Officials with Microsoft’s Azure public cloud said the company in late August was able to stave off a record distributed denial-of-service (DDoS) attack against a European customer that originated in the Asia-Pacific region.
The attack, which hit 2.4 terabits per second, was 140 percent higher than a 1 Tbps attack last year and higher than any similar event ever detected on the Azure public cloud, according to Amir Dahan, senior program manager for Azure networking.
The DDoS attack originated from about 70,000 sources through a range of Asian countries, including Malaysia, Vietnam, Taiwan, Japan and China, Dahan wrote in a blog post this week. Some of the traffic also came from the United States.
“The attack vector was a UDP [User Datagram Protocol] reflection spanning more than 10 minutes with very short-lived bursts, each ramping up in seconds to terabit volumes,” he wrote. “In total, we monitored three main peaks, the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps.”
Mitigating the DDoS Attack
The company was able to fend off the assault with a range of protective measures in Azure's security arsenal, according to Dahan. DDoS attacks are designed to flood a target with so much traffic that its network links or servers can no longer serve legitimate requests. Attackers typically generate that traffic with botnets or, as in this case, by sending spoofed requests to open UDP services so that the servers' larger replies are directed at the victim. They are launched for a variety of reasons, from extorting companies to pay to have the traffic turned off to diverting attention away from something nefarious going on elsewhere.
Dahan wrote that the public cloud's protection platform is based on distributed DDoS detection and mitigation pipelines that can absorb attacks of tens of terabits per second.
“Attack mitigation lifecycle is orchestrated by our control plane logic that dynamically allocates mitigation resources to the most optimal locations, closest to the attack sources,” he wrote. “In this case, attack traffic which originated in the Asia-Pacific region and the United States, did not reach the customer region but was instead mitigated at the source countries.”
The platform also detects large attacks by monitoring traffic at multiple points across the network and comparing it with a baseline. When the deviation from baseline is large, the Azure DDoS control plane logic skips the confirmation steps needed to avoid false positives on low-volume floods and goes straight to mitigation.
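The two behaviors described above (a UDP reflection burst that ramps to terabit volumes in seconds, and a detector that confirms small deviations over several samples but mitigates immediately when the deviation is huge) can be modeled in a few dozen lines. The following is an added example written for this article; it is not Microsoft's code and says nothing about how Azure's pipeline is actually built. The vantage-point names, thresholds, smoothing factor, reflector port list and per-second traffic samples are all constructed for illustration.

```python
"""Two-tier volumetric DDoS detection over constructed per-second telemetry.

Added example, not Microsoft's code. It models a slow baseline-deviation path
(several consecutive samples before mitigating) and a fast path that skips
confirmation when the deviation is very large, plus a simple UDP reflection
classifier keyed on well-known amplifier source ports. All thresholds and
sample data below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# UDP source ports of services commonly abused as reflectors/amplifiers.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}

SLOW_PATH_RATIO = 3.0      # deviation that starts multi-sample confirmation (assumed)
SLOW_PATH_SAMPLES = 3      # consecutive suspect samples required before mitigating
FAST_PATH_RATIO = 50.0     # deviation large enough to mitigate on the first sample
EWMA_ALPHA = 0.2           # baseline smoothing factor


@dataclass
class VantagePoint:
    """State for one monitoring point: smoothed baseline and confirmation counter."""
    name: str
    baseline_bps: float
    over_threshold_samples: int = 0


@dataclass
class Sample:
    """One second of aggregated traffic toward the protected prefix at one point."""
    point: str
    total_bps: float
    udp_bytes_by_src_port: Dict[int, float] = field(default_factory=dict)


def classify_reflection(sample: Sample, min_share: float = 0.8) -> Optional[str]:
    """Label the sample as UDP reflection when most UDP bytes arrive from known
    amplifier source ports; otherwise return None."""
    total = sum(sample.udp_bytes_by_src_port.values())
    if total == 0:
        return None
    hits = {REFLECTOR_PORTS[p]: b for p, b in sample.udp_bytes_by_src_port.items()
            if p in REFLECTOR_PORTS}
    if sum(hits.values()) / total < min_share:
        return None
    return "UDP reflection (" + ",".join(sorted(hits)) + ")"


def evaluate(vp: VantagePoint, sample: Sample) -> str:
    """Return 'normal', 'suspect' or 'mitigate' for one sample and update state.
    The baseline advances only on normal samples so the attack cannot inflate it."""
    ratio = sample.total_bps / vp.baseline_bps
    if ratio >= FAST_PATH_RATIO:           # fast path: no confirmation needed
        vp.over_threshold_samples = 0
        return "mitigate"
    if ratio >= SLOW_PATH_RATIO:           # slow path: confirm over several samples
        vp.over_threshold_samples += 1
        if vp.over_threshold_samples >= SLOW_PATH_SAMPLES:
            vp.over_threshold_samples = 0
            return "mitigate"
        return "suspect"
    vp.over_threshold_samples = 0
    vp.baseline_bps = (1 - EWMA_ALPHA) * vp.baseline_bps + EWMA_ALPHA * sample.total_bps
    return "normal"


def run(samples: List[Sample], points: Dict[str, VantagePoint]) -> Tuple[list, float]:
    """Feed samples through the per-point detectors; return decisions and peak Tbps."""
    decisions, peak = [], 0.0
    for s in samples:
        decisions.append((s.point, evaluate(points[s.point], s), classify_reflection(s)))
        peak = max(peak, s.total_bps / 1e12)
    return decisions, peak


def demo() -> Tuple[list, float]:
    """Constructed scenario: a gentle rise at one edge, then a reflection burst."""
    points = {"apac-edge": VantagePoint("apac-edge", 2.0e10),   # 20 Gbps baseline
              "us-edge": VantagePoint("us-edge", 5.0e9)}        # 5 Gbps baseline
    benign_udp = {443: 1.0e9, 53: 1.0e8}                        # mostly QUIC, a little DNS
    reflected = {123: 7.0e10, 1900: 2.0e10, 443: 5.0e9}         # NTP/SSDP replies dominate
    samples = [
        Sample("apac-edge", 2.2e10, benign_udp),    # normal, baseline adjusts
        Sample("apac-edge", 9.0e10, benign_udp),    # ~4x: suspect (1/3)
        Sample("apac-edge", 9.0e10, benign_udp),    # suspect (2/3)
        Sample("apac-edge", 9.0e10, benign_udp),    # confirmed: mitigate
        Sample("apac-edge", 2.4e12, reflected),     # ~118x: fast path, reflection
        Sample("us-edge", 5.2e9, benign_udp),       # normal at another point
    ]
    return run(samples, points)


if __name__ == "__main__":
    decisions, peak_tbps = demo()
    for point, verdict, label in decisions:
        print(f"{point:10s} {verdict:9s} {label or ''}")
    print(f"peak observed: {peak_tbps:.2f} Tbps")
```

The important design choice is that the baseline only learns from samples judged normal; a detector that keeps averaging in attack traffic will quietly raise its own threshold and stop alerting part-way through a long campaign.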
DDoS an Ongoing Threat
In recent years, ransomware has gotten the lion's share of attention from the highest levels of the tech and security industries as well as the federal government, including the Biden Administration. That said, DDoS attacks continue to be a problem. According to Microsoft Azure's report on DDoS attack trends for the first half of the year, released just a few weeks before the massive DDoS campaign against the unnamed European customer, the number of attacks rose 25 percent compared with the last quarter of 2020, while the maximum attack throughput declined from 1 Tbps in the third quarter of 2020 to 635 Gbps during the first six months of 2021.
Others are seeing similar trends. In Netscout's report for the first half of the year, the company found that attackers launched 5.4 million DDoS attacks during that time, a record-breaking number that marked an 11 percent year-over-year increase.
In addition, the application and network performance management vendor found that attacks using 20 or more vectors jumped 106 percent and included a record-breaking 31-vector attack in Germany. In the first half of the year, 200,000 botnets drove 2.8 million DDoS attacks.
Cloudflare in July said it fought off a DDoS botnet attack that was sending 17.2 million requests per second against a target in the financial services industry.
IoT Exacerbating the Situation
Veterans in the cybersecurity field point to the expanding Internet of Things (IoT) space as one driver of the escalating numbers of DDoS attacks.
“For years the cybersecurity community has been talking about how IoT devices will lead to larger botnets capable of stronger DDoS attacks,” Vishal Jain, co-founder and CTO of multicloud security vendor Valtix, told eSecurity Planet. “As the volume of vulnerable, compromised and misconfigured IoT devices grows, cloud service providers will be challenged to protect their customers' services.”
In addition, Jain said, Microsoft's claim that it can mitigate tens of terabits of DDoS traffic poses a new challenge to threat actors.
“Attackers have been known to use DDoS attacks as diversions, distracting security teams while they move laterally or exfiltrate data,” he said. “It’s possible that this was a test of a new DDoS service. Any press is good press. More likely, someone was making an ideological statement towards the target or hoping to collect a ransom by restoring downed services.”
Possible Nation-State Attack
Determining the motivation behind the attack is harder because the victim's name has not been made public. Jain noted that hack-for-hire services are becoming reliable sources of income for cybercriminals, with operators reinvesting profits from ransomware-as-a-service (RaaS) and similar schemes in marketing, feature development and improvements to their platforms.
“The cyber-underground is heavily based on reputation, so any DDoS service provider who aims to turn a profit needs to keep their customers happy by continually maintaining their product,” he said.
Ben Pick, senior application security consultant at application security company nVisium, said the size of the attack mitigated by Azure isn’t surprising given the increasing size of high-profile botnets, but determining the motivation or perpetrator is a challenge with the name of the target unpublished.
“However, given the size and global sources of the botnet devices, this was a well-funded and well-coordinated attack, which does indicate a nation state as the likely culprit,” Pick told eSecurity Planet.
The size of the attack outlined by Microsoft, surpassing 2 Tbps, indicates that bad actors are realizing the potential rewards of DDoS attacks in their campaigns and are refining their tools, according to Stefano De Blasi, cyber threat intelligence analyst at risk protection firm Digital Shadows. De Blasi also noted that Digital Shadows has often seen attackers combine DDoS attacks with cyber-extortion tactics, giving a glimpse of how the threat could evolve.
“Although maybe not as eye-catching as other cyber threats, DDoS attacks remain a persistent malicious technique frequently used by various threat actors,” he told eSecurity Planet. “Although DDoS attacks are commonly associated with technically unsophisticated attackers, these events remind us that highly skilled adversaries can mount high-intensity operations that may result in severe consequences for their targets.”
Defending Against DDoS
nVisium’s Pick said enterprises can protect against DDoS attacks by using intermediate tools at network boundaries.
“Most cloud services include security tools to mitigate or outright prevent DDoS attacks,” he said. “Utilizing a specific tool is a better protection mechanism than spinning up resources to accommodate the additional network bandwidth, as that can cause massive impacts to the overall infrastructure costs.”
Valtix's Jain also said an incident response plan that includes a DDoS mitigation service will alert organizations to a possible DDoS attack and identify what is impacted, enabling security teams to take a proactive approach rather than reacting to downed services. In addition, they should use edge-based volumetric Layer 4 (network-level) DDoS protections that complement Layer 7 (application-level) DDoS protections deployed close to internet-facing applications.