2023-06-19
Microsoft Says Cloud Portal Outages Were Due to DDoS Attacks
In a June 16 blog post, Microsoft revealed that recent cloud outages were caused by Layer 7 distributed denial-of-service (DDoS) attacks. Microsoft’s Outlook.com, OneDrive, and Azure Cloud portals suffered outages earlier this month. At the time, Microsoft said they were “applying load balancing processes in order to mitigate the issue.”
Editor's Note
It is very difficult to protect highly interactive web applications with a global user base from a DDoS attack. But it is somewhat surprising that a large provider like Microsoft can be impacted by a DDoS attack initiated by a rather "random/unknown" group.

Johannes Ullrich
Timely post, since Microsoft’s data shows July and August for some reason are the top months for DDoS attacks hitting Azure services. This is an area where cloud services and service-level agreements (SLAs) are quite complicated, especially for Infrastructure as a Service. An attack against Azure is one thing; an attack against your resources on Azure may be a totally different issue. For example, Microsoft’s guide to SLAs for its online services is 99 pages long; Azure SLAs take up 70 pages alone. There are add-on fee-based DDoS protection services at the IP address level and the overall network level, as well as fee-based Azure Web App Firewall services – and all those have their own SLAs. Some of the DDoS SLAs cover the costs of increasing resources to maintain performance, sometimes not. All SLAs essentially only provide some cost relief vs. any guarantee of uptime. Make sure your procurement and legal teams have researched applicable SLAs and that a conscious decision has been made about the need for backup/switchover capabilities vs. just living with any outage time.

John Pescatore
Takes a lot of guts to publicly reveal a shortfall; kudos to Microsoft for sharing what happened and how to improve. Microsoft had DDoS protections dialed in for a layer 3 or 4 attack. Subsequently, Microsoft turned up their protections at layer 7. There is no such thing as being completely immune to DDoS attacks, but the lessons learned from Microsoft can help you raise the bar and weather the storm. Make sure that both you and your CDN have protections in place, such as a WAF, configured with the latest DDoS configuration your provider offers.

Lee Neely
Expect this to be the first of many in the news. This is bound to happen as we consolidate providers. You have to wonder if AWS ever has a DDoS against us-east-1.

Moses Frost
No real surprise here: it was a DDoS attack on Azure applications. MSFT recommends using a web application firewall, at an additional cost, to mitigate this sort of attack. Given that additional costs are involved, probably a good time to review the service level agreement to adjudicate responsibility to maintain service uptime.

Curtis Dukes
Read more in
Microsoft: Microsoft Response to Layer 7 Distributed Denial of Service (DDoS) Attacks
The Register: With dead-time dump, Microsoft revealed DDoS as cause of recent cloud outages
Bleeping Computer: Microsoft confirms Azure, Outlook outages caused by DDoS attacks
Security Week: Microsoft Says Early June Disruptions to Outlook, Cloud Platform, Were Cyberattacks
SC Magazine: Hacktivist group Anonymous Sudan a ‘bear in wolf’s clothing’