Customers who noticed issues with Azure on July 30 were likely trying to access it during a newly confirmed DDoS attack, which Microsoft says was exacerbated by an error in the implementation of their automated defense systems. The Azure outage lasted for about eight hours in total, though some users were able to access their accounts after only about three hours.
Microsoft Azure outage had global impact on a variety of services
While the Azure outage impacted customers around the world, it was not universal. However, it did limit a very broad variety of Microsoft’s services. One of the impacted services was authentication tool Entra, which in turn caused outages at a variety of organizations from GitHub and DocuSign to Minecraft developer Mojang.
Microsoft confirmed that it was weathering a DDoS attack on Azure from 11:45 UTC to 19:43 UTC on July 30. The company has automated defense mechanisms that would usually fend off such an attack, but it appears that there was an implementation error that actually magnified the impact of the DDoS attack rather than limiting it. The company says it was able to mitigate most of the Azure outage within 2.5 hours, but it took the full period to restore access to all customers.
Microsoft has not yet attributed the attack to anyone, but a group calling itself “Blackmeta” took to social media to claim the attack and provided some evidence that they were the perpetrators. The group styles itself as an anti-US “hacktivism” collective that purportedly targets American and French companies and critical infrastructure. Microsoft says that it plans to release a more detailed analysis of the incident by mid-August.
That analysis will likely provide much more detail on the specific technical failures involved in the Azure outage, but Rody Quinlan (staff research engineer, Tenable) provides some preliminary general thoughts on how a mistake in a defensive setup might actually help a DDoS attack gain steam: “Organizations can inadvertently amplify cyberattacks through various implementation errors, such as misconfigured rate limiting, inefficient load balancing, firewall misconfigurations, overly aggressive security rules, inadequate resource scaling, incorrect traffic filtering, and dependence on single points of failure. These errors can lead to blocked legitimate traffic, overloaded servers, bottlenecked firewalls, and critical services being taken offline.”
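Of the implementation errors Quinlan lists, misconfigured rate limiting is the easiest to reproduce in a few lines. The simulation below is an added example written for this article, not code from Microsoft, Azure or Tenable, and the client names and traffic volumes in it are constructed. It charges a one-second flood from a single source against two limiter configurations: one where every request draws from a single shared token bucket, and one where each client is charged against its own bucket. The shared bucket is the "error that magnifies the attack": the flood drains it, and a legitimate client sending ten requests per second is then rejected almost every time.

```python
"""Constructed simulation: a rate limiter keyed globally turns a flood into a
denial of service for legitimate clients; a per-client token bucket isolates
the flood's impact. Added example for this article, not vendor code. Client
names ("flood-src", "legit-client") and volumes are constructed."""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens refill per second, up to `capacity`."""

    def __init__(self, rate: float, capacity: float):
        self.rate = rate
        self.capacity = capacity
        self.tokens = capacity
        self.last = 0.0

    def allow(self, now: float) -> bool:
        elapsed = now - self.last
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """key_fn maps a client to the bucket it is charged against.

    The misconfigured variant returns one constant key for all traffic, so a
    single noisy source exhausts everyone's budget. The correct variant keys
    on the client (in practice the source address or an API identity)."""

    def __init__(self, rate: float, capacity: float, key_fn):
        self.rate, self.capacity, self.key_fn = rate, capacity, key_fn
        self.buckets = {}

    def allow(self, client: str, now: float) -> bool:
        key = self.key_fn(client)
        bucket = self.buckets.setdefault(key, TokenBucket(self.rate, self.capacity))
        return bucket.allow(now)


def simulate(limiter: RateLimiter, requests):
    """requests: sorted list of (timestamp, client). Returns {client: (allowed, total)}."""
    stats = defaultdict(lambda: [0, 0])
    for now, client in requests:
        stats[client][1] += 1
        if limiter.allow(client, now):
            stats[client][0] += 1
    return {c: tuple(v) for c, v in stats.items()}


def build_traffic():
    """Constructed one-second window: the flood source sends 1000 requests,
    the legitimate client sends 10 spread evenly across the same second."""
    flood = [(i / 1000.0, "flood-src") for i in range(1000)]
    legit = [(0.05 + i * 0.1, "legit-client") for i in range(10)]
    return sorted(flood + legit)


def legit_rejection_rate(key_fn) -> float:
    """Fraction of the legitimate client's requests that the limiter rejects."""
    limiter = RateLimiter(rate=100.0, capacity=100.0, key_fn=key_fn)
    stats = simulate(limiter, build_traffic())
    allowed, total = stats["legit-client"]
    return 1.0 - allowed / total


GLOBAL_KEY = lambda client: "everyone"   # misconfiguration: one bucket for all
PER_CLIENT_KEY = lambda client: client   # correct: one bucket per client

if __name__ == "__main__":
    print("shared bucket, legit rejected:", legit_rejection_rate(GLOBAL_KEY))
    print("per-client bucket, legit rejected:", legit_rejection_rate(PER_CLIENT_KEY))
```

With the shared bucket the flood burns the 100-token budget in roughly the first tenth of a second, after which the limiter admits about one request per ten milliseconds and the flood source, arriving first each time, takes nearly all of them; the legitimate client gets one request through and loses the other nine. The per-client configuration rejects none of the legitimate traffic. Keying by source is only one layer, since a distributed flood spreads across many keys, but it is the difference between a limiter that contains an attack and one that finishes the attacker's job.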
DDoS attacks spike due to hacktivism and for-profit applications
Though at least occasional outages should be expected with a company the size of Microsoft and the breadth of products it has, massive news-making outages are starting to become an annual event. The recent Azure outage follows a botched Enterprise Configuration Service (ECS) deployment in July 2022, which knocked out a variety of Microsoft 365 services for a few hours, and a January 2023 WAN router IP change that was botched and took out various Azure services for about five hours.
These are far from the only recent outages for Microsoft, however. On the same day that the errant CrowdStrike update “blue screened” millions of Windows PCs around the world, an Azure configuration change caused a temporary outage of some Microsoft 365 services. Past Azure outages (from 2018 and earlier) have been caused by colorful reasons such as a lightning strike near a Texas data center, the accidental release of fire suppression gas in a server room, and a cooling system failure at a Japanese data center.
Azure outages have not been the company’s only concern with the service. There has also been something of a pattern developing in terms of internal Microsoft storage buckets being exposed to the general public in one way or another. In September 2023, security researchers found a highly sensitive storage account exposed via an overly permissive Shared Access Signature (SAS) token that held internal messages and passwords and may have been open to exploitation as far back as July 2020. That was preceded by the September 2022 discovery of an Azure Blob Storage bucket containing sensitive internal Microsoft files that was left open due to a misconfiguration.
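The 2023 exposure came down to a Shared Access Signature that granted too much, to too wide a scope, for too long. The audit below is an added example written for this article, not Microsoft tooling, and it checks a SAS URL for exactly those properties using the documented SAS query parameters (sp for permissions, se for expiry, srt and sr for scope, spr for protocol, sip for source-IP restriction). The two URLs it is run against are constructed, as is the "now" timestamp; the signature values are placeholders.

```python
"""Audit a Shared Access Signature (SAS) URL for the over-permission that turns
a leaked link into a long-lived exposure. Added example for this article, not
Microsoft tooling. Both URLs below and AUDIT_TIME are constructed."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Any "sp" letter beyond plain read (r) is treated as elevated:
# a=add, c=create, w=write, d=delete, l=list, x=delete version, t=tag, f=filter, ...
ELEVATED_PERMS = set("acwdlxtfmeop")


def parse_sas(url: str) -> dict:
    """Return the SAS query parameters as a flat dict (first value of each key)."""
    query = parse_qs(urlparse(url).query)
    return {k: v[0] for k, v in query.items()}


def parse_expiry(value: str) -> datetime:
    """SAS times are ISO 8601 UTC: full timestamp or date-only."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS expiry: {value}")


def audit_sas(url: str, now: datetime, max_lifetime: timedelta = timedelta(days=7)) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    p = parse_sas(url)
    findings = []
    perms = set(p.get("sp", ""))
    if perms & ELEVATED_PERMS:
        findings.append("grants more than read access: sp=" + p["sp"])
    if "se" not in p:
        findings.append("no expiry (se) parameter")
    elif parse_expiry(p["se"]) - now > max_lifetime:
        findings.append(f"expiry {p['se']} is more than {max_lifetime.days} days away")
    # Account SAS: srt lists resource types (s=service, c=container, o=object)
    srt = p.get("srt", "")
    if "s" in srt or "c" in srt:
        findings.append("account-level scope: srt=" + srt)
    # Service SAS: sr=c covers a whole container, sr=b a single blob
    if p.get("sr") == "c":
        findings.append("scope is an entire container (sr=c)")
    if "http" in p.get("spr", "").split(","):
        findings.append("plain HTTP permitted: spr=" + p["spr"])
    if "sip" not in p:
        findings.append("no source IP restriction (sip)")
    return findings


# Constructed inputs. The first resembles the shape of an account-wide,
# read/write/delete token valid for years; the second is scoped to one blob,
# read-only, five days, HTTPS only, one source address.
OVERLY_PERMISSIVE = ("https://example.blob.core.windows.net/"
                     "?sv=2020-08-04&ss=b&srt=sco&sp=rwdlac"
                     "&se=2031-12-31T23:59:59Z&spr=https,http&sig=PLACEHOLDER")
SCOPED = ("https://example.blob.core.windows.net/reports/q3.pdf"
          "?sv=2020-08-04&sr=b&sp=r&se=2024-08-05T00:00:00Z"
          "&spr=https&sip=203.0.113.10&sig=PLACEHOLDER")
AUDIT_TIME = datetime(2024, 7, 31, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    for name, url in (("overly permissive", OVERLY_PERMISSIVE), ("scoped", SCOPED)):
        print(name, audit_sas(url, AUDIT_TIME) or ["no findings"])
```

Run against the first URL the audit reports five findings (elevated permissions, multi-year expiry, account-level scope, HTTP allowed, no IP restriction); the second returns none. The same checks can be run over SAS links found in source repositories, tickets or chat exports, which is where the 2023 token was discovered, and the expiry check is the one that would have caught a token still valid years after it was issued.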
But this does not necessarily point to any worrying new developments in Microsoft’s security level, as David Higgins (Senior Director, Field Technology Office at CyberArk) notes: “It does highlight some key points though. Firstly, again, around the misconfiguration—a strong reminder that implementing security isn’t enough and organizations should take proactive steps to constantly test their own defenses. Secondly, the importance of operational resilience—organizations need to ensure they have proven contingency processes in place so that an outage in Microsoft services doesn’t stop business.”
DDoS attacks are also seeing a general rise, particularly those targeting cloud services. Several recent studies noted a spike in 2023, along with a general increase in the capacity and improvement in the techniques wielded by the biggest attackers. This appears to have revived DDoS as a profitable avenue for cyber crime after activity had flatlined since about 2020. Businesses can now expect to weather a DDoS attack almost once a month on average. Late 2023 saw the development of the “HTTP/2 Rapid Reset Attack,” which broke world records for DDoS attack size in its initial deployments against Cloudflare, Google and Amazon. Security patching has since greatly reduced the threat potential of this approach, but some organizations must apply those patches proactively for that protection to hold. DDoS attacks are also picking up as a cyber warfare technique as military conflicts continue to develop around the world, undertaken both by military intelligence units and “hacktivists” with varying levels of direct alignment with them.