Distributed Denial of Service (DDoS) attacks certainly come to mind when considering cyberattacks that can cause widespread outages and service disruptions. These insidious attacks are on the rise, especially targeting major hyperscale cloud environments.
Recently, Microsoft has seen an uptick in DDoS attacks targeting its cloud platforms. What is behind the rise of attacks, and how can organizations protect themselves?
Are DDoS attacksbecoming the norm?
Recently, the German Federal Financial Supervisory Authority (BaFin) was under a DDOS attack.
The attack disrupted BaFin’s website, which hosts critical consumer and regulatory information, documents related to investigations, a database of registered companies, job vacancies, and a whistleblowing platform.
This attack is just one of many DDoS attacks that have made headlines this year.
What are DDoS attacks and how do they work?
DDoS attacks are cyber threats aimed at disrupting online services by flooding them with excessive traffic.
These attacks leverage botnets—compromised computer networks—often spread across multiple countries to flood target systems like web servers.
DDoS attackers use network tools and open proxy infrastructures to direct vast amounts of traffic toward a target, overwhelming its resources and causing service disruptions. These attacks can vary in type, such as those targeting the DNS and other online resources.
Detailing the Microsoft DDoS attack
Microsoft experienced significant outages across its Azure, Outlook, and OneDrive web portals in early June 2023.
These service disruptions were not random but resulted from carefully orchestrated Layer 7 DDoS attacks.
Targeted Attacks on Microsoft Services
The series of outages kicked off with the web portal of Outlook.com being targeted on June 7th, followed by OneDrive on June 8th, and culminating with the Microsoft Azure Portal on June 9th.
At the time, Microsoft did not publicly admit to being under a DDoS attack, though they did give hints, mentioning “applying load balancing processes” as part of their mitigation efforts.
Their preliminary root cause report released later noted a sudden spike in network traffic as the cause of the Azure disruption.
When Microsoft’s Security Response Center post was released, the company explicitly confirmed that the outages resulted from a Layer 7 DDoS attack. This attack targets the application level, deluging services with such a high volume of requests that they can’t process them all, effectively causing them to crash.
Layer 7 DDoS attacks are a new breed of DDoS that allows attackers to do much more damage with fewer resources. They can deliver more “requests per second” and are more sophisticated since they are better at masquerading as legitimate traffic.
Detailing the threat of this new breed of DDoS attack, Akamai’s Advisory Chief Information Security Officer, Steve Winterfeld, noted when asked about the perception of DDoS: “It was interesting that last year, DDoS was low on the concern, and this year, it’s high on the concern. But then, when you go back and look at where people plan to spend money, it doesn’t correlate back to the perception of the threat.”
Since then, other tech giants had websites taken down by Anonymous Sudan, including OpenAI’s ChatGPT and even the DDoS protection company, CloudFlare.
With DDoS attacks up 200% from 2022, companies like Microsoft, Cloudflare, OpenAI, and others are having to adjust strategies to protect themselves from the threat of modern DDoS attacks.
Let’s look more at the attack mechanism used against Microsoft as it sheds light on the future of these types of attacks.
Attack mechanism used against Microsoft
Anonymous Sudan employed three distinct types of Layer 7 DDoS attacks on Microsoft’s services:
- HTTP (S) Flood Attacks: A method that inundates a server with HTTP requests.
- Cache Bypass: Targets the application by bypassing its cache.
- Slowloris: A tactic designed to keep as many connections to the target web server open as possible, eventually causing it to exhaust its resource pool.
These techniques can rapidly overwhelm a web service by using up all available connections, rendering the service unable to accept new requests.
Who is Anonymous Sudan?
While Microsoft refers to the threat actors as Storm-1359, they have made a name for themselves in the cybersecurity world as Anonymous Sudan. Since their inception in January 2023, this group has posed a formidable threat, declaring they would target any nation opposing Sudan. Their usual method of operation involves initiating DDoS attacks and leaking any data they steal.
The group’s ambitions became more evident in May 2023 when they began demanding ransoms from large organizations. Their initial target was Scandinavian Airlines (SAS), demanding $3,500 to cease the DDoS attack. However, their demands escalated in June when they shifted focus to Microsoft, demanding a whopping $1 million.
