Microsoft is responding to recent DDoS attacks. The early June incidents caused some service outages, but Microsoft says no customer data was compromised.
Microsoft’s Security Response Center (MSRC) has issued a detailed analysis of the cyberattacks that took down its main online services earlier this month. The response describes a series of Layer 7 distributed denial-of-service attacks launched by a threat actor Microsoft tracks as Storm-1359.
According to Microsoft, the Layer 7 DDoS attacks interrupted the company’s most popular services, including Azure, Outlook and OneDrive. A “Layer 7” attack is a form of DDoS that targets the application layer (Layer 7 of the OSI model), where HTTP requests are handled, rather than the network or transport layers beneath it. The attack vector uses a high volume of requests to overwhelm the application layer and cause service disruptions or outages.
Microsoft assessed that Storm-1359 has access to a large collection of botnets and tools. These could enable the threat actor to launch DDoS attacks from multiple cloud services and open proxy infrastructures. Storm-1359 appears to be focused on disruption and publicity, MSRC said.
Preventing future disruptions through “hardening”
The DDoS attack began by targeting the web portal of Outlook.com on June 7. The attackers then moved on to OneDrive on June 8, followed by the Microsoft Azure Portal on June 9. MSRC says that Storm-1359’s attack methods included HTTP(S) flood attacks, cache bypass and Slowloris, each designed to exhaust a web service’s available connections and request-handling capacity, thereby preventing it from processing new requests.
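The three techniques MSRC names leave different footprints in a defender's telemetry: a flood shows up as raw request rate per client, cache bypass as many distinct query strings against one path (so no cached copy is ever served), and Slowloris as many long-lived connections that never finish sending a request. The script below is an added illustration, not Microsoft's code or tooling, that runs simple detectors for each pattern over constructed sample data; the access-log format, connection-snapshot fields and thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample access-log lines (not Microsoft telemetry). Assumed format:
#   epoch_seconds client_ip method path_with_query status
ACCESS_LOG = (
    # Ordinary browsing from one client.
    ["1686100000 198.51.100.7 GET /inbox 200",
     "1686100003 198.51.100.7 GET /inbox/message/42 200",
     "1686100009 198.51.100.7 GET /static/app.js 200"]
    # HTTP flood pattern: 120 hits on one path within 10 seconds from a single client.
    + [f"{1686100000 + i // 12} 203.0.113.10 GET /owa/ 200" for i in range(120)]
    # Cache-bypass pattern: a different query string on every request, so the
    # caching layer never has a matching entry and each request reaches the origin.
    + [f"{1686100000 + i // 4} 203.0.113.11 GET /owa/?cb={i:08x} 200" for i in range(40)]
)

# Constructed snapshot of open connections, as a load balancer or socket-state
# tool might report them. Assumed fields: (client_ip, seconds_open, bytes_received, request_complete)
CONNECTIONS = (
    [("198.51.100.7", 2, 812, True)]
    # Slowloris pattern: many connections held open for minutes with only a
    # partial request header received on each.
    + [("203.0.113.12", 90 + i, 40, False) for i in range(150)]
)


def parse_access_log(lines):
    """Split each assumed-format log line into a record with path and query separated."""
    records = []
    for line in lines:
        ts, ip, method, target, status = line.split()
        parts = urlsplit(target)
        records.append({"ts": int(ts), "ip": ip, "method": method,
                        "path": parts.path, "query": parts.query, "status": int(status)})
    return records


def detect_http_flood(records, window=10, threshold=100):
    """Flag clients that exceed `threshold` requests inside any `window`-second sliding window."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def detect_cache_bypass(records, min_unique=25):
    """Flag clients that hit one path with many distinct query strings (cache-key churn)."""
    variants = defaultdict(set)
    for r in records:
        if r["query"]:
            variants[(r["ip"], r["path"])].add(r["query"])
    return {ip: (path, len(qs)) for (ip, path), qs in variants.items() if len(qs) >= min_unique}


def detect_slowloris(conns, min_age=30, max_bytes=256, min_conns=50):
    """Flag clients holding many old, incomplete connections that sent only a few bytes."""
    stalled = defaultdict(int)
    for ip, age, nbytes, complete in conns:
        if not complete and age >= min_age and nbytes <= max_bytes:
            stalled[ip] += 1
    return {ip: n for ip, n in stalled.items() if n >= min_conns}


def triage(access_log=ACCESS_LOG, connections=CONNECTIONS):
    """Run all three detectors and return their findings keyed by technique."""
    records = parse_access_log(access_log)
    return {
        "http_flood": detect_http_flood(records),
        "cache_bypass": detect_cache_bypass(records),
        "slowloris": detect_slowloris(connections),
    }


if __name__ == "__main__":
    for kind, hits in triage().items():
        print(f"{kind}: {hits or 'none'}")
```

The thresholds are deliberately conservative placeholders; in production they would be tuned against a baseline of normal traffic for each endpoint, and the per-client key would usually be widened beyond a single IP address, since an actor with access to many proxies and cloud hosts spreads each pattern across thousands of sources.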
Following the attacks, Microsoft launched a detailed investigation and took steps to mitigate or prevent future attacks.
“This recent DDoS activity targeted layer 7 rather than layer 3 or 4”, MSRC explained. Microsoft says it has “hardened” its layer 7 protections, including tuning the Azure Web Application Firewall (WAF), to better protect customers from the impact of similar DDoS attacks. “While these tools and techniques are highly effective at mitigating the majority of disruptions, Microsoft consistently reviews the performance of its hardening capabilities and incorporates learnings into refining and improving their effectiveness”, the company said.
Although the attackers disrupted services, they left customer data unaffected, according to Microsoft. “We have seen no evidence that customer data has been accessed or compromised,” the response concluded.