Another common attack vector used against cloud and online services at Microsoft is Distributed Denial of Service (DDoS), including DNS amplification attacks (in which the attacker sends small queries with a spoofed source address to publicly accessible open DNS resolvers, so that the much larger responses flood the target). DNS amplification made headlines in March 2013, when attackers used the technique against the Spamhaus spam prevention service with as much as 300 gigabits per second (Gbps) of traffic.4
On a daily basis, Microsoft's DDoS protective measures apply mitigations against DoS and DDoS attacks to preserve uptime and availability for services and customers. Common attack types include SYN floods, DNS amplification, malformed TCP and UDP packets, and application-layer abuses specific to HTTP and DNS. One technique used by a number of freely available DDoS toolkits, described below, floods the target with fragmented IP packets that carry a fixed padding payload.
A DDoS attack in progress shows up quickly in monitoring telemetry as a sharp rise in both packets per second and bits per second, as seen in Figure 4. The 30 Mbps attack shown here is small, but if left unchecked it could still impact the availability of the service.
Figure 4. Flow monitoring telemetry during a DDoS attack
A typical attack involving IP fragments consists of a padded payload made up of a single ASCII letter, such as A (0x41 in hexadecimal), repeated many times, and transmitted over multiple protocols, including User Datagram Protocol (UDP), Transmission Control Protocol (TCP), Internet Control Message Protocol (ICMP), KRYPTOLAN, Versatile Message Transaction Protocol (VMTP), Internet Protocol version 6 (IPv6), Extensible Name Service (XNS), and others. Packets are often padded out to the full 1,518-byte Ethernet frame size, and the UDP fragments are directed to multiple destination ports.
Figure 5 represents a UDP fragment that was captured during an attack.
Figure 5. A UDP fragment from a DDoS attack
During one 60-second window of the attack, Microsoft observed more than 8,985 unique source IP addresses sending fragmented traffic. Because the service was forced to drop incoming packets during the attack, the captured telemetry is an undercount, and the actual volume of the attack was probably considerably greater than what Microsoft was able to analyze.
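The two signals described above, a jump in packets and bits per second on the flow telemetry (Figure 4) and fragments whose payload is one repeated byte arriving from thousands of distinct sources, can be checked together in a few lines. The following is an added example, not Microsoft's monitoring code: it parses raw IPv4 packets, marks padded fragments, aggregates 60-second windows, and flags a window whose packet rate, padded-fragment share and unique-source count all exceed thresholds relative to a baseline window. The traffic it analyzes is constructed inline (an ordinary 60 seconds of UDP followed by a fragment flood from random sources); the thresholds, the destination address 203.0.113.10 and the helper names are assumptions for the example.

```python
import random
import socket
import struct
from collections import defaultdict

PAD_BYTE = 0x41           # 'A', the padding byte seen in the captured fragments
IP_MF = 0x2000            # "more fragments" flag in the IPv4 flags/offset field
IP_OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, in units of 8 bytes
PROTO_UDP = 17


def build_ipv4(src, dst, proto, payload, ident=1, mf=False, offset=0):
    """Build a minimal IPv4 packet: 20-byte header, no options, checksum left zero."""
    flags_off = (IP_MF if mf else 0) | ((offset // 8) & IP_OFFSET_MASK)
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(raw):
    """Decode the fields we need from an IPv4 header and return them with the payload."""
    (ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto,
     _csum, src, dst) = struct.unpack('!BBHHHBBH4s4s', raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        'src': socket.inet_ntoa(src), 'dst': socket.inet_ntoa(dst),
        'proto': proto, 'ident': ident,
        'mf': bool(flags_off & IP_MF),
        'offset': (flags_off & IP_OFFSET_MASK) * 8,
        'length': total_len, 'payload': raw[ihl:total_len],
    }


def is_padded_fragment(pkt):
    """A fragment (MF set or non-zero offset) whose payload is a single byte value repeated."""
    p = pkt['payload']
    return (pkt['mf'] or pkt['offset'] > 0) and len(p) > 0 and p.count(p[0]) == len(p)


def window_stats(records, window=60):
    """Aggregate (timestamp, raw_packet) records into per-window pps, bps and fragment indicators."""
    acc = defaultdict(lambda: {'packets': 0, 'bytes': 0, 'padded_frags': 0, 'sources': set()})
    for ts, raw in records:
        pkt = parse_ipv4(raw)
        s = acc[int(ts // window)]
        s['packets'] += 1
        s['bytes'] += len(raw)
        if is_padded_fragment(pkt):
            s['padded_frags'] += 1
            s['sources'].add(pkt['src'])      # unique sources of the padded fragments
    return {w: {'pps': s['packets'] / window,
                'bps': s['bytes'] * 8 / window,
                'padded_frags': s['padded_frags'],
                'frag_sources': len(s['sources']),
                'frag_share': s['padded_frags'] / s['packets']}
            for w, s in sorted(acc.items())}


def flag_windows(stats, baseline_window, pps_factor=5.0, min_share=0.5, min_sources=100):
    """Windows whose packet rate, padded-fragment share and source count all exceed thresholds (assumed values)."""
    base = stats[baseline_window]
    return [w for w, s in stats.items()
            if w != baseline_window
            and s['pps'] >= pps_factor * base['pps']
            and s['frag_share'] >= min_share
            and s['frag_sources'] >= min_sources]


def sample_capture(seed=0):
    """Constructed traffic: window 0 is ordinary unfragmented UDP; window 1 adds a padded-fragment flood."""
    rng = random.Random(seed)
    records = []
    for i in range(600):                      # 10 pps of normal DNS-sized UDP for 60 s
        src = f'10.0.{rng.randrange(256)}.{rng.randrange(256)}'
        udp = struct.pack('!HHHH', rng.randrange(1024, 65535), 53, 8 + 40, 0)
        udp += bytes(rng.randrange(256) for _ in range(40))
        records.append((i / 10, build_ipv4(src, '203.0.113.10', PROTO_UDP, udp, ident=i)))
    pad = bytes([PAD_BYTE]) * 1480            # fragment filling a 1500-byte IP MTU
    for i in range(6000):                     # 100 pps of 'A'-padded fragments from random sources
        src = f'{rng.randrange(1, 224)}.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}'
        records.append((60 + i / 100, build_ipv4(src, '203.0.113.10', PROTO_UDP, pad,
                                                 ident=i, mf=True, offset=1480)))
    return records


if __name__ == '__main__':
    stats = window_stats(sample_capture())
    for w, s in stats.items():
        print(f"window {w}: {s['pps']:.0f} pps, {s['bps'] / 1e6:.1f} Mbps, "
              f"{s['padded_frags']} padded fragments from {s['frag_sources']} sources")
    print('flagged windows:', flag_windows(stats, baseline_window=0))
```

Counting unique sources only among the padded fragments, rather than across all traffic, is what separates a distributed flood from a single misbehaving host; in a real deployment the baseline would come from a rolling history rather than the first window, and the packet drops mentioned above mean the counts are a floor, not a measurement of the attack.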
An investigation of a host known to have participated in a recent attack, acquired through appropriate legal means by the Microsoft Digital Crimes Unit (DCU), revealed a common attack tool (currently detected as Backdoor:Perl/IRCbot.E) that was used for UDP flooding.
Figure 6. Perl code from a UDP flooding trojan
Tools such as this IRCbot give even unsophisticated attackers a platform from which to launch potentially damaging attacks on cloud services. Although the defensive measures and tactics Microsoft employs help mitigate such attacks, doing so can nonetheless be burdensome and resource intensive.
4 Michael McNally, "What is a DNS Amplification Attack?", ISC Knowledge Base, April 1, 2013, https://deepthought.isc.org/article/AA-00897/0/What-is-a-DNS-Amplification-Attack.html.