A triple barrage of mystery DDoS attacks knocked Microsoft services including Azure, Intune offline

Back in 2021 Microsoft boasted of shielding a customer from a 2.4 Tbps DDoS attack originating from 70,000 sources. It has not shared such detail on this successful incident that hit its services...


In a short blog post published with minimal fanfare late Friday (June 16) Microsoft admitted “some services” had suffered “temporary availability” problems due to a mystery DDoS attack earlier this month.

Both the Azure portal and endpoint management tool Intune were briefly knocked offline on June 9 by one of the attacks. On June 5, Outlook, Teams, OneDrive and SharePoint also suffered intermittent outages.

Redmond itself did not specifically mention which of its services had been affected by the Microsoft DDoS attacks in its update – and did not publish the post on social media. Nor did it share details about the scale of the DDoS incident, which comes after a flurry of availability issues this month.

Microsoft DDoS attacks: Azure, Intune hit

It seems clear, however, that Azure was hit in the attacks.

A preliminary post-incident review from Microsoft of the June 9 Azure and Intune issues blamed “an anomalous spike in HTTP requests being issued against Azure portal origins, bypassing existing automatic preventive recovery measures and triggering the service unavailable response” – the closest thing to shorthand for a DDoS attack you can get.

In its June 16 update Microsoft did name the DDoS types, pointing to a trio of approaches used to hit its systems: HTTP(S) flood attacks, cache bypass attacks, and slowloris attacks, all detailed on its blog – and collectively designed to sap backend services of CPU and memory, bypass the Content Delivery Network (CDN) layer, and hold web servers open.
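The three techniques leave distinct footprints in edge or CDN logs, and a defender triaging an incident like this one would look for each separately. The following is an added example (not code from the article or from Microsoft) that runs simple per-client heuristics over a constructed log sample; the record fields and the thresholds are assumptions, not Azure's actual telemetry or WAF settings.

```python
from collections import Counter, defaultdict

# Constructed edge/CDN log records (not Microsoft telemetry): one dict per
# connection, with fields a WAF or CDN access log typically carries.
SAMPLE_LOG = [
    # HTTP(S) flood: one client hammering an origin with ordinary requests
    *[{"client": "198.51.100.7", "path": "/portal", "query": "", "cache": "HIT",
       "held_s": 0.2, "bytes_in": 420} for _ in range(12)],
    # Cache bypass: a unique query string forces every request to the origin
    *[{"client": "203.0.113.9", "path": "/portal", "query": f"cb={i}",
       "cache": "MISS", "held_s": 0.3, "bytes_in": 430} for i in range(6)],
    # Slowloris: connections held open for minutes with only partial headers
    *[{"client": "192.0.2.4", "path": "/", "query": "", "cache": "NONE",
       "held_s": 180.0, "bytes_in": 60} for _ in range(5)],
    # Benign browsing
    {"client": "10.0.0.5", "path": "/portal", "query": "", "cache": "HIT",
     "held_s": 0.1, "bytes_in": 400},
]

def http_flood_sources(records, max_requests=10):
    """Clients whose request count in the window exceeds max_requests."""
    counts = Counter(r["client"] for r in records)
    return sorted(c for c, n in counts.items() if n > max_requests)

def cache_bypass_sources(records, min_requests=5, miss_ratio=0.8):
    """Clients whose requests are mostly cache MISSes carrying a query string,
    i.e. traffic that reaches the origin instead of being served by the CDN."""
    per_client = defaultdict(lambda: [0, 0])  # client -> [total, bypassing]
    for r in records:
        per_client[r["client"]][0] += 1
        if r["cache"] == "MISS" and r["query"]:
            per_client[r["client"]][1] += 1
    return sorted(c for c, (total, bypass) in per_client.items()
                  if total >= min_requests and bypass / total >= miss_ratio)

def slowloris_sources(records, min_held_s=30.0, max_bytes=128, min_conns=3):
    """Clients holding several connections open a long time while sending almost nothing."""
    slow = Counter(r["client"] for r in records
                   if r["held_s"] >= min_held_s and r["bytes_in"] <= max_bytes)
    return sorted(c for c, n in slow.items() if n >= min_conns)

def triage(records):
    """Map each technique named in the MSRC post to the clients exhibiting it."""
    return {"http_flood": http_flood_sources(records),
            "cache_bypass": cache_bypass_sources(records),
            "slowloris": slowloris_sources(records)}

if __name__ == "__main__":
    for technique, clients in triage(SAMPLE_LOG).items():
        print(f"{technique}: {clients or 'none'}")
```

Real deployments would compute these over sliding time windows and feed the flagged sources into the WAF or CDN rate-limiting and connection-timeout rules rather than a printout.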

DDoS attacks, a blunt hammer in which servers are flooded with traffic until they stop being able to respond, are sometimes used to mask or support more sophisticated intrusions. Microsoft said it has “seen no evidence that customer data has been accessed or compromised.”


“These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools” the Microsoft Security Response Center (MSRC) said on Friday.

None of the techniques used in the Microsoft DDoS attacks is particularly esoteric, so they must have been deployed at a huge scale to impact so many services – Microsoft in October 2021, for example, boasted of shielding an unnamed European customer from a massive 2.4 Tbps DDoS attack. (This was a UDP reflection-type DDoS attack that originated from 70,000 sources.)

A little-known group calling itself “Anonymous Sudan” has claimed responsibility for the Microsoft DDoS attacks, and a Redmond spokesperson confirmed that link to AP – with the company describing the threat actor as “Storm-1359.”

Microsoft said it had been “tuning Azure Web Application Firewall [a managed service] to better protect customers from the impact of similar DDoS attacks” and, rather oddly, suggested in its recommendations that customers “Use layer 7 protection services such as Azure Web Application Firewall (available with Azure Front Door, Azure Application Gateway) to protect web applications” – i.e. the managed service that failed, to protect the other SaaS/IaaS services that were affected by its failure.

This may be mildly amusing/poorly considered from Microsoft, but when it comes to colossal DDoS attacks, hyperscaler cloud providers are about as well equipped as anyone to mitigate such incidents swiftly and at scale.

AWS also suffered availability issues earlier this month across its periodically troubled US-EAST-1 region. It has not published a detailed post-incident review for any such availability problems since December 10, 2021, so The Stack is unable yet to share the cause.
