Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability. Microsoft promptly opened an investigation and subsequently began tracking ongoing DDoS activity by the threat actor that Microsoft tracks as Storm-1359.
These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools.
We have seen no evidence that customer data has been accessed or compromised.
This recent DDoS activity targeted layer 7 rather than layer 3 or 4. Microsoft hardened layer 7 protections including tuning Azure Web Application Firewall (WAF) to better protect customers from the impact of similar DDoS attacks. While these tools and techniques are highly effective at mitigating the majority of disruptions, Microsoft consistently reviews the performance of its hardening capabilities and incorporates learnings into refining and improving their effectiveness.
Customers should review the technical details and recommended actions section of this blog to increase the resilience of their environments to help mitigate similar attacks.
Technical Details Technical Details
Microsoft assessed that Storm-1359 has access to a collection of botnets and tools that could enable the threat actor to launch DDoS attacks from multiple cloud services and open proxy infrastructures. Storm-1359 appears to be focused on disruption and publicity.
Storm-1359 has been observed launching several types of layer 7 DDoS attack traffic:
HTTP(S) flood attack – This attack aims to exhaust the system resources with a high load of SSL/TLS handshakes and HTTP(S) requests processing. In this case, the attacker sends a high load (in the millions) of HTTP(S) requests that are well distributed across the globe from different source IPs. This causes the application backend to run out of compute resources (CPU and memory).
Cache bypass – This attack attempts to bypass the CDN layer and can result in overloading the origin servers. In this case, the attacker sends a series of queries against generated URLs that force the frontend layer to forward all the requests to the origin rather serving from cached contents.
Slowloris – This attack is where the client opens a connection to a web server, requests a resource (e.g., an image), and then fails to acknowledge the download (or accepts it slowly). This forces the web server to keep the connection open and the requested resource in memory.
Recommendations – Layer 7 DDoS Protection Tips Recommendations – Layer 7 DDoS Protection Tips
Microsoft recommends customers review the following mitigations to reduce their impact to layer 7 DDoS attacks:
- Use layer 7 protection services such as Azure Web Application Firewall (WAF) (available with Azure Front Door, Azure Application Gateway) to protect web applications.
If using Azure WAF:
Use the bot protection managed rule set provides protection against known bad bots. For more information, see Configuring bot protection.
IP addresses and ranges that you identify as malicious should be blocked. For more information, see examples at Create and use custom rules.
Traffic from outside a defined geographic region, or within a defined region, should be blocked, rate limited or redirected to a static webpage. For more information, examples at Create and use custom rules.
Create custom WAF rules to automatically block and rate limit HTTP or HTTPS attacks that have known signatures.
Joint CISA FBI MS-ISAC Guide on Responding to DDoS Attacks and DDoS Guidance for Federal Agencies. US Cybersecurity and Infrastructure Security Agency (accessed 2023-06-14)