Microsoft recently reported and responded to a surge in Layer 7 Distributed Denial of Service (DDoS) attacks. The attacks affected several Microsoft services, and as a result the company published recommendations for businesses worldwide.

In early June 2023, Microsoft began investigating an influx of traffic that affected service availability. The company tracked the ongoing DDoS activity back to a threat actor, labelled Storm-1359. The attackers appear to be leveraging multiple virtual private servers (VPS), rented cloud infrastructure, open proxies, and DDoS tools to execute these attacks.

Microsoft Reveals Recommendations to Counter Layer 7 Storm-1359 DDoS Attacks

Storm-1359’s attacks brought disruption and temporary outages to numerous Microsoft services. These include Azure, Outlook, OneDrive, Teams, and other Microsoft 365 software suites. While this caused inconvenience, Microsoft reassured customers that no evidence suggested any customer data leakage.

Given the increasing sophistication of these attacks, Microsoft has outlined recommendations to enhance layer 7 DDoS protection:

Use layer 7 protection services: Services such as Azure's Web Application Firewall (WAF), available with Azure Front Door and Azure Application Gateway, can be used to protect web applications.

Leverage bot protection: For Azure WAF users, Microsoft recommends using the bot protection managed rule set. This offers protection against known malicious bots.

Block suspicious IP addresses: Microsoft suggests that IP addresses and ranges identified as malicious should be blocked.

Geofencing: Users should block traffic from outside a defined geographic region, or even from within a defined region, or redirect it to a static webpage.

Create custom WAF rules: Microsoft advises creating custom WAF rules to automatically block and rate limit HTTP or HTTPS attacks with known signatures.
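
The sketch below is an added example, not Microsoft's code and not Azure WAF rule syntax. It shows how three of the recommendations above (IP blocking, geofencing, and rate limiting) combine when evaluated in priority order. The class name, thresholds, country list, and sample traffic are all hypothetical and constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# All values below are constructed for illustration (documentation IP ranges).
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_COUNTRIES = {"US", "CA"}
RATE_LIMIT = 5          # max requests per client per window
WINDOW_SECONDS = 10

class Layer7Filter:
    """Evaluates requests in priority order: IP block, geofence, rate limit."""

    def __init__(self):
        self._recent = defaultdict(deque)   # client IP -> timestamps in window

    def decide(self, ts, client_ip, country):
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in BLOCKED_NETS):
            return "block:ip"
        if country not in ALLOWED_COUNTRIES:
            return "redirect:static"
        window = self._recent[client_ip]
        # Drop timestamps that have aged out of the sliding window.
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return "block:rate"
        window.append(ts)
        return "allow"

def run_sample():
    """Replay constructed traffic: (seconds, client IP, country code)."""
    f = Layer7Filter()
    traffic = [(0, "203.0.113.9", "US"), (0, "198.51.100.7", "BR")]
    # One client sending 8 requests in 4 seconds, then one after the window.
    traffic += [(t * 0.5, "192.0.2.10", "US") for t in range(8)]
    traffic += [(20, "192.0.2.10", "US")]
    return [f.decide(*req) for req in traffic]

if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

Rejected requests are not counted toward the window here, so a client is allowed again once its accepted requests age out; a production rule may instead keep counting while the flood continues.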

