Protecting Microsoft Apps from L7 DDoS Attacks

Jay Kelley Miniature
Jay Kelley
Published June 29, 2023

Many of us recently experienced difficulties in accessing some of the core applications that both our organizations and we, as individuals, use every day personally or for our jobs. One by one, many had issues accessing the Microsoft web portal, then OneDrive, and finally, Microsoft Azure Portal on successive days early in June.

Some speculated that the inability to access critical Microsoft applications might have been caused by misconfiguration. Others opined that it may have been a cyberattack. Microsoft communicated that they managed and balanced increased traffic rates to their vital applications. 

Then, on Friday, June 16, a blog posted by the Microsoft Security Response Center (MSRC) titled Microsoft Response to Layer 7 Distributed Denial of Service (DDoS) Attacks outlined the root cause of the outages to the Microsoft applications, which began on June 7 and continued through June 9.

The blog confirmed that Microsoft had been the victim of a layer 7 (L7) DDoS attack, causing a temporary inability to access those services, identified in other publications as, OneDrive, and Microsoft Azure Portal.

The blog post stated that Microsoft “identified surges in traffic against some services that temporarily impacted availability.” It also mentioned that Microsoft “promptly opened an investigation and began tracking ongoing DDoS activity.” The MSRC blog explained that the attack had been perpetrated by a threat actor Microsoft tracks and has identified as Storm-1359, also known as Anonymous Sudan. The blog highlighted that Microsoft saw no evidence customer data had been accessed or compromised. The DDoS attacks were meant to disrupt and bring attention to and promote the attackers – Storm-1359, a.k.a. Anonymous Sudan.

While many DDoS attacks target layer 3 (Network layer) or layer 4 (Transport layer) of the OSI (Open Systems Interconnection) model, an L7 (Application layer) DDoS attack is a different beast altogether. L7 DDoS attacks are much more difficult to detect than L3 or L4 DDoS attacks as they tend to be complex, covert, and undistinguishable from legitimate web application traffic. The attacks target specific components of an application server, bombarding them with requests until they are overburdened and unable to respond to any traffic. These attacks also morph, with attacks changing frequently and many times at random. 

According to Microsoft, the L7 DDoS attack on their services leveraged “a collection of botnets and tools” that enabled the attackers to launch their attack from several cloud services and “open proxy infrastructures,” relying on virtual private servers, cloud environments, open proxies, and purchased or acquired DDoS tools.

Storm-1359 (a.k.a., Anonymous Sudan) employed three different types of L7 DDoS attacks against Microsoft:

  • HTTP(S) flood attack, in which a considerable number of requests, including SSL / TLS handshakes and HTTP(S) requests from a variety of devices across regions and source IP addresses overload system resources, like CPU and memory, causing an application server to cease processing requests.
  • Cache bypass circumvents content delivery networks (CDNs) by launching requests against URLs created and spawned by an attacker, which direct the application to forward all requests to the origin server.
  • Slowloris utilizes a single system to initiate a web server connection and forces the connection to remain open by failing to acknowledge or slowing the acceptance of a resource request.

In the blog post, Microsoft stated they had “hardened layer 7 protections including tuning Azure Web Application Firewall (WAF) to better protect customers” from DDoS attacks.

Microsoft went on to make several recommendations to customers to further protect against L7 (Application layer) DDoS attacks, including:

  • Using Azure WAF or another L7 services to protect web apps
  • Using bot protection in Azure WAF or another service to defend against malicious bots
  • Identifying malicious IP addresses and ranges and blocking them
  • Blocking, setting rate limits, or redirecting traffic from outside a defined geographic region or within an identified region
  • Leveraging known attack signatures to create custom WAF policies to automatically block or rate limit malicious HTTP(S) traffic

F5 web app and API security (WAAP) already helps many Microsoft users and customers secure web applications from complex, difficult to detect L7 DDoS attacks. F5 WAAP is built on the F5 WAF engine and its acclaimed detection and monitoring capabilities, enabling familiarity. Available in any delivery model necessary (hardware, SaaS, and in software as a virtual edition on Microsoft Azure) and in any combination, F5 WAAP can be deployed anywhere apps are hosted, working together to ensure comprehensive protection from L7 DDoS attacks.

Also available is the award-winning F5 Distributed Cloud Bot Defense, F5’s SaaS-based bot mitigation and defense solution, which defends the world’s largest banks, retailers, and airlines. Distributed Cloud Bot Defense protects against malicious bots based on its unparalleled analysis of devices and behavioral signals that unmask automation.

For more about F5 WAAP and DDoS protection solutions and bot defense: