It is already the largest DDoS attack on an Azure cloud customer, bigger than the previous high, the Azure 1 Tbps attack in 2020, and Microsoft said it was “higher than any network volumetric event previously detected on Azure.”
The attack came from more than 70,000 sources from several Asia-Pacific countries, including Malaysia, Vietnam, Taiwan, Japan and China, as well as the U.S.
The attack vector was a User Datagram Protocol (UDP) reflection attack and lasted over 10 minutes with very short-lived bursts. Each burst increased to terabit volume in seconds. Microsoft reported three major spikes, the first at 2.4 Tbps, the second at 0.55 Tbps and the third at 1.7 Tbps.
In a UDP reflection attack, the attacker takes advantage of the fact that UDP is a stateless protocol, which means that the attackers can create a valid UDP request packet that lists the IP address of the target as the UDP source IP address.
The name is derived from the type of attack reflected back and forth in the local network, and the UDP packet contains the spoofed source IP and is sent by the attacker to a middleman server.
The middleman machine helps amplify the attack by generating network traffic many times larger than the request packet, which increases the attack traffic.
The actual gain depends on the misuse of the attack protocol. The worst of these is memcached, an open-source, high-performance, distributed object caching system often used by social networks such as Facebook and its creator LiveJournal to store tiny bits of arbitrary data.
But when it comes to abuse, Cloudflare, the web performance and security company, has found that 15 bytes of requests can lead to 750KB of attack traffic – a 51,200x gain.
Attacks that exploit DNS, such as this attack, can reach 28 to 54 times as many bytes as they originally did.
Some DDoS protection is provided for all Azure users. Microsoft recommends subscribing to the Azure DDoS Protection Standard for more comprehensive protection, as it also provides cost protection.