Showing posts with label Azure DDoS Protection. Show all posts

Thursday, 1 February 2024

Unwrapping the 2023 holiday season: A deep dive into Azure’s DDoS attack landscape


As the holiday season of 2023 unfolded, it brought not only cheer and celebration but also a surge in Distributed Denial-of-Service (DDoS) attacks. This year’s DDoS trends reveal a complex and evolving threat landscape. From exposed, misconfigured Docker API endpoints being used to deliver botnet agents to the emergence of NKAbuse, a malware family that abuses the blockchain-based NKN peer-to-peer network for its command channel and its DDoS traffic, the tactics and scale of these attacks have shown significant sophistication and diversification.

The 2023 holiday season attack landscape in Azure


In our monitoring of the attack landscape during the holiday season, we observed a notable shift in some of the attack patterns compared to the previous year. This change underscores the relentless efforts of malicious actors to refine their threat tactics and attempt to circumvent DDoS protection strategies.

Daily attack volume: Azure’s security infrastructure automatically mitigated a peak of 3,500 attacks daily. Notably, large-scale attacks, exceeding 1 million packets per second (pps), constituted 15%-20% of these incidents.*

Figure 1: Number of daily DDoS attacks towards resources in Azure.

Geographical origins: A shift in attack origins was observed, with the top two origin countries being China with 42% of the attacks and the USA with 18%. All other countries make up 40% of attacks.* This marks a change from the previous year, where both countries were equally represented as the top two regional sources.

Figure 2: Source countries for DDoS Attacks on Azure.

Attack protocols: The 2023 holiday season saw a predominant use of UDP-based attacks, targeting gaming workloads and web applications and accounting for 78% of the attacks. These include UDP reflected/amplified attacks, which predominantly leverage the domain name system (DNS) and the simple service discovery protocol (SSDP), as well as QUIC, which runs over UDP (typically port 443), as a reflection vector. Notably, QUIC is emerging as a more common attack vector, either by reflection or through DDoS stressers that flood UDP port 443 with randomized payloads. This year’s holiday season attack patterns contrast sharply with the previous year, when TCP-based attacks made up 65% of all attacks.*

Figure 3: Attacks protocols distribution.

Record-breaking attack: A staggering UDP attack, peaking at 1.5 terabits per second (Tbps), targeted a gaming customer in Asia. This attack, originating from China, Japan, the USA, and Brazil, was highly randomized, involving numerous source IPs and ports, yet was fully mitigated by Azure’s defenses.

Botnet evolution: In the past year, cybercriminals increasingly leveraged cloud resources, particularly virtual machines, to launch DDoS attacks. This trend continued to evolve during the holiday season, with attackers trying to abuse discounted Azure subscriptions globally. From mid-November 2023 until the end of the year, we observed attempts to use compromised accounts for this purpose across 39 Azure regions, with Europe and the USA being the primary targets, accounting for about 67% of these incidents.* Azure’s defense mechanisms successfully neutralized these threats.

Figure 4: Azure regions where attempts to exploit resources for DDoS attacks occurred.

Contextualizing the threat


The 2023 DDoS attack trends in Azure mirror global patterns. Attacks are becoming politically motivated as we highlighted earlier last year, fueled by geopolitical tensions.

DDoS-for-hire services, commonly known as “stressers” and “booters”, remain popular amongst attackers. These platforms, readily available on cybercriminal forums, have democratized the ability to launch powerful DDoS attacks, making them accessible to less sophisticated criminals for minimal cost. Recent years have seen an uptick in the availability and use of these services, confirmed by international law enforcement agencies through operations like Operation PowerOFF, which in May of last year targeted 13 domains associated with DDoS-for-hire platforms. Despite these efforts, stressers continue to thrive, offering a range of attack methods and power, with some advertising attacks of up to 1.5 Tbps.

Cloud power: Combating the evolving DDoS threats


The rise of botnets at scale and DDoS-for-hire services poses a significant risk to online services and business operations. To fight these threats, more cloud computing power is needed to absorb the leading wave of the attack until patterns can be identified, spurious traffic diverted, and legitimate traffic preserved. When tens of thousands of devices constitute an attack, the cloud is our best defense, due to the scale needed to mitigate the largest attacks. In addition, due to the global distribution of the cloud, closer proximity helps to block attacks closest to the sources.

Ensuring robust protection


In an era where digital threats are constantly evolving, ensuring robust protection against DDoS attacks has never been more critical. Here’s how Azure’s comprehensive security solutions are designed to safeguard your digital infrastructure.

DDoS Protection Service: With the high risk of DDoS attacks, it’s essential to have a DDoS protection service like Azure DDoS Protection. This service provides always-on traffic monitoring, automatic attack mitigation upon detection, adaptive real-time tuning, and full visibility on DDoS attacks with real-time telemetry, monitoring, and alerts.

Multi-Layered Defense: For comprehensive protection, set up a multi-layered defense by deploying Azure DDoS Protection together with Azure Web Application Firewall (WAF). Azure DDoS Protection secures the network and transport layers (Layers 3 and 4), while Azure WAF safeguards the application layer (Layer 7). This combination provides protection against both volumetric/protocol DDoS attacks and application-layer floods.

Alert Configuration: Azure DDoS Protection can identify and mitigate attacks without user intervention. Configuring alerts for active mitigations can keep you informed about the status of protected public IP resources.
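The alert the paragraph above recommends, as an added example that is not code from the original post: an Azure Monitor metric alert on a protected public IP that fires while a mitigation is active. It assumes the Az.Network and Az.Monitor modules are installed and Connect-AzAccount has already run; the resource group, public IP, action group and e-mail address are placeholders.

```powershell
# Added example, not from the original post. Names below are placeholders.
$rg      = 'rg-edge'
$pipName = 'pip-web'

$pip = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName

# List the DDoS metrics this public IP emits before writing rules against them
# (IfUnderDDoSAttack, PacketsDroppedDDoS, BytesForwardedDDoS, ... all live under
# the Microsoft.Network/publicIPAddresses namespace).
Get-AzMetricDefinition -ResourceId $pip.Id |
    Where-Object { $_.Name.Value -like '*DDoS*' } |
    ForEach-Object { $_.Name.Value }

# Who gets notified. Set-AzActionGroup creates the group if it does not exist yet.
$mail = New-AzActionGroupReceiver -Name 'soc-mail' -EmailReceiver -EmailAddress 'soc@example.com'
$ag   = Set-AzActionGroup -ResourceGroupName $rg -Name 'ag-secops' -ShortName 'secops' -Receiver $mail

# IfUnderDDoSAttack is 1 while a mitigation is in progress and 0 otherwise, so
# "maximum over the window > 0" means a mitigation was active at some point in the window.
$underAttack = New-AzMetricAlertRuleV2Criteria `
    -MetricName      'IfUnderDDoSAttack' `
    -MetricNamespace 'Microsoft.Network/publicIPAddresses' `
    -TimeAggregation Maximum `
    -Operator        GreaterThan `
    -Threshold       0

# Evaluate every minute over a 5-minute window; severity 1 = Error.
Add-AzMetricAlertRuleV2 `
    -Name              "ddos-mitigation-active-$pipName" `
    -ResourceGroupName $rg `
    -TargetResourceId  $pip.Id `
    -Condition         $underAttack `
    -WindowSize        ([TimeSpan]::FromMinutes(5)) `
    -Frequency         ([TimeSpan]::FromMinutes(1)) `
    -Severity          1 `
    -ActionGroupId     $ag.Id `
    -Description       'Azure DDoS Protection is actively mitigating an attack on this public IP.'
```

The IfUnderDDoSAttack rule tells you a mitigation started; a second rule on PacketsDroppedDDoS with a threshold above the IP’s normal baseline is the one that tells you how much was being scrubbed. Both can be exercised end to end with the BreakingPoint Cloud simulation service the 2018 post below describes, which is the supported way to generate attack traffic against your own Azure endpoints.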

2024: Rising against DDoS threats


The 2023 holiday season has underscored the relentless and evolving threat of DDoS attacks in the cyber landscape. As we transition into the new year, it becomes crucial for organizations to enhance and adapt their cybersecurity strategies. This period should be a learning curve, focusing on fortifying defenses against such DDoS attacks and staying vigilant against new tactics. The resilience of Azure against these sophisticated DDoS threats highlights the critical need for robust and adaptive security measures, not just in protecting digital assets but also in ensuring uninterrupted business operations.

* Based on internal data

Source: microsoft.com

Saturday, 27 May 2023

Defend against DDoS attacks with Azure DDoS IP Protection

Distributed denial of service (DDoS) attacks continue to rise as new threats and attack techniques emerge. With DDoS attacks becoming more frequent, it’s important for organizations of all sizes to be proactive and stay protected all year round. Small and medium businesses (SMBs) face the same risks as larger organizations though are more vulnerable as they often lack resources and specialized expertise.

We are committed to providing security solutions to all our customers. We are announcing the general availability of the Azure DDoS IP Protection SKU, a new SKU of Azure DDoS Protection designed to meet the needs of SMBs.

Enterprise-grade DDoS protection at an affordable price point


Azure DDoS IP Protection provides enterprise-grade DDoS protection at an affordable price point. It offers the same essential capabilities as Azure DDoS Network Protection (previously known as Azure DDoS Protection Standard) to protect your resources and applications against evolving DDoS attacks. Customers also have the flexibility to enable protection on individual public IP addresses.

“DDoS protection is a must have today for critical websites. Azure DDoS Protection provides comprehensive protection though the existing DDoS Network Protection SKU did not fit the price point for smaller organizations. We are happy that the DDoS IP Protection SKU provides the same level of protection as the Network Protection SKU at an affordable price point and the flexibility to protect individual public IPs.”—Derk van der Woude, CTO, Nedscaper.

“We are excited that the DDoS IP Protection SKU provides enterprise-grade, cost effective DDoS protection for customers with smaller cloud environments with only a few public IP endpoints in the cloud.”—Markus Lintuala, Senior Technical Consultant, Elisa.

Key features of Azure DDoS IP Protection


◉ Massive mitigation capacity and scale—Defend your workloads against the largest and most sophisticated attacks with cloud scale DDoS protection backed by Azure’s global network. This ensures that we can mitigate the largest attacks reported in history and thousands of attacks daily.

◉ Protection against attack vectors—DDoS IP Protection mitigates volumetric attacks that flood the network with a substantial amount of seemingly legitimate traffic, including UDP floods, amplification floods, and other spoofed-packet floods. It absorbs and scrubs these potential multi-gigabyte attacks automatically, using Azure’s global network scale. It also protects against protocol attacks, which render a target inaccessible by exploiting weaknesses in the Layer 3 and Layer 4 protocol stack; these include SYN floods, reflection attacks, and other protocol attacks. DDoS IP Protection mitigates them by interacting with the client to distinguish legitimate traffic from spoofed traffic and blocking the malicious portion. Resource (application) layer attacks target web applications and include HTTP/S floods and low-and-slow attacks; use Azure Web Application Firewall to defend against these.

◉ Native integration into Azure portal—DDoS IP Protection is natively integrated into the Azure portal for easy setup and deployment. This level of integration enables DDoS IP Protection to identify your Azure resources and their configuration automatically.

◉ Seamless protection—DDoS IP Protection seamlessly safeguards your resources. There’s no need to deploy anything in your Azure Virtual Network (VNet), or to change your current networking architecture. DDoS is deployed as an overlay on top of your current networking services.

◉ Adaptive tuning—Protect your apps and resources while minimizing false negatives with adaptive tuning matched to the scale and actual traffic patterns of your application. Applications running in Azure are inherently protected by the default infrastructure-level DDoS protection, but the thresholds that protect the platform are far higher than most individual applications can absorb, so a traffic volume the Azure platform considers harmless can still overwhelm the application receiving it. Adaptive tuning sets per-resource thresholds from the observed traffic baseline, so application-targeted attacks that stay below the infrastructure-level threshold offered to all Azure customers are still detected and mitigated.

◉ Attack analytics, metrics, and logging—Monitor DDoS attacks near real-time and respond quickly to attacks with visibility into attack lifecycle, vectors, and mitigation. With DDoS IP Protection, customers can monitor when the attack is taking place, collect statistics on mitigation, and view the detection thresholds assigned by the adaptive tuning engine to make sure they align with expected traffic baselines. Diagnostic logs offer a deep-dive view on attack insights, allowing customers to investigate attack vectors, traffic flows, and mitigations to support them in their DDoS response strategy.

◉ Integration with Microsoft Sentinel and Microsoft Defender for Cloud—Strengthen your security posture with rich attack analytics and telemetry integrated with Microsoft Sentinel. We offer a Sentinel solution that includes comprehensive analytics and alert rules to support customers in their Security Orchestration, Automation, and Response (SOAR) strategy. Customers can also set up and view security alerts and recommendations provided by Defender for Cloud.


Choosing the right Azure DDoS protection SKU for your needs


Azure DDoS protection is available in two SKUs:

◉ DDoS IP Protection is recommended for SMB customers with a few public IP resources who need a comprehensive DDoS protection solution that is fully managed and easy to deploy and monitor.

◉ DDoS Network Protection is recommended for larger enterprises and organizations looking to protect their entire deployment that spans multiple virtual networks and includes many public IP addresses. It also offers additional features like cost protection, DDoS Rapid Response, and discounts on Azure Web Application Firewall.

Let’s see a detailed comparison between these two SKUs:

Figure: feature comparison table, DDoS IP Protection versus DDoS Network Protection.

Get started


DDoS IP Protection can be enabled from the public IP address resource Overview blade.


Protection status in the Properties tab shows if the resource is DDoS protected, and what is the protection type (either Network or IP Protection).
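The same two steps done from Az PowerShell instead of the portal, as an added example that is not code from the original post: enable IP Protection on an existing Standard-SKU public IP, then read back the protection mode the Properties tab displays. Resource names are placeholders; the `PSDdosSettings` model class used when the IP has no ddosSettings block yet is an assumption about the Az.Network object model.

```powershell
# Added example, not from the original post. Names are placeholders.
$rg      = 'rg-edge'
$pipName = 'pip-web'

$pip = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName

# Only Standard SKU public IPs can be protected; fail before the PUT, not after.
if ($pip.Sku.Name -ne 'Standard') {
    throw "Public IP '$pipName' has SKU '$($pip.Sku.Name)'; DDoS IP Protection requires Standard."
}

# ProtectionMode values: 'Enabled' = IP Protection on this address,
# 'VirtualNetworkInherited' = Network Protection via a plan on the VNet, 'Disabled' = neither.
if ($pip.DdosSettings.ProtectionMode -eq 'VirtualNetworkInherited') {
    # Already covered by a DDoS plan; IP Protection would be redundant and billed separately.
    Write-Warning "$pipName already inherits Network Protection from its virtual network."
    return
}

if ($null -eq $pip.DdosSettings) {
    # Assumption: Az.Network model class backing the ddosSettings block.
    $pip.DdosSettings = New-Object Microsoft.Azure.Commands.Network.Models.PSDdosSettings
}
$pip.DdosSettings.ProtectionMode = 'Enabled'
$pip = Set-AzPublicIpAddress -PublicIpAddress $pip

# Map the API value to the wording the portal's Properties tab uses.
function Get-DdosProtectionType {
    param([Parameter(Mandatory)] $PublicIp)
    switch ($PublicIp.DdosSettings.ProtectionMode) {
        'Enabled'                 { 'IP Protection' }
        'VirtualNetworkInherited' { 'Network Protection (inherited from VNet plan)' }
        default                   { 'Not protected' }
    }
}

"$($pip.Name): $(Get-DdosProtectionType -PublicIp $pip)"
```

Running the last line against every public IP in a subscription (`Get-AzPublicIpAddress` with no name filter) is a quick inventory of which Standard IPs are exposed without either SKU, which is the gap this offering is meant to close for small environments.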


Azure DDoS IP Protection pricing


With DDoS IP Protection, you only pay for the public IP resources protected. The cost is a fixed monthly amount for each public IP resource protected with no additional variable costs.

Source: microsoft.com

Saturday, 21 April 2018

Azure DDoS Protection for virtual networks generally available

We are excited to announce the general availability of the Azure DDoS Protection Standard service in all public cloud regions. This service is integrated with Azure Virtual Networks (VNet) and provides protection and defense for Azure resources against the impacts of DDoS attacks.

Distributed Denial of Service (DDoS) attacks are intended to disrupt a service by exhausting its resources (e.g., bandwidth, memory). DDoS attacks are one of the top availability and security concerns voiced by customers moving their applications to the cloud. With extortion and hacktivism being the common motivations behind DDoS attacks, they have been consistently increasing in type, scale, and frequency of occurrence as they are relatively easy and cheap to launch.

These concerns are justified: the number of documented DDoS amplification attacks increased by more than 357 percent in the fourth quarter of 2017 compared to 2016, according to data from Nexusguard. Further, more than 56 percent of all attacks exploit multiple vector combinations. In February 2018, GitHub was attacked via a reflection exploit in Memcached generating 1.35 terabits per second of attack traffic, the largest DDoS attack recorded at the time.

As the types and sophistication of network attacks increases, Azure is committed to providing our customers with solutions that continue to protect the security and availability of applications on Azure. Security and availability in the cloud is a shared responsibility. Azure provides platform level capabilities and design best practices for customers to adopt and apply into application designs that meet their business objectives.

Azure DDoS Protection Service offerings


Azure has two DDoS service offerings that provide protection from network attacks (Layer 3 and 4) - DDoS Protection Basic and DDoS Protection Standard.


Azure DDoS Protection Basic service


Basic protection is integrated into the Azure platform by default and at no additional cost. The full scale and capacity of Azure’s globally deployed network provides defense against common network-layer attacks through always-on traffic monitoring and real-time mitigation. No user configuration or application changes are required to enable DDoS Protection Basic. Basic protection also defends Azure DNS zones against the most common Layer 7 DNS query floods and volumetric attacks. This service has a proven track record in protecting Microsoft’s enterprise and consumer services from large-scale attacks.


Azure DDoS Protection Standard Service


Azure DDoS Protection Standard provides enhanced DDoS mitigation capabilities for your application and resources deployed in your virtual networks. Protection is simple to enable on any new or existing virtual network and requires no application or resource changes. DDoS Protection Standard utilizes dedicated monitoring and machine learning to configure DDoS protection policies tuned to your virtual network traffic profiles. Attack telemetry is available through Azure Monitor, enabling alerting when your application is under attack. Integrated Layer 7 application protection can be provided by Application Gateway WAF.


Azure DDoS Protection Standard service features


Native platform integration and turn-key protection

DDoS Protection Standard is natively integrated into the Azure platform and includes configuration through the Azure portal and PowerShell when you create a DDoS Protection Plan and enable DDoS Standard on a virtual network. Simplified provisioning immediately protects all resources in a virtual network with no additional application changes required.
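The provisioning step described above, as an added example that is not code from the original post: create a DDoS Protection plan and attach it to an existing virtual network. The post predates the Az module (it used AzureRm cmdlets at the time); the cmdlets here are the current Az.Network equivalents, and resource names and region are placeholders.

```powershell
# Added example, not from the original post. Names are placeholders.
$rg       = 'rg-edge'
$location = 'westeurope'
$vnetName = 'vnet-hub'
$planName = 'ddos-plan-corp'

# A single plan can cover VNets across subscriptions and regions in the tenant and is
# billed once, so reuse an existing plan rather than creating one per VNet.
$plan = Get-AzDdosProtectionPlan -ResourceGroupName $rg -Name $planName -ErrorAction SilentlyContinue
if (-not $plan) {
    $plan = New-AzDdosProtectionPlan -ResourceGroupName $rg -Name $planName -Location $location
}

# Enabling the plan on the VNet protects every Standard public IP attached to a NIC,
# load balancer or gateway in that VNet; no per-resource configuration is needed.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$vnet.DdosProtectionPlan    = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
$vnet.DdosProtectionPlan.Id = $plan.Id
$vnet.EnableDdosProtection  = $true
$vnet = $vnet | Set-AzVirtualNetwork

# Read back the state the portal shows on the VNet's DDoS Protection blade.
function Test-VnetDdosProtected {
    param([Parameter(Mandatory)] $VirtualNetwork, [Parameter(Mandatory)] [string] $PlanId)
    return ($VirtualNetwork.EnableDdosProtection -eq $true) -and
           ($VirtualNetwork.DdosProtectionPlan.Id -eq $PlanId)
}

if (Test-VnetDdosProtected -VirtualNetwork $vnet -PlanId $plan.Id) {
    "$vnetName is protected by plan $($plan.Name)"
} else {
    throw "$vnetName is not linked to plan $($plan.Name)"
}
```

Because the plan is the billable object and the VNet link is what actually turns protection on, it is worth running the read-back check across all VNets periodically; a VNet created later by a different team will not be protected until it is explicitly linked.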


Always-on monitoring and adaptive tuning

When DDoS Protection Standard is enabled, your application traffic patterns are continuously monitored for indicators of attacks. DDoS Protection understands your resources and resource configuration and customizes the DDoS Protection policy to your virtual network. Machine learning algorithms set and adjust protection policies as traffic patterns change over time.


L7 protection with Application Gateway

Azure DDoS Protection in combination with the Application Gateway Web Application Firewall provides protection against common web vulnerabilities and Layer 7 attacks, including:

◈ Request rate-limiting
◈ HTTP protocol violations
◈ HTTP protocol anomalies
◈ SQL injection
◈ Cross site scripting

DDoS Protection Standard enabled on a Web application firewall VNet


DDoS Protection telemetry, monitoring, and alerting

Rich telemetry is exposed via Azure Monitor, including detailed metrics for the duration of a DDoS attack. Alerting can be configured on any of the Azure Monitor metrics exposed by DDoS Protection. Logging can be further integrated with Splunk (via Azure Event Hubs), OMS Log Analytics, and Azure Storage for advanced analysis through the Azure Monitor Diagnostics interface.
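The diagnostics routing just described, as an added example that is not code from the original post: send a protected public IP’s DDoS log categories and metrics to a Log Analytics workspace and to an Event Hub (the path a SIEM such as Splunk consumes). It uses the Az.Monitor 3.x `New-AzDiagnosticSetting` cmdlets; the workspace, Event Hub namespace and resource names are placeholders.

```powershell
# Added example, not from the original post. Names are placeholders.
$rg      = 'rg-edge'
$pipName = 'pip-web'
$pip     = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName

# Log categories DDoS Protection emits for a public IP:
#   DDoSProtectionNotifications  mitigation started / stopped events
#   DDoSMitigationFlowLogs       sampled per-flow records (source IP/port, action) during mitigation
#   DDoSMitigationReports        periodic and post-mitigation summaries per attack vector
$logs = foreach ($cat in 'DDoSProtectionNotifications', 'DDoSMitigationFlowLogs', 'DDoSMitigationReports') {
    New-AzDiagnosticSettingLogSettingsObject -Category $cat -Enabled $true
}
# AllMetrics carries the same counters the alert rules use (IfUnderDDoSAttack, PacketsDroppedDDoS, ...).
$metrics = New-AzDiagnosticSettingMetricSettingsObject -Category 'AllMetrics' -Enabled $true

# Destinations: a Log Analytics workspace for KQL and an Event Hub for the SIEM.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'law-sec'
$ehRule    = Get-AzEventHubAuthorizationRule -ResourceGroupName $rg -NamespaceName 'evh-sec' -Name 'RootManageSharedAccessKey'

New-AzDiagnosticSetting `
    -Name                        'ddos-to-law-and-eventhub' `
    -ResourceId                  $pip.Id `
    -Log                         $logs `
    -Metric                      $metrics `
    -WorkspaceId                 $workspace.ResourceId `
    -EventHubAuthorizationRuleId $ehRule.Id `
    -EventHubName                'ddos-logs'

# Confirm every category landed enabled; a category silently left off is the usual
# reason an incident review finds no flow logs for the attack window.
$applied = Get-AzDiagnosticSetting -ResourceId $pip.Id -Name 'ddos-to-law-and-eventhub'
$applied.Log | ForEach-Object { "{0,-30} enabled={1}" -f $_.Category, $_.Enabled }
```

In the workspace these rows arrive in the AzureDiagnostics table with Category set to the names above; the flow logs are the set worth keeping longest, since they are the only record of which sources were dropped versus forwarded during a mitigation.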


SLA guarantee and cost protection

The DDoS Protection Standard service is covered by a 99.99% SLA, and cost protection provides resource credits for scale-out incurred during a documented attack.

Protection planning


Planning and preparing for a DDoS attack is crucial in understanding the availability and response of an application during an actual attack. Organizations should also establish a well vetted DDoS incident management response plan.

To assist in this planning we have published an end to end DDoS Protection - Best Practices & Reference Architecture guide and encourage all customers to apply those practices while designing applications for resiliency against DDoS attacks in Azure.

We have also partnered with BreakingPoint Cloud to offer tooling for Azure customers to generate traffic load against DDoS Protection enabled public endpoints to simulate attacks. BreakingPoint Cloud simulation will allow you to:

◈ Validate how Microsoft Azure DDoS Protection protects your Azure resources from DDoS attacks
◈ Optimize your incident response process while under DDoS attack
◈ Document DDoS compliance
◈ Train your network security teams

Getting started