Microsoft Reports 2.4 Tbps DDoS Attack Targeting an Azure Customer

Microsoft recently revealed that one of its Azure customers was hit by a 2.4 Tbps distributed denial-of-service (DDoS) attack last August.

In the blog post “Business as usual for Azure customers despite 2.4 Tbps DDoS attack,” Amir Dahan Senior Program Manager at Microsoft’s Azure Networking said the 2.4 Tbps DDoS attack is 140 percent higher than 2020’s 1 Tbps attack and higher than any network volumetric event previously detected on Azure.

Dahan said the 2.4 Tbps DDoS attack on Azure infrastructure originated from approximately 70,000 sources and from multiple countries in the Asia-Pacific region, including Malaysia, Vietnam, Taiwan, Japan, and China, as well as from the United States.

“The attack vector was a UDP reflection spanning more than 10 minutes with very short-lived bursts, each ramping up in seconds to terabit volumes,” Dahan said. “In total, we monitored three main peaks, the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps.”

With the adoption of cloud services, Dahan said, “Bad actors, now more than ever, continuously look for ways to take applications offline.’

In the blog post "Azure DDoS Protection—2021 Q1 and Q2 DDoS attack trends," Alethea Toh Program Manager at Microsoft’s Azure Networking reported that the first half of 2021 saw a sharp increase in DDoS attacks on Azure resources per day. Toh said Microsoft’s Azure mitigated an average of 1,392 DDoS attacks per day in the first half of 2021, the maximum reaching 2,043 attacks on May 24, 2021.

“In total, we mitigated upwards of 251,944 unique [DDoS] attacks against our global infrastructure during the first half of 2021,” Toh said.

Toh added that in the first half of 2021, the average DDoS attack size was 325 Gbps, with 74 percent of the attacks being 30 minutes or less and 87 percent being one hour or less.

In 2020 Google, meanwhile, revealed a 2.5 Tbps DDoS attack on its infrastructure. In the blog post “Exponential growth in DDoS attack volumes,” Damian Menscher, Security Reliability Engineer at Google, said that Google’s infrastructure was hit by a 2.5 Tbps DDoS attack in September 2017. This 2.5 Tbps DDoS attack on Google infrastructure, Menscher said, was a culmination of a six-month campaign that utilized multiple methods of attack, simultaneously targeting Google’s thousands of IPs.

“The attacker used several networks to spoof 167 Mpps (millions of packets per second) to 180,000 exposed CLDAP, DNS, and SNMP servers, which would then send large responses to us,” Menscher said.

Top Attack Vectors

DDoS is a type of cyberattack that floods targets with gigantic traffic volumes with the aim of choking network capacity.

“While UDP attacks comprised the majority of attack vectors in Q1 of 2021, TCP overtook UDP as the top vector in Q2,” Toh of Microsoft's Azure said. “From Q1 to Q2, the proportion of UDP dropped from 44 percent to 33 percent, while the proportion of TCP increased from 48 percent to 60 percent.”

According to Toh, in Q1 of 2021, a total of 33% attack vectors came from UDP flood, 24% from TCP other flood, 21% from TCP ACK flood, 11% from UDP amplification, 7% from IP protocol flood, 3% from TCP SYN flood.

For Q2 of 2021, Toh said, a total of 23% attack vectors came from UDP flood, 29% from TCP other flood, 28% from TCP ACK flood, 10% from UDP amplification, 6% from IP protocol flood, and 3% from TCP SYN flood.

In January, Toh said, Microsoft Windows servers with Remote Desktop Protocol (RDP) enabled on UDP/3389 were being abused to launch UDP amplification attacks, with an amplification ratio of 85.9:1 and a peak at approximately 750 Gbps.

In February, Toh said, video streaming and gaming customers were getting hit by Datagram Transport Layer Security (D/TLS) attack vector which exploited UDP source port 443.

In June, Toh said, reflection attack iteration for the Simple Service Delivery Protocol (SSDP) emerged. SSDP normally uses source port 1900. The new mutation, Toh said, was either on source port 32414 or 32410, also known as Plex Media Simple Service Delivery Protocol (PMSSDP).

Cybersecurity Best Practices

Organizations with internet-exposed workloads are vulnerable to DDoS attacks. Some DDoS attacks focus on a specific target from application layer (web, DNS, and mail servers) to network layer (routers/switches and link capacity). Some DDoS attackers may not focus on a specific target, but rather, attack every IP in your organization’s network.

Microsoft and Google have their own DDoS mitigating measures that can absorb multi-terabit DDoS attacks. On the part of Google, the company said it reported thousands of vulnerable servers to their network providers, and also worked with network providers to trace the source of the spoofed packets so they could be filtered.

Small and medium-sized organizations can now avail of a DDoS protection solution that can absorb multi-terabit DDoS attacks. Today’s DDoS protection solution operates autonomously, without human intervention. Failure to protect your organization’s resources from DDoS attacks can lead to outages and loss of customer trust.

We can also help in preventing DDoS attacks from happening by ensuring that our computers and IoT devices are patched and secured.