You may have recently heard that Microsoft’s Azure Cloud Platform endured a denial of service attack (DDoS) in the last week of August.
This comes just a month after the Russian internet giant Yandex was targeted with a record-breaking DDoS attack by new botnet Mēris, which attacked the company’s web infrastructure with millions of HTTP requests, escalating to a height of 21.8 million requests per second.
This attack on Microsoft, which targeted an unnamed European customer, operated at a similar astounding level, operating at 2.4 Terra bytes per second (Tbps) surpassing the 2.3 Tbps attacks targeted at Amazon Web Services in 2020.
What this means was that there was an extremely high level of data transmission during the attack, a fact which has grave implications in the context of a DDoS attack.
A DDoS attack, is a malicious attempt to disrupt the typical traffic of a targeted network, service or server, by overwhelming the target or its nearby infrastructure with an insurmountable flood of internet traffic.
If that sounds slightly confusing don't worry, here’s a quick diagram that neatly details how these attacks tend to work:
This flood of traffic naturally requires large amounts of data, in this case, huge amounts of TerraBytes.
This specific attack was also a reflected amplification attack, which is a specific type of denial of service attack. It’s where a threat actor takes advantage of the connectionless nature of UDP protocol with spoofed requests, to overwhelm the targeted network or server with a flood of packets.
This subsequently either renders the server and its surrounding infrastructure unavailable or disrupts it enough to be a serious problem.
For note, User Datagram Protocol (UDP) is a communications protocol that is used to establish loss-tolerating and low-latency connections between online applications. It speeds up transmissions by allowing receiving parties to receive data before they provide an official agreement.
The reason UDP is connectionless and therefore vulnerable to reflected amplification attacks is because it does not have a mechanism to ensure the payload, aka the carrying capacity of a transmission data unit, is not corrupted.
Because of this, it has to look after data integrity by itself, foregoing establishing a connection between the source and destination when you submit data.
This attack on Microsoft Azure’s Cloud platform originated from a botnet of approximately 70,000 compromised devices. These devices were located overwhelmingly across the Asia-Pacific reason, in China, Japan, Malaysia, Vietnam, Taiwan and the US.
Microsoft identified three short-lived bursts, which ramped up in mere seconds to terabit volumes, with the first attack at 2.4Tbps, the second at 0.55 Tbps and the final attack at 1.7 Tbps.
Amir Dahan, senior program manager for Azure Networking commented that "Bad actors, now more than ever, continuously look for ways to take applications offline," going on to say that "Attacks of this size demonstrate the ability of bad actors to wreak havoc by flooding targets with gigantic traffic volumes trying to choke network capacity."