Deep dive into Azure’s DDoS attacks landscape for 2023

Examining Microsoft Azure’s DDoS attack environment in depth

Together with joy and festivities, the 2023 holiday season also brought with it a spike in Distributed Denial-of-Service (DDoS) attacks. The patterns of DDoS attacks this year point to a dynamic and intricate threat environment. These attacks have become increasingly sophisticated and diverse in terms of their tactics and scale, ranging from botnet delivery enabled by misconfigured Docker API endpoints to the appearance of NKAbuse malware that uses blockchain technology to launch denial-of-service attacks.

Azure’s holiday attack landscape for 2023

During the holiday season, Azure monitored the attack landscape and noticed a significant change in some of the attack patterns when compared to the previous year. This modification highlights the persistent attempts by malevolent entities to enhance their methods of posing a threat and try to get around DDoS defenses.

Daily Attack Volume: A maximum of 3,500 attacks per day were automatically mitigated by Azure’s strong security infrastructure. Remarkably, 15%–20% of these incidents were large-scale attacks, defined as those that sent more than one million packets per second (pps).

Geographic origins: Attack origins showed a shift, with 18% coming from the USA and 43% coming from China. Compared to the previous year, when both nations were equally represented as regional sources, this represents a shift.

Protocols for attacks: UDP-based attacks, which accounted for 78% of the attacks during the 2023 holiday season, were primarily directed towards web applications and gaming workloads. These include UDP reflected/amplified attacks, which primarily use quick UDP internet connections (QUIC) for reflection and domain name system (DNS) and simple service discovery protocol (SSDP) in their attacks. Interestingly, QUIC is becoming a more popular attack vector due to reflection or DDoS stressors that sporadically use UDP port 443. The attack patterns during the holiday season this year are very different from those of the previous year, when TCP-based attacks accounted for 65% of all attacks.

Attack that broke all previous records: An astounding UDP attack that peaked at 1.5 terabits per second (Tbps) was directed towards an Asian gaming client. This highly randomized attack, which involved multiple source IP addresses and ports and originated in China, Japan, the USA, and Brazil, was completely neutralized by Azure’s defenses.

Botnet evolution: Over the past year, more and more cybercriminals have used cloud resources- virtual machines in particular for DDoS attacks. Throughout the holiday season, attackers continued to try to take advantage of discounted Azure subscriptions all over the world. Azure tracked compromised account attempts in 39 Azure regions from mid-November 2023 to the end of the year. The main targets of these incidents were the USA and Europe, which accounted for roughly 67% of the total. These threats were successfully neutralized by Azure’s defense mechanisms.

DDoS attack on Azure

Setting the Threat in Context

Global trends are mirrored in Azure’s DDoS attack trends for 2023. As Azure noted earlier in the year, attacks are becoming more politically motivated as a result of geopolitical tensions.

Attackers continue to be drawn to the rise of DDoS-for-hire services, also referred to as “stressor’s” and “booters.” These platforms have democratized the ability to launch potent DDoS attacks, making them affordable for less experienced criminals and easily accessible on forums frequented by cybercriminals. International law enforcement agencies have confirmed that there has been a surge in the availability and use of these services in recent years through operations such as Operation Power OFF, which last May targeted 13 domains linked to DDoS-for-hire platforms. Stressor’s are still in demand despite these efforts because they provide a variety of attack techniques and power, with some being able to launch attacks as fast as 1.5 Tbps.

Cloud power: Defending against the dynamic DDoS attacks

The proliferation of large-scale botnets and DDoS-for-hire services presents a serious threat to online services and corporate operations. More cloud computing capacity is required to counter these threats in order to absorb the attack’s initial wave, divert erroneous traffic, and preserve legitimate traffic until patterns can be found. The cloud is our best defense when an attack involves tens of thousands of devices because it has the scale necessary to mitigate the largest attacks. Furthermore, because the cloud is distributed globally, being closer together aids in thwarting attacks that are directed towards the sources.

Providing strong defense to DDoS Attacks

It is more important than ever to have strong defenses against DDoS attacks in a time when cyber threats are always changing. This is how Azure’s all-inclusive security solutions are made to protect your online data.

Due to the increased risk of DDoS attacks, a DDoS protection service like Azure DDoS Protection is essential. Real-time telemetry, monitoring, alerts, automatic attack mitigation, adaptive real-time tuning, and always-on traffic monitoring give this service full visibility on DDoS attacks.

Multi-Layered Defense: Use Azure Web Application Firewall (WAF) in conjunction with Azure DDoS Protection to set up a multi-layered defense for complete protection. Layers 3 and 4 of the network are protected by Azure DDoS Protection, and Layer 7 of the application layer is protected by Azure WAF. This combination offers defense against different kinds of DDoS attacks.

Alert Configuration: Without user input, Azure DDoS Protection is able to recognize and stop attacks. You can be informed about the state of public intellectual property resources that are protected by configuring alerts for active mitigations.

2024: Taking action against DDoS attacks

The Christmas season of 2023 has brought to light the DDoS attacks’ constant and changing threat to the cyberspace. It is imperative that businesses improve and modify their cybersecurity plans as the new year approaches. This should be a period of learning, with an emphasis on strengthening defenses against DDoS attacks and remaining watchful for emerging strategies. Azure’s ability to withstand these advanced DDoS attacks demonstrates how important it is to have strong and flexible security measures in place to safeguard digital assets and maintain business continuity.