European Azure customer hit by record 2.4 Tbps DDoS attack

Microsoft shrugs off attack

An unnamed European user of Azure was hit by a record DDoS attack of 2.4 Tbps, originating from 70,000 sources in the last week of August, Microsoft -- which successfully mitigated the attack -- said. The incident comes after AWS also fended off a 2.3 Tbps DDoS attack in 2020 that lasted for three days. To put the scale of the record DDoS attack in context, it is nearly double the 1.3 Tbps attack that blasted GitHub in 2018, or over double the circa 1 Tbps Mirai botnet DDoS attack that famously knocked the late DNS provider Dyn offline in 2016.

"The attack traffic originated from... multiple countries in the Asia-Pacific region, such as Malaysia, Vietnam, Taiwan, Japan, and China, as well as from the United States. The attack vector was a UDP reflection spanning more than 10 minutes with very short-lived bursts, each ramping up in seconds to terabit volumes. In total, we monitored three main peaks, the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps," Amir Dahan, Senior Program Manager, Azure Networking, said in a Microsoft blog on October 11.


TCP SYN floods and UDP reflection attacks, which attempt to reflect and amplify packets off legitimate services running on the internet, were also among the most common infrastructure-layer events detected by AWS Shield over the past year -- with gaming servers/gaming companies often the target. (AWS notes that "many gaming applications rely upon UDP traffic, which makes it infeasible to block UDP as a countermeasure against the most common DDoS attacks, like UDP reflection attacks or UDP floods.")
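The two paragraphs above describe the defender's problem: UDP reflection traffic arrives from many legitimate-looking sources and ramps to extreme volumes within seconds, yet UDP cannot simply be dropped when the protected service itself runs over UDP. The following is an added example (not code from the article, Microsoft or AWS) of how a detection pipeline can pick out such bursts from per-flow records: it buckets bytes per second towards a protected address and flags seconds where the volume exceeds a threshold and most of the bytes come from source ports of commonly abused reflector services. The reflector port list, the 100 Gbps threshold and the flow records are all assumptions constructed for the example; the article gives none of them.

```python
"""Flag short, high-volume UDP reflection bursts in per-flow records.

Added example: bucket flow records per second, then report contiguous
seconds whose volume crosses a threshold and whose bytes mostly arrive
from well-known reflector source ports.  All inputs are synthetic.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Source ports of services commonly abused as UDP reflectors.  This list is
# an assumption for the example; the article names no specific services.
REFLECTOR_SRC_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP",
                       1900: "SSDP", 11211: "memcached"}

GBPS = 10 ** 9


@dataclass(frozen=True)
class Flow:
    ts: float        # arrival time in seconds
    proto: str       # "udp" or "tcp"
    src_port: int    # source port of the sending host
    dst_ip: str      # destination address (the protected service)
    nbytes: int      # bytes carried by this flow record


def bucket_per_second(flows: List[Flow], target_ip: str) -> Dict[int, dict]:
    """Sum bytes per second towards target_ip, split into total bytes and
    bytes whose UDP source port belongs to a known reflector service."""
    per_sec = defaultdict(lambda: {"total": 0, "reflect": 0, "services": set()})
    for f in flows:
        if f.dst_ip != target_ip:
            continue
        bucket = per_sec[int(f.ts)]
        bucket["total"] += f.nbytes
        if f.proto == "udp" and f.src_port in REFLECTOR_SRC_PORTS:
            bucket["reflect"] += f.nbytes
            bucket["services"].add(REFLECTOR_SRC_PORTS[f.src_port])
    return dict(per_sec)


def detect_bursts(per_sec: Dict[int, dict], threshold_bps: int,
                  min_reflect_share: float = 0.8) -> List[dict]:
    """Group contiguous seconds that exceed threshold_bps and are dominated
    by reflector-sourced UDP into bursts, each with its span, peak rate in
    bits per second and the reflector services observed."""
    bursts: List[dict] = []
    current = None
    for sec in sorted(per_sec):
        bucket = per_sec[sec]
        bps = bucket["total"] * 8
        share = bucket["reflect"] / bucket["total"] if bucket["total"] else 0.0
        if bps < threshold_bps or share < min_reflect_share:
            continue  # quiet second; an open burst is closed by the gap check below
        if current is None or sec != current["end"] + 1:
            current = {"start": sec, "end": sec, "peak_bps": 0, "services": set()}
            bursts.append(current)
        current["end"] = sec
        current["peak_bps"] = max(current["peak_bps"], bps)
        current["services"] |= bucket["services"]
    return bursts


def build_sample_flows(target: str = "203.0.113.10") -> List[Flow]:
    """Constructed sample: a steady 1 Gbps of legitimate TCP traffic for 20
    seconds, plus two reflection bursts (seconds 8-11 ramping to 2.4 Tbps,
    seconds 15-16 at roughly 0.55 Tbps) split across two reflector ports."""
    flows = [Flow(sec + 0.1, "tcp", 443, target, GBPS // 8) for sec in range(20)]
    ramp_gbps = {8: 500, 9: 1600, 10: 2400, 11: 900, 15: 300, 16: 550}
    for sec, gbps in ramp_gbps.items():
        per_port = gbps * GBPS // 8 // 2
        for port in (123, 11211):  # NTP and memcached reflectors
            flows.append(Flow(sec + 0.5, "udp", port, target, per_port))
    return flows


if __name__ == "__main__":
    rates = bucket_per_second(build_sample_flows(), "203.0.113.10")
    for b in detect_bursts(rates, threshold_bps=100 * GBPS):
        print(f"burst {b['start']}s-{b['end']}s peak {b['peak_bps'] / 1e12:.2f} Tbps "
              f"via {sorted(b['services'])}")
```

Because the test looks at the share of bytes from reflector ports rather than at UDP as a whole, legitimate UDP application traffic on other ports (the gaming case AWS describes) does not by itself trip the detector; tuning the threshold and share to a service's normal baseline is the operator's job.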

Research by Kaspersky this summer found that, globally, DDoS attacks in Q2 2021 had fallen by 38.8% year-on-year, but there is no shortage of organisations out there still trying to leverage DDoS-for-ransom attacks. Various bad actors have, for example, recently been exploiting Realtek SDK vulnerabilities -- including CVE-2021-35395, which impacts IoT devices manufactured by 65 vendors who use the Realtek chipsets and SDK -- to build out their botnets, as DDoS mitigation firm Radware recently noted.

(Its researchers named a new Mirai botnet variant using the Realtek bugs "Dark.IoT", based on malware file names all beginning with "Dark" and on hostnames that use "LMAO" to 'laugh' at IoT, for example 'lmaoiot.xyz'. It now uses 13 different DDoS attack vectors, leveraging over a dozen different exploits. Radware researchers nonetheless described the attackers as "unskilled and opportunist".)

Microsoft said of the record DDoS attack in August that the customer suffered no downtime or impact and that it could shrug off attacks even significantly greater than that, noting that its "DDoS protection platform, built on distributed DDoS detection and mitigation pipelines, can absorb tens of terabits of DDoS attacks."

Referring to the record DDoS attack on the European Azure customer, Ilia Kolochenko, Founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, noted: "This is a great example of the security advantages offered by public cloud providers. Virtually no on-premises infrastructure would resist such annihilating DDoS, even if protected by a cloud-based anti-DDoS solution. We witnessed how the largest anti-DDoS vendors abandoned some of their customers under extreme DDoS attacks to avoid any negative impact on other clients."

In his view, "the leading cloud vendors, notably AWS and Azure, offer probably the most comprehensive and efficient DDoS protection." Other vendors, from Akamai to Cloudflare, Fastly, Imperva, Neustar, Radware and beyond, may disagree. All offer different types of DDoS mitigation, from the basic dropping of all non-application traffic (for example, SYN and ICMP packets) at their edge-caching servers, which protects against common, bandwidth-consuming network-layer DDoS attacks, through to dedicated "scrubbing centres" and beyond.
