Large-scale cloud service outage due to "excessive" DDoS defense

Aug 02, 2024 · 12 min read

Discover the implications of the recent large-scale cloud service outage attributed to "overzealous" DDoS defense measures, the impact it had, and the lessons learned from the incident.

Microsoft, the world's largest cybersecurity company, keeps reshaping people's understanding of what a "security threat" is. On Wednesday evening, Microsoft announced that the widespread and prolonged outages that hit multiple Microsoft 365 and Azure cloud services on Tuesday were caused by an overzealous reaction of Microsoft's own DDoS protection mechanism, triggered by a DDoS attack.

The outage affected various Microsoft services, including Xbox, Microsoft Entra, Microsoft 365, Microsoft Purview (including Intune, Power BI, and Power Platform), Azure App Service, Azure IoT Central, Azure Log Search Alerts, Azure Policies, and Azure Portal.


In a mitigation statement released on Wednesday, Microsoft acknowledged that the triggering factor for the outage was a DDoS attack, although the specific threat actor responsible has not yet been identified.


According to the security research firm CyberKnow, the hacker group SN_blackmeta posted evidence of its involvement in the Microsoft DDoS attack on its Telegram channel early Thursday morning. Other hackers also took part in DDoS attacks targeting Microsoft cloud services.

SN_blackmeta, like Anonymous Sudan, is a pro-Palestinian hacker group that primarily targets infrastructure and enterprises in the United States and its allies that support Israel, and it has both the capability and the motive to attack Microsoft. A week earlier, Radware reported that SN_blackmeta had conducted a six-day DDoS attack against a financial institution in the Middle East, peaking at 14.7 million requests per second (RPS).

However, according to Microsoft's statement on Wednesday, the primary cause of the widespread and prolonged outage of Microsoft cloud services was their own DDoS protection mechanism. Microsoft stated, "Preliminary investigation indicates that a DDoS attack triggered our DDoS protection mechanisms, which, due to an error in our defensive measures such as failover, exacerbated rather than mitigated the impact of the attack."


Previously, Microsoft had attributed similar incidents to "unexpected usage peaks" affecting the Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components, which resulted in intermittent errors, timeouts, and latency spikes.

Microsoft plans to release a Preliminary Incident Report (PIR) within 72 hours and a Final Incident Report within the following two weeks, providing more details and lessons learned from this week's outage.


Microsoft's cloud services have faced numerous challenges over the past year, with frequent outages. Earlier this July, Microsoft attributed a widespread outage affecting thousands of Microsoft 365 customers to Azure configuration changes.

In mid-July, a faulty CrowdStrike update caused global blue screens on 8.5 million Windows devices, deemed the largest system crash in history. Microsoft's Azure data centers in the Central US region were also affected, disrupting services ranging from Microsoft 365 Office applications to Xbox.

Previously, in June 2023, Microsoft confirmed a Layer 7 DDoS attack by the group Anonymous Sudan (also known as Storm-1359) that rendered its Azure, Outlook, and OneDrive portals inaccessible. That group, with purported ties to Russia, shares ideological and behavioral similarities with SN_blackmeta, which claimed responsibility for the recent DDoS attack on Microsoft.

In July 2022 and January 2023, Microsoft 365 services were significantly impacted due to Enterprise Configuration Service (ECS) deployment failures and wide-area network IP changes, respectively.
