In response to a series of Layer 7 Distributed Denial of Service (DDoS) attacks, Microsoft has taken swift action to enhance its security measures and protect its customers. The attacks, initiated by a threat actor known as Storm-1359, targeted Microsoft’s services, causing temporary disruptions in availability. However, there is no evidence to suggest that customer data has been compromised.

Microsoft is recommending Layer 7 Azure Web Application Firewall services for its users

Microsoft’s investigation revealed that Storm-1359 employs a combination of tactics, including accessing multiple virtual private servers (VPS), rented cloud infrastructure, open proxies, and DDoS tools. Unlike traditional DDoS attacks that focus on Layer 3 or 4, these recent attacks specifically targeted Layer 7, posing a greater challenge to mitigation efforts.


To address this new wave of attacks, Microsoft has hardened its Layer 7 protections by fine-tuning the Azure Web Application Firewall (WAF). This proactive measure aims to shield customers from the impact of similar DDoS attacks. While the existing tools and techniques have proven highly effective in mitigating disruptions, Microsoft remains committed to continuous improvement.

To assist customers in fortifying their own environments against similar attacks, Microsoft encourages them to review the technical details and recommended actions provided. By implementing the suggested measures, customers can enhance the resilience of their systems and minimize the potential impact of Layer 7 DDoS attacks.

Microsoft’s analysis of Storm-1359 revealed that the threat actor possesses a collection of botnets and tools capable of launching DDoS attacks from various cloud services and open proxy infrastructures. Storm-1359 appears primarily motivated by disruption and seeking publicity through its activities.

The attacks launched by Storm-1359 encompass several types of Layer 7 DDoS attacks. These include the HTTP(S) flood attack, which overwhelms system resources with an excessive load of SSL/TLS handshakes and HTTP(S) requests. Additionally, Storm-1359 employs cache bypass techniques to overload origin servers by sending queries against generated URLs, effectively bypassing the CDN layer. Another attack method utilized is Slowloris, where the attacker opens a connection to a web server, requests a resource, and then deliberately fails to acknowledge or accept the download. This forces the server to keep the connection and requested resource in memory, causing resource depletion.

To mitigate the impact of Layer 7 DDoS attacks, Microsoft recommends customers utilize Layer 7 protection services such as Azure Web Application Firewall (WAF), which is available with Azure Front Door and Azure Application Gateway. Customers should also block IP addresses and ranges identified as malicious and consider implementing rate limiting or redirection of traffic from outside or within specific regions. By creating custom WAF rules to automatically block and rate limit HTTP or HTTPS attacks with known signatures, organizations can further fortify their defenses against Layer 7 DDoS attacks.
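As an added illustration that is not part of the Microsoft advisory or this article, the following Python script shows how a defender could surface two of the Layer 7 patterns described above in ordinary web server access logs: an HTTP(S) flood (a per-source request rate that would justify a rate-limit rule) and CDN cache bypass (one source hitting a single path with many generated query strings). The log lines, IP addresses and thresholds are constructed samples, not data from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample access log (Common Log Format); not traffic from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jun/2023:10:00:00 +0000] "GET /index.html?c=a1 HTTP/1.1" 200 512
203.0.113.5 - - [08/Jun/2023:10:00:01 +0000] "GET /index.html?c=b2 HTTP/1.1" 200 512
203.0.113.5 - - [08/Jun/2023:10:00:02 +0000] "GET /index.html?c=c3 HTTP/1.1" 200 512
203.0.113.5 - - [08/Jun/2023:10:00:03 +0000] "GET /index.html?c=d4 HTTP/1.1" 200 512
198.51.100.7 - - [08/Jun/2023:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [08/Jun/2023:10:00:09 +0000] "GET /about.html HTTP/1.1" 200 734
192.0.2.9 - - [08/Jun/2023:10:01:00 +0000] "GET /search?t=x1 HTTP/1.1" 200 900
192.0.2.9 - - [08/Jun/2023:10:02:00 +0000] "GET /search?t=x2 HTTP/1.1" 200 900
192.0.2.9 - - [08/Jun/2023:10:03:00 +0000] "GET /search?t=x3 HTTP/1.1" 200 900
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" \d{3} \S+$')

def parse_log(text):
    """Return (ip, timestamp, path, query) tuples; lines that do not match are skipped."""
    entries = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        path, _, query = m.group("url").partition("?")
        entries.append((m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"), path, query))
    return entries

def flood_sources(entries, window=10, max_requests=3):
    """IPs sending more than max_requests in any sliding window of `window` seconds (HTTP(S) flood)."""
    by_ip = defaultdict(list)
    for ip, ts, _, _ in entries:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0  # left edge of the sliding window over this IP's sorted timestamps
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 > max_requests:
                flagged.add(ip)
                break
    return flagged

def cache_bypass_sources(entries, min_distinct=3):
    """IPs that hit one path with many distinct query strings, i.e. generated URLs that defeat the CDN cache."""
    queries = defaultdict(set)
    for ip, _, path, query in entries:
        if query:
            queries[(ip, path)].add(query)
    return {ip for (ip, _), q in queries.items() if len(q) >= min_distinct}
```

The slow source 192.0.2.9 is caught only by the cache-bypass check, which is why the two signals are kept separate; Slowloris is not visible in request logs at all and needs connection-level telemetry from the load balancer or server.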