Interestingly, their motivation seemed two-fold. On one hand, they claimed their attacks were protests against the USA’s involvement in Sudanese politics.
On the other, there are speculations that Anonymous Sudan may have ties to Russia, given their recent announcement about forming a “DARKNET parliament” with other pro-Russian groups, hinting at impending attacks on European banking systems.
While no such attacks on the European banking infrastructure have been confirmed, Anonymous Sudan has showcased the capability and resources to carry out their threats, suggesting financial institutions should be on high alert for future disruptions.
Where password hygiene fits into DDoS attacks
DDoS attacks, which aim to overwhelm a server or network resource with enormous traffic, are a mounting threat in the cyber landscape.
While the nature of these attacks centers on traffic inundation, the mechanisms by which attackers amplify these threats often relate to the vulnerabilities of common internet-connected devices.
This is where password hygiene becomes crucial.
- Botnets and DDoS attacks: One of the primary weapons in a DDoS attacker’s arsenal is a botnet – a network of compromised devices. These zombie devices participate in a coordinated attack to flood targets with malicious traffic. But how do devices become part of a botnet in the first place?
- Compromise through malware: One common method attackers employ is tricking users into downloading malicious files and turning their devices into bots. Once a device is compromised, it can be remotely controlled by the attacker and can participate in large-scale DDoS attacks.
- Default passwords and device compromise: Beyond malware, cybercriminals often exploit the inadequate password habits of users. Many devices, especially IoT devices, come with default factory settings, which can include easily guessable usernames and passwords (like “admin” or “password”). By scanning the internet for such vulnerable devices, attackers can gain unauthorized access, modify settings, and recruit the device into their botnet army.
- The role of password hygiene: Strong password hygiene helps prevent devices from being compromised and leading to DDoS. Here’s how:
- Routers: As the primary gateway to your internet connection, routers are prime targets. Changing default credentials and updating the router’s firmware can shield your network from unauthorized access.
- IoT devices: Devices connected to the internet, from smart fridges to security cameras, should never retain their default credentials. Always change these upon setting up the device.
- Regularly check passwords against compromise: Block the use of stolen or compromised passwords from your Active Directory environment as they can be used to gain a foothold in targeted attacks.
- The bigger picture: While DDoS attacks aim to disrupt rather than breach, compromised devices due to poor password practices can lead to other threats, such as data theft or malware spread. Sometimes, DDoS attacks can even act as smokescreens for an underlying breach.
Improving Password Hygiene with Specops Password Policy to protect against credential-based attacks
Credential-based attacks, a primary mode of cyber breaches, leverage weak or compromised passwords.
Specops Password Policy Specops Password Policy provides a robust framework to combat these threats, offering multiple layers of protection.
- Block weak passwords: Specops Password Policy actively prevents the use of weak passwords in your Active Directory. Employing a password dictionary containing commonly used or weak passwords it ensures users don’t set passwords that can be easily guessed o. The custom dictionary feature allows organizations to block passwords specific to their details, such as the company name, acronyms, location and more.
- Compliant password policies: Ensuring compliance with global password standards addresses regulatory demands and ensures higher security. Specops Password Policy provides templates adhering to regulations from NIST, CJIS, and others, ensuring passwords match or exceed specific industry compliance standards.
- Password entropy: Going beyond simple password lengths, Specops Password Policy enforces complexity. It prohibits common character patterns, like repetitions or using the same characters at the beginning or end. The system promotes the use of passphrases, helping users select robust passwords without sacrificing recall.
- Real-time feedback: As end-users change or set passwords with Specops Password Policy, they receive real-time feedback. It assists users in selecting secure passwords on the first attempt, reducing the number of calls to helpdesks due to failed password changes.
- Breached password protection: Blocks over 4 billion compromised passwords using a dynamic list that includes those found on known breached lists and those currently being used in attacks. Additionally, the system can identify and help eliminate compromised passwords already used within an organization.
Click here to get a free trial of Specops Password Policy and see how it can help strengthen password security.
Sponsored and written by Specops Software.