial connection requests to overwhelm the server.
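The three vectors listed here, together with the short-burst UDP reflection pattern described earlier in the article, can be told apart from flow records by a few simple features: SYN-only TCP flows from many sources, UDP traffic arriving from the source ports of well-known reflector services, or plain high-rate UDP from many sources. The triage script below is an added example written for this article (not Microsoft's, Cloudflare's or any vendor's code); the flow-export format, the reflector port list, the thresholds and the sample records are all assumptions, and the records are constructed using documentation address ranges.

```python
"""Flow-record triage for UDP flood, UDP reflection and SYN flood traffic.

Added example. The nine-field flow format, the reflector port list and the
thresholds are assumptions; all records below are constructed.
"""
from collections import defaultdict

# Source ports of UDP services commonly abused as reflectors (illustrative, not exhaustive).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}


def parse_flow(line):
    """Parse one whitespace-separated flow summary (hypothetical export format):
    ts src dst proto sport dport tcpflags packets bytes"""
    ts, src, dst, proto, sport, dport, flags, pkts, nbytes = line.split()
    return {"ts": float(ts), "src": src, "dst": dst, "proto": proto,
            "sport": int(sport), "dport": int(dport), "flags": flags,
            "pkts": int(pkts), "bytes": int(nbytes)}


def peak_rates(recs):
    """Highest 1-second bin as (Gbit/s, packets/s); short bursts must not be averaged away."""
    bits, pkts = defaultdict(int), defaultdict(int)
    for r in recs:
        sec = int(r["ts"])
        bits[sec] += r["bytes"] * 8
        pkts[sec] += r["pkts"]
    return max(bits.values()) / 1e9, max(pkts.values())


def classify(records, min_sources=20, min_gbps=1.0, min_pps=100_000):
    """Return {dst: (label, peak_gbps, peak_pps)} for every destination seen."""
    by_dst = defaultdict(list)
    for r in records:
        by_dst[r["dst"]].append(r)
    verdicts = {}
    for dst, recs in by_dst.items():
        gbps, pps = peak_rates(recs)
        if gbps < min_gbps and pps < min_pps:
            verdicts[dst] = ("normal", gbps, pps)
            continue
        udp = [r for r in recs if r["proto"] == "UDP"]
        tcp = [r for r in recs if r["proto"] == "TCP"]
        syn_only = [r for r in tcp if r["flags"] == "S"]
        refl = [r for r in udp if r["sport"] in REFLECTOR_PORTS]
        udp_bytes = sum(r["bytes"] for r in udp)
        if tcp and len(syn_only) > 0.9 * len(tcp) and len({r["src"] for r in syn_only}) >= min_sources:
            verdicts[dst] = ("SYN flood", gbps, pps)
        elif udp and sum(r["bytes"] for r in refl) > 0.8 * udp_bytes and len({r["src"] for r in refl}) >= min_sources:
            services = ", ".join(sorted({REFLECTOR_PORTS[r["sport"]] for r in refl}))
            verdicts[dst] = (f"UDP reflection via {services}", gbps, pps)
        elif udp and len({r["src"] for r in udp}) >= min_sources:
            verdicts[dst] = ("UDP flood", gbps, pps)
        else:
            verdicts[dst] = ("unclassified high volume", gbps, pps)
    return verdicts


def constructed_flows():
    """Constructed sample records (documentation ranges 198.51.100/24, 192.0.2/24, 203.0.113/24)."""
    lines = []
    # 50 distinct NTP reflectors answering toward 203.0.113.10 inside one second
    for i in range(50):
        lines.append(f"1000.{i % 10} 198.51.100.{i + 1} 203.0.113.10 UDP 123 41234 - 2000 3000000")
    # 40 SYN-only flows from distinct (spoofed-looking) sources toward 203.0.113.20
    for i in range(40):
        lines.append(f"1000.{i % 10} 192.0.2.{i + 1} 203.0.113.20 TCP {40000 + i} 443 S 5000 320000")
    # ordinary traffic toward 203.0.113.30
    lines.append("1000.0 192.0.2.200 203.0.113.30 TCP 51000 443 SA 40 30000")
    lines.append("1000.5 192.0.2.201 203.0.113.30 UDP 53 53 - 2 300")
    return lines


if __name__ == "__main__":
    for dst, (label, gbps, pps) in classify([parse_flow(l) for l in constructed_flows()]).items():
        print(f"{dst:15} {label:30} peak {gbps:.3f} Gbit/s, {pps} pps")
```

The reflection check keys on the source port rather than the destination port because reflected traffic is the reflector's response, so the abused service's port appears on the source side; the SYN flood check uses packet rate rather than bandwidth because SYN packets are small and a flood shows up in pps long before it shows up in Gbit/s.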
While most DDoS attacks on Azure originated from the U.S., Russia, Brazil and the U.K., the destination regions were Amsterdam, the U.S., Hong Kong, Singapore and Brazil, according to Microsoft's 2020 report.