
Azure outage: Microsoft protection actually worsened impact of DDoS attack

Global outage due to faulty defensive mechanism


An implementation error actually worsened the impact of a DDoS attack on Microsoft rather than mitigating it. As a result, parts of Azure and various 365 and Purview services were unreachable for hours on Tuesday.

These are Microsoft's preliminary findings on the outage. An unexpected usage spike on Azure Front Door and the Azure Content Delivery Network negatively impacted their availability. The spike was due to a DDoS attack, but the attack itself only indirectly led to the global outage. Internal investigations point to "an error in the implementation of our defenses [which] amplified the impact of the attack rather than mitigating it," Microsoft states.

Third outage in a short time

The incident is curious to say the least: how could a DDoS attack trigger a mechanism at Microsoft that unintentionally amplified the attack's impact? The company promises to make a Preliminary Post Incident Review (PIR) available within 72 hours. A Final Post Incident Review will follow within two weeks. Based on previous incidents, we can expect a comprehensive timeline and some 600 to 800 words explaining what happened.

In addition, the global impact is striking. Including this week's incident, Microsoft has had two prominent outages in the past month that did not involve another vendor. The other one occurred in the central United States on July 18, but it was quickly overshadowed by the infamous CrowdStrike outage the day after.


Alois Reitbauer, Chief Technology Strategist at Dynatrace, fears that such outages will “increasingly become part of customers’ digital experience.” This is especially worrying given they can have a major impact. “The traditional approach to response is for teams to deploy multiple tools to manually aggregate insights to find the problem. This approach is not scalable.” Instead, companies need to deploy AI, Reitbauer argues. “Organizations that harness the power of the three AI capabilities (causal, generative and predictive) are better able to prioritize business decisions and respond faster to these incidents.”

Magnifying glass

Currently, Microsoft services are under a magnifying glass. Users who had never heard of CrowdStrike will have assumed that the July 19 incident in particular was caused by Microsoft. Yet the July 18, July 19 and July 30 incidents have completely different culprits. Two of them stemmed from different Microsoft configuration errors, with a global impact on July 30, while the other came from a CrowdStrike update.

It would be helpful if Microsoft could provide some nuance in subsequent reporting on the incident. For example, we don’t know how many DDoS attacks the company successfully averts and how it mitigates them. We can imagine it’s having to deal with attempts to take its services down continuously. No company can guarantee 100 percent availability, especially if it cultivates the interest of malicious actors with the budget to inflict damage. This has led to profound exploits on several occasions, as the Russian and Chinese attacks in the past year showed. A DDoS attack is actually child’s play compared to these types of infiltrations. Any attacker with enough equipment can carry it out.