June 2023: Microsoft identified a major surge in traffic on its servers. The flood of traffic caused its servers to temporally go down. At first glance, the abnormally high traffic looked like legitimate consumer interest. But as Microsoft investigated the event further, the access requests looked more and more suspicious. It turns out that the company was hit by a Distributed Denial of Service (DDoS) attack.
Thankfully Microsoft responded quickly, identified the threat, and took the necessary remediating steps. No customer data was compromised. But if Microsoft hadn’t responded so efficiently, the attack could have been much more consequential.
But what are DDoS attacks?
The Microsoft attack is a classic example of DDoS. Using an army of compromised computers, the attackers spammed and overwhelmed Microsoft’s servers, causing them to shut down and block regular user access.
While it wasn’t immediately clear what the motive for hitting Microsoft was, there are varied reasons why attackers may choose to DDoS. These reasons include holding digital infrastructure hostage in exchange for money, bringing down competitors, or as a tactic in cyber warfare. In all cases, the steps used to carry out a DDoS attack are generally the same.
Step 1: The Botnet
After the target is identified (often chosen based on the motivation behind the attack), attackers create a “botnet”. A botnet is created by infesting a group of computers with malware, allowing the attackers to control the computers from their remote point of access. Attackers maintain control of the botnet through centralized “command and control” servers or sometimes through peer-to-peer networks. The command and control servers send instructions to the botnet.
Step 2: Spamming the network
With the group of computers or “botnets” at their service, attackers direct the computers to send access requests to the target’s IP, creating such high traffic that prevents the servers from functioning. With a large number of computers requesting access at the same time, the idea is that the target’s bandwidth will fail to handle such a flood of requests and will either operate at a snail’s pace or completely shut down. Those that actually want to make legitimate use of the target’s website, application, or service are denied access. Hence the name “distributed denial of service”. With legitimate server access denied, the attackers can hold the servers, hostage, until a ransom is paid.
Types of attacks
The most common DDoS attacks include the following:
Volumetric attacks make extensive use of botnets. While all DDoS attacks flood servers with high amounts of traffic, volumetric attacks take the high amount of traffic to the next level. The goal is to consume the network’s bandwidth to shut it down and prevent user access.
Application Layer Attacks are another common type of DDoS attack. These attacks exploit the application layer and exhaust server resources. The difference between volumetric and application layer attacks is that application layer attacks target applications rather than network resources. By targeting applications, application layer attacks seek to consume the target’s processing power, memory, or database resources. The attacks exploit weaknesses in the handling of applications and server requests to deny access.
Most commonly, application layer attacks use HTTP requests to overload the functioning of the target’s applications. The Microsoft attack was an example of an application layer attack, where hackers targeted the servers with a high volume of HTTP(S) requests in an attempt to bypass the CDN layer and overwhelm the servers.
The goal of protocol attacks is to overwhelm the network’s critical infrastructure, such as firewalls and load balancers. Unlike other DDoS attacks that target IP addresses, protocol attacks exploit vulnerabilities in the network’s protocol.
Identification and Mitigation
DDoS attacks are problematic. An unresponsive or unavailable server can be costly. A disabled server may lead to missed revenue and customer retention. To avoid such consequences, the threat investigation and remediation process should commence as soon as possible.
The first step is to identify the attack. Identification is done by monitoring servers for unusually high traffic. Now, of course, high traffic may simply be a result of legitimate user interest. This is partly why DDoS can be difficult to identify: it’s not easy to distinguish bots from real users as botnets are often comprised of malware-infested, real consumer devices. So they appear to be legitimate consumers but in reality, they are controlled by bots. That said, here are a few guidelines to follow when identifying attacks:
- Look for suspicious amounts of traffic, such as traffic requests from a single endpoint.
- Look for traffic originating from a single IP address or that shares a singular profile.
DDoS attacks that are single-sourced are easier to identify than multi-vector attacks. Multiple vector attacks combine different attack methods such as volumetric, application layer, and protocol to maximize damage. Multiple vector attacks can be complex to mitigate as it is not as simple as shutting down a single traffic source. If the security team manages to shut down one attack vector, multivector attacks can switch to another vector.
Though they may be hard to control, there are solutions to mitigate DDoS attacks.
Rate-limiting: One strategy is what is commonly referred to as “rate limiting”. The goal here is to only accept as much traffic as the host servers can handle. If traffic exceeds the designed rate that the server can handle, access is blocked temporarily.
Effective rate limiting hinges on the ability to separate legitimate traffic from abnormal traffic. To only provide access to legitimate traffic, it’s necessary to understand the normal baseline traffic, so as to know the characteristics of normal traffic and detect any abnormalities that signal illegitimate traffic.
Web Application Firewalls: Another strategy is to deploy Web Application Firewalls (WAF). WAFs ensure that access requests are safe before they are sent to web servers. Firewalls are particularly useful against application layer attacks as they filter access requests based on customized rules used to identify DDoS tools.
Finally, we find SIEMs to be a particularly potent option. Through log management and data-fueled insights, SIEMs are useful for detecting and intercepting DDoS attacks early on. SIEMs monitor connected devices and IP traffic and with the use of relevant data can identify any abnormal behavior (such as illegitimate connection requests). Security teams can then act on the threat. You can even attach integrated software to your SIEM to improve its capabilities and get automated insights and recommendations to help you respond faster.
Take action against DDoS attacks
Microsoft was able to quickly put an end to the DDoS attack. However, mitigation efforts are not always so effective. DDoS attacks can be malicious and persistent. They can be hard to identify and costly. But as we have covered in this blog post, there are steps that you can take to mitigate the damage. We highly recommend using Microsoft Sentinel (we believe it’s the best SIEM on the market) to mitigate DDoS attacks. Combining SIEM with integrated software, like Seculyze, results in an even more powerful response to DDoS attacks.
If you want to improve your mitigation efforts against DDoS attacks, Seculyze will automate analysis tasks such as log analysis and SIEM alert rule tuning to improve detection mechanisms. An improved SIEM optimizes DDoS detection and mitigation.