Microsoft strengthens protection against Layer 7 DDoS attacks
- June 19, 2023
In response to a series of distributed Layer 7 DDoS attacks, Microsoft has taken swift steps to strengthen its security measures and protect its customers. Launched by a threat actor known as Storm-1359, these attacks targeted Microsoft services and caused temporary interruptions in availability. However, there is no evidence that customer data has been compromised.
Microsoft’s research revealed that Storm-1359 uses a combination of resources, including access to multiple virtual private servers (VPS), leased cloud infrastructure, open proxies, and DDoS tools. Unlike traditional DDoS attacks that focus on layer 3 or 4, these latest attacks specifically target layer 7, which makes them harder to mitigate.
To counter this new wave of attacks, Microsoft strengthened its Layer 7 protection by configuring the Azure Web Application Firewall (WAF). This preventive measure aims to protect customers from the impact of similar DDoS attacks. While existing tools and techniques have proven to be extremely effective at reducing outages, Microsoft continues to evolve its defenses.
To help customers protect their environments against such attacks, Microsoft encourages them to review the provided technical details and recommended actions. By implementing the recommended measures, customers can increase the resilience of their systems and minimize the potential impact of Layer 7 DDoS attacks.
Microsoft’s analysis of Storm-1359 revealed that the attacker possessed a number of botnets and tools capable of launching DDoS attacks from various cloud services and open proxy infrastructures. Storm-1359 appears to be primarily motivated by destruction and seeks publicity for its activities.
Attacks launched by Storm-1359 include several types of Layer 7 DDoS traffic. One is the HTTP(S) flood attack, which exhausts system resources with a high load of SSL/TLS handshakes and HTTP(S) requests. Storm-1359 also uses cache bypass techniques, sending requests to generated URLs so that they skip the CDN layer and overload the origin servers. Another attack method is Slowloris, in which an attacker opens a connection to a web server, requests a resource, and then either fails to acknowledge the download or accepts it slowly. This forces the server to keep the connection open and the requested resource in memory until it runs out of resources.
To mitigate the impact of Layer 7 DDoS attacks, Microsoft recommends that customers use Layer 7 protection services such as Azure Web Application Firewall (WAF), which is provided with Azure Front Door and Azure Application Gateway. Customers should also block IP addresses and ranges identified as malicious and consider rate limiting or redirecting traffic from certain regions or from outside a defined region. Organizations can further strengthen their defenses against Layer 7 DDoS attacks by creating custom WAF rules that automatically block and rate limit HTTP or HTTPS attacks with known signatures.
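A sketch of how a defender might surface clients that fit the cache bypass pattern described above, so their addresses can feed a WAF block or rate-limit rule. This is an added example, not code from Microsoft or from the source article; the log format, thresholds, function name and sample addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample in an assumed format: epoch_seconds client_ip url cache_status
SAMPLE_LOG = [f"{1000 + i // 4} 203.0.113.7 /img/logo.png?r={i:04x} MISS" for i in range(40)]
SAMPLE_LOG += [f"{1000 + i} 198.51.100.9 /index.html {'MISS' if i == 0 else 'HIT'}" for i in range(10)]
SAMPLE_LOG += [f"{1000 + i} 192.0.2.44 /docs/page{i}.html MISS" for i in range(5)]
SAMPLE_LOG.sort(key=lambda line: int(line.split()[0]))

def find_cache_bypass_clients(lines, window=10, min_requests=20,
                              min_unique_ratio=0.9, min_miss_ratio=0.9):
    """Return {client_ip: first_flagged_epoch} for clients whose traffic inside
    any `window`-second span is high-volume, almost all cache misses, and
    almost all distinct URLs (the shape of requests to generated URLs)."""
    recent = defaultdict(deque)  # client -> deque of (ts, url, is_miss)
    flagged = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines instead of failing
        ts, client, url, status = int(parts[0]), parts[1], parts[2], parts[3]
        q = recent[client]
        q.append((ts, url, status == "MISS"))
        while q and q[0][0] <= ts - window:
            q.popleft()  # drop entries that fell out of the sliding window
        total = len(q)
        if client in flagged or total < min_requests:
            continue
        unique = len({u for _, u, _ in q})
        misses = sum(1 for _, _, m in q if m)
        if unique / total >= min_unique_ratio and misses / total >= min_miss_ratio:
            flagged[client] = ts
    return flagged

if __name__ == "__main__":
    for ip, ts in find_cache_bypass_clients(SAMPLE_LOG).items():
        print(f"candidate for WAF block/rate-limit rule: {ip} (first flagged at {ts})")
```

The volume threshold matters: with `min_requests` set too low, an ordinary visitor browsing a handful of uncached pages looks the same as a bypass client, so tune it against normal traffic before acting on the output.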
Source: Port Altele