Major Azure outage was caused by a DDoS attack at Microsoft

The outage lasted almost 10 hours


On Tuesday, 30 July 2024, Microsoft suffered an outage lasting nearly ten hours that affected many of its services, including Microsoft 365 and Azure.[1] The company confirmed that the disruption was triggered by a distributed denial-of-service (DDoS) attack.[2] Azure App Services, Application Insights, Azure IoT Central and the Azure portal were among the services affected.

Users worldwide saw errors, timeouts and latency spikes. Businesses that depend on Microsoft's cloud services were hit hard, with some operations brought to a halt, so the incident affected not only Microsoft's own services but also those of its customers.

For instance, Cambridge Water, HM Courts and Tribunals Service, and NatWest Bank reported issues due to the outage. Even FC Twente, a Dutch football team, experienced disruptions with their ticketing website and club app:[3]

Due to a (global) disruption of the Microsoft Azure platform, some services are unavailable. For FC Twente supporters, this means that you cannot log in to the ticket sales website and/or the FC Twente app. We are keeping an eye on Microsoft's reporting; as soon as there is more information we will inform you via our social media channels.

This incident highlighted the vulnerabilities even large tech companies can face. The impact was felt across various sectors, showing how deeply integrated Microsoft services are in daily operations worldwide.

Microsoft says an error in its DDoS defenses amplified the attack's impact

Microsoft's investigation identified a DDoS attack as the trigger. The attack produced an unexpected spike in traffic that pushed Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components below acceptable performance thresholds, causing intermittent errors, timeouts and latency spikes across the many services that sit behind them.

The attack itself, however, is only half the story. Microsoft's DDoS protection mechanisms did activate, but according to the company an error in how those defenses were implemented amplified the impact of the attack instead of mitigating it, so the initial response made the disruption larger than the attack alone would have.

To recover, Microsoft made networking configuration changes to support its DDoS protection and failed over to alternate networking paths, rerouting user requests away from the overloaded components to relieve them and keep services available. By 14:10 UTC most of the impact had been mitigated, although residual issues persisted for some customers.
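The article says Microsoft's defenses amplified the attack rather than mitigating it, without saying what the implementation error was. The check below is an added example, not Microsoft's own code or telemetry; it is the kind of sanity check an operations team wants whenever a DDoS mitigation or a routing failover is applied: parse edge logs and compare the failure rate (5xx responses or latency over an SLO, which is how timeouts show up) in the window just before and just after each control-plane change, and flag the change as "amplified" if things got worse. The log lines are constructed, and the log format, the node name, the MITIGATION_ENABLED and NETWORK_FAILOVER markers, the 2,000 ms latency SLO and the 15-minute comparison windows are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample edge log (NOT real Azure Front Door telemetry). One line per request:
#   <ISO-8601 timestamp> <node> <HTTP status> <latency in ms>
# plus control-plane marker lines recording when a (hypothetical) mitigation and a
# (hypothetical) network failover were applied. Timestamps loosely follow the article's
# timeline; 14:10 UTC is the one time the article actually gives.
SAMPLE_LOG = """\
2024-07-30T11:30:00Z afd-edge-01 200 42
2024-07-30T11:30:20Z afd-edge-01 200 38
2024-07-30T11:30:40Z afd-edge-01 200 45
2024-07-30T11:50:00Z afd-edge-01 200 410
2024-07-30T11:50:20Z afd-edge-01 503 9000
2024-07-30T11:50:40Z afd-edge-01 200 620
2024-07-30T11:59:00Z control-plane MITIGATION_ENABLED
2024-07-30T12:10:00Z afd-edge-01 504 30000
2024-07-30T12:10:20Z afd-edge-01 503 12000
2024-07-30T12:10:40Z afd-edge-01 504 30000
2024-07-30T12:11:00Z afd-edge-01 200 1500
2024-07-30T14:00:00Z afd-edge-01 503 8000
2024-07-30T14:00:20Z afd-edge-01 504 30000
2024-07-30T14:00:40Z afd-edge-01 200 900
2024-07-30T14:10:00Z control-plane NETWORK_FAILOVER
2024-07-30T14:20:00Z afd-edge-01 200 60
2024-07-30T14:20:20Z afd-edge-01 200 55
2024-07-30T14:20:40Z afd-edge-01 200 52
"""

LATENCY_SLO_MS = 2000  # assumption: anything slower counts as a failure, like a 5xx

# timestamp, node, status-or-event, optional latency
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (\d+))?$")


def parse_log(text):
    """Split the log into request records and control-plane events."""
    requests, events = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank or malformed lines
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        if m.group(2) == "control-plane":
            events.append((ts, m.group(3)))
        else:
            requests.append((ts, int(m.group(3)), int(m.group(4))))
    return requests, events


def is_failure(status, latency_ms):
    """Server errors and SLO-busting latency (timeouts show up as both) are failures."""
    return status >= 500 or latency_ms > LATENCY_SLO_MS


def failure_rate(requests, start, end):
    """Fraction of failed requests in [start, end), or None if the window is empty."""
    window = [(s, l) for ts, s, l in requests if start <= ts < end]
    if not window:
        return None
    return sum(is_failure(s, l) for s, l in window) / len(window)


def verdict(before, after):
    """Did the change help, hurt, or can we not tell?"""
    if before is None or after is None:
        return "insufficient data"
    if after > before:
        return "amplified"
    if after < before:
        return "mitigated"
    return "no change"


def assess_events(requests, events, lookback=timedelta(minutes=15),
                  lookahead=timedelta(minutes=15)):
    """For each control-plane event, compare failure rate just before and just after it."""
    results = {}
    for ts, name in events:
        before = failure_rate(requests, ts - lookback, ts)
        after = failure_rate(requests, ts, ts + lookahead)
        results[name] = {"at": ts, "before": before, "after": after,
                         "verdict": verdict(before, after)}
    return results


if __name__ == "__main__":
    reqs, evs = parse_log(SAMPLE_LOG)
    for name, r in assess_events(reqs, evs).items():
        print(f"{r['at']:%H:%M} {name:20s} before={r['before']:.2f} "
              f"after={r['after']:.2f} -> {r['verdict']}")
```

On the constructed log the mitigation marker is judged "amplified" (failure rate rises from one third to three quarters) and the later failover is judged "mitigated" (two thirds down to zero). In production the same comparison would run against real edge or WAF logs and feed an alert, so that a defense that is making things worse is noticed within minutes rather than discovered in the post-incident review.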

Microsoft communicated continuously with affected users, providing updates on the situation through their service status website and social media channels. The company also acknowledged the failure of their defenses and committed to a thorough investigation to understand the root cause and prevent future occurrences.

The DDoS confirmation came only after Microsoft's initial reports of an "unexpected usage spike", wording that prompted speculation and questions from customers and analysts. Microsoft plans to publish a Preliminary Post-Incident Review (PIR) within 72 hours and a Final Post-Incident Review within two weeks, with further details and lessons learned from the outage.

The incident underscores how hard it is to defend against DDoS attacks at cloud scale, and that the defenses themselves need to be tested as carefully as the systems they protect: a mitigation that has never been exercised under real attack load can become part of the outage. Microsoft's relatively quick response and open communication nonetheless helped limit the damage and restore service to affected users.

Not the first time Microsoft was targeted, and probably not the last

Industry experts have pointed out that this incident is a wake-up call for better cybersecurity practices. Adam Gavish from DoControl emphasized the need for robust, well-tested defenses.[4] He compared the situation to having a high-end security system that fails, locking you out of your own house. David Higgins from CyberArk noted the critical impact such outages can have, especially for customer-facing applications.[4]

This is not the first time Microsoft has been hit by a DDoS attack. Earlier incidents, such as the June 2023 attacks claimed by the hacktivist group Anonymous Sudan, likewise showed how dependent businesses worldwide are on Microsoft's IT services.[5]

Microsoft has promised to release detailed reviews of the incident to learn and improve from this experience. The company aims to strengthen its defenses and prevent future disruptions, ensuring a more resilient infrastructure for its global user base. Time will tell if this is going to work out as well as Microsoft wants.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst and the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
