Microsoft Azure Outage Caused by DDoS Attack

Microsoft has confirmed the cause of the outage on July 30 was a distributed denial-of-service attack. However, its advisory added that the issue was exacerbated by an “error in the implementation of their defenses” during a mitigation attempt.

The Azure cloud services were impacted between approximately 11:45 UTC and 19:43 UTC after being flooded by internet traffic. Redmond security pros say that the Azure Front Door and Azure Content Delivery Network components were “performing below acceptable thresholds, leading to intermittent errors, timeout, and latency spikes.”

Microsoft has DDoS protection mechanisms that kick in automatically. However, an error in their implementation “amplified the impact of the attack rather than mitigating it.” The security team performed network configuration changes and failovers to alternate networking paths to provide relief to the primary systems.

The majority of the impact was mitigated within two-and-a-half hours, but more work needed to be done at 18:00 UTC to restore availability for all users. The incident was declared over at 20:48 UTC.

The party responsible for the DDoS has not yet been identified. However, the hacktivist group “SN_blackmeta” has claimed responsibility. Microsoft says it will release a preliminary post-incident review before the end of the week and a more in-depth review within 14 days.

TechRepublic has reached out to Microsoft for comment.

SEE: White Hat Hackers Discover Microsoft Leak of 38TB of Internal Data Via Azure Storage

The Azure outage had global reach, impacting a subset of customers attempting to connect to Azure App Services, Application Insights, Azure IoT Central, Azure Log Search Alerts, Azure Policy, the Azure portal itself, and a subset of Microsoft 365 and Microsoft Purview services.

Many different organisations made statements on Tuesday, notifying users that their services were disrupted as a result of the Azure DDoS attack. These include Minecraft maker Mojang, GitHub’s CodeSpaces, DocuSign, water companies, courts and football clubs. Microsoft later apologised for the inconvenience.

Stephen Robinson, senior threat intelligence analyst at security firm WithSecure, told TechRepublic in an emailed statement: “Modern online services are built on stacked layers of dependencies, and in a significant proportion of service stacks you will find Microsoft services. One of the affected Microsoft services, Entra, is used to allow people to log on to services and websites, and without it, users are not able to log in.

“As such, while this outage only lasted for a short time and affected a subset of services, the impact was still noticeable to many people.”

What is a denial of service attack?

A denial of service (DoS) attack is an attack strategy where a malicious actor attempts to prevent others from accessing a web server, web application or cloud service by flooding it with service requests.

While a DoS attack is essentially of a single origin, a distributed denial of service (DDoS) attack uses a large number of machines on different networks to disrupt a particular service provider; this is more challenging to mitigate as the attack is being waged from multiple sources.

DDoS attacks are on the rise

DDoS attacks are becoming more prevalent. Cloudflare recorded a 20% year-on-year increase in Q2 2024, after a 50% increase in Q1. There are indications that this increase is linked to geopolitics, with anti-DDoS service Stormwall noting a correlation with election periods and an increase of attacks on Israel since the escalation of the conflict in Gaza.

SEE: New DDoS Attack is Record Breaking: HTTP/2 Rapid Reset Zero-Day Reported by Google, AWS & Cloudflare

Significant DDoS attacks that impact Microsoft’s services are rare but not unheard of. In June 2023, a series of attacks targeting Azure and other online platforms were attributed to a hacktivist group named Anonymous Sudan, disrupting services like Outlook and OneDrive.

Microsoft also reported an increase in DDoS attacks over the holiday season that year, as attackers sought to take advantage of lower staff numbers.

However, non-DDoS outages have plagued Microsoft this summer. On July 19, tens of thousands of users in the U.S. could not access Microsoft 365 services after an Azure configuration change. This came just hours after an error in a CrowdStrike Falcon Sensor update disrupted 8.5 million Windows devices worldwide.