Microsoft Azure outage caused by DDoS attack


Microsoft has confirmed that the cause of the July 30 service outage was a distributed denial of service attack. However, its advisory added that the problem was exacerbated by an “error in the implementation of its defenses” during a mitigation attempt.

Azure cloud services were affected between approximately 11:45 UTC and 19:43 UTC after being inundated with internet traffic. Microsoft said that Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components were "performing below acceptable thresholds, resulting in intermittent failures, timeouts, and latency spikes."

Microsoft has DDoS protection mechanisms in place that activate automatically. However, a bug in their implementation "amplified the impact of the attack rather than mitigating it." To relieve core systems, the engineering team made network configuration changes and failed over to alternate network paths.

Most of the impact was mitigated within roughly two and a half hours, but further work was still under way at 18:00 UTC to restore full availability for all customers. The incident was declared over at 20:48 UTC.

The actor behind the DDoS attack has not been confirmed, but the hacker group "SN_blackmeta" has claimed responsibility. Microsoft says it will publish a preliminary post-incident review before the end of the week and a more in-depth analysis within 14 days.

TechRepublic has reached out to Microsoft for comment.

SEE: White hat hackers discover 38TB of internal Microsoft data leak via Azure Storage

The Azure service outage was global in scope and affected a subset of customers attempting to connect to Azure App Services, Application Insights, Azure IoT Central, Azure Log Search Alerts, Azure Policy, the Azure portal itself, and a subset of Microsoft 365 services and Microsoft Purview.

On Tuesday, several different organizations issued statements to notify users that their services were disrupted as a result of the DDoS attack on Azure. These included Minecraft creator Mojang, GitHub's CodeSpaces, DocuSign, water companies, courts and football clubs. Microsoft later apologized for the inconvenience.

Stephen Robinson, a senior threat intelligence analyst at security firm WithSecure, told TechRepublic in an emailed statement: “Modern online services rely on stacked layers of dependencies, and in a significant proportion of service stacks you'll find Microsoft services. One of the affected Microsoft services, GetIn, is used to allow people to sign in to services and websites, and without it, users are unable to sign in.

“So while this disruption was short-lived and affected a subset of services, the impact was felt by many people.”

What is a denial of service attack?

A denial of service (DoS) attack is an attack in which a malicious actor attempts to prevent legitimate users from reaching a web server, web application, or cloud service, typically by overwhelming it with more traffic or requests than it can handle, or by otherwise exhausting the resources (connections, CPU, memory, bandwidth) it needs to serve them.

While a DoS attack is essentially single-source, a distributed denial of service (DDoS) attack uses a large number of machines on different networks (often a botnet of compromised devices) against the same target. It is harder to mitigate because blocking any one source has little effect, and at scale the malicious requests can be difficult to tell apart from a legitimate surge in demand.
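The distinction between a single-source flood and a distributed one matters operationally, because the first yields to a per-IP rate limit or block while the second does not. The following is an added illustrative example, not code from the article or from Microsoft: it buckets constructed access-log lines into fixed windows and labels each window as normal, single-source DoS, or distributed DDoS. The log format, the thresholds (100 requests per minute, 50 distinct sources, 80% share from one IP) and the sample traffic are all assumptions chosen for the demonstration.

```python
"""Classify request bursts as single-source DoS vs distributed DDoS from access-log lines.

Added illustrative example. Log format, thresholds and sample traffic are assumptions,
not anything Microsoft or the article describes.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 60          # fixed bucketing window (assumption)
TOTAL_THRESHOLD = 100        # requests per window above which the window is "hot" (assumption)
DISTINCT_SOURCES_DDOS = 50   # distinct client IPs in a hot window => distributed (assumption)
SINGLE_SOURCE_SHARE = 0.8    # one IP sending >= 80% of a hot window => single-source (assumption)


def parse_line(line):
    """Parse '<ISO8601Z> <client_ip> <method> <path> <status>' into (epoch_second, client_ip)."""
    ts, ip, _method, _path, _status = line.split()
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()), ip


def classify_windows(lines):
    """Bucket requests into fixed windows and label each window.

    Returns {window_start_epoch: {"label", "total", "sources", "top"}} in time order.
    """
    buckets = defaultdict(Counter)  # window_start -> Counter(client_ip -> request count)
    for line in lines:
        epoch, ip = parse_line(line)
        buckets[epoch - epoch % WINDOW_SECONDS][ip] += 1

    verdicts = {}
    for start in sorted(buckets):
        per_ip = buckets[start]
        total = sum(per_ip.values())
        top_ip, top_count = per_ip.most_common(1)[0]
        if total < TOTAL_THRESHOLD:
            label = "normal"
        elif len(per_ip) >= DISTINCT_SOURCES_DDOS:
            label = "ddos"      # volume spread over many sources: blocking single IPs will not help
        elif top_count / total >= SINGLE_SOURCE_SHARE:
            label = "dos"       # one source dominates: a per-IP rate limit or block is sufficient
        else:
            label = "elevated"  # hot but neither pattern fits; worth a human look
        verdicts[start] = {
            "label": label,
            "total": total,
            "sources": len(per_ip),
            "top": (top_ip, top_count),
        }
    return verdicts


def build_sample_log():
    """Constructed synthetic log: a quiet minute, a single-source burst, then a distributed burst.

    Uses documentation IP ranges (RFC 5737); nothing here is captured traffic.
    """
    lines = []

    def add(minute, second, ip):
        lines.append(f"2024-07-30T11:{minute:02d}:{second:02d}Z {ip} GET /login 200")

    for i in range(20):            # 11:45 quiet: 20 requests spread over 5 clients
        add(45, i, f"198.51.100.{i % 5}")
    for i in range(180):           # 11:46 one client floods the endpoint...
        add(46, i % 60, "203.0.113.7")
    for i in range(10):            # ...while legitimate clients keep trickling in
        add(46, i, f"198.51.100.{i % 5}")
    for i in range(300):           # 11:47 300 requests from 150 distinct clients
        add(47, i % 60, f"192.0.2.{i % 150}")
    return lines


if __name__ == "__main__":
    for start, verdict in classify_windows(build_sample_log()).items():
        stamp = datetime.fromtimestamp(start, timezone.utc).strftime("%H:%M")
        print(stamp, verdict)
```

On the constructed sample this labels 11:45 as normal, 11:46 as dos (one IP sends 180 of 190 requests) and 11:47 as ddos (300 requests from 150 sources). In practice the thresholds would be tuned per endpoint against a baseline, and a real mitigation pipeline would add the "is this a legitimate surge?" check that volume counts alone cannot answer.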

DDoS attacks are on the rise

DDoS attacks are becoming more frequent. Cloudflare recorded a 20% year-over-year increase in Q2 2024, after a 50% year-over-year increase in Q1. There are indications that this increase is linked to geopolitics: the anti-DDoS service StormWall notes a correlation with election periods and an increase in attacks on Israel since the escalation of the conflict in Gaza.

SEE: New record-breaking DDoS attack: HTTP/2 Rapid Reset Zero-Day reported by Google, AWS and Cloudflare

Major DDoS attacks affecting Microsoft services are rare, but not unheard of. In June 2023, a series of targeted attacks against Azure and other online platforms were attributed to a hacktivist group called Anonymous Sudan, disrupting services such as Outlook and OneDrive.

Microsoft also reported a spike in DDoS attacks during the holiday season that year as attackers sought to take advantage of fewer staff.

Microsoft has also suffered outages this summer that were unrelated to DDoS attacks. On July 19, tens of thousands of users in the US were unable to access Microsoft 365 services after a configuration change in Azure's Central US region. This coincided with a faulty update to CrowdStrike's Falcon sensor that crashed an estimated 8.5 million Windows devices worldwide.
