Co-author: Syed Pasha, Principal Cloud Network Engineering Manager
In the realm of cybersecurity, Distributed Denial-of-Service (DDoS) attacks are a significant concern. The recent holiday season has unveiled a complex and evolving threat landscape, marked by sophisticated tactics and diversification. From botnet delivery via misconfigured Docker API endpoints to the NKAbuse malware's exploitation of blockchain technology for DDoS attacks, the tactics and scale of these attacks have shown significant sophistication and diversification.
Understanding and staying abreast of recent DDoS trends and attack vectors is crucial for maintaining robust network security and ensuring the availability of services. One such example is the recent HTTP/2 Rapid Reset Attack, where Microsoft promptly provided fixes and recommendations to safeguard web applications. This vulnerability exploits the HTTP/2 protocol, allowing attackers to disrupt server connections by rapidly opening and closing connection streams. This can lead to denial of service (DoS) conditions, severely impacting the availability of critical services and potentially leading to significant downtime and financial losses. Another example we wrote about were reflected TCP attack vectors that recently emerged in ways that were not believed possible before.
By closely monitoring these emerging threats, security professionals can develop and implement timely and effective countermeasures to protect their networks. This proactive approach is essential for anticipating potential vulnerabilities and mitigating risks before they can be exploited by malicious actors. Furthermore, understanding the evolving landscape of DDoS attacks enables the development of more resilient security architectures and the enhancement of existing defense mechanisms, ensuring that networks remain secure against both current and future threats.
In this blog, we focus on the newly revealed Application Loop DDoS attack vector. Microsoft hasn’t witnessed this vulnerability translated to actual DDoS attacks yet. However, we believe it’s important to highlight the threat landscape we see in Azure for UDP reflected attacks, as they present a prevalent attack vector with similar base pattern as Loop attacks. We then discuss what protection strategies Microsoft employs to protect Azure platform, our online services, and customers from newly emerging threats.
The Emergence of Loop DDoS Attacks
The Loop attack vulnerability was disclosed last month by CISPA. The attack exploits application-layer protocols relying on User Datagram Protocol (UDP). CISPA researchers found ~300,000 application servers that may be vulnerable to this attack vector. The published advisory describes Loop attacks as a sophisticated DDoS vector, exploiting the interaction between application servers to create a never-ending (hence the term Loop) cycle of communication that can severely degrade or completely halt their functionality. This attack method uses spoofed attack sources to create a situation where two or more application servers get stuck in a continuous loop of messages, usually error responses, because each server is programmed to react to incoming error messages with an error message.
Amongst the vulnerable applications, TFTP, DNS, NTP as well as legacy protocols, such as Echo, Chargen, QOTD, are at risk. The researchers provided a practical example of this, when two DNS resolvers automatically reply to error messages with their own errors. An attacker can start a loop by sending one fake spoofed DNS error to one resolver. This makes it send an error to the spoofed resolver, which does the same, creating an endless cycle of errors between them. This wastes the DNS servers' resources and fills up the network links between them, with the potential to cause serious problems in service and network quality. Depending on the exact attack topology, Loop attacks may generate excessive amounts of traffic like other volumetric DDoS floods (e.g. DNS reflected amplified attacks).
How Loop DDoS differs from other volumetric DDoS attacks
The Loop attack is a kind of DDoS attack vector that targets applications and may manifest as a large-scale flood at the network layer as well. The cause is that attackers can set up multiple attack loops among multiple servers in a network or across networks in the peering links, overwhelming the servers and networks with traffic floods.
Like UDP reflected attacks, Loop attacks use a basic UDP weakness – the possibility to fake a source IP address to initiate the attack Loop. One of the most common attack vectors nowadays is the reflected UDP-based floods. It’s similar to Loop attack in that the malicious actor sends spoofed-source packets to an application server that replies to the spoofed IP, i.e. the victim. By generating many of these requests to an application server, the victim gets many of the responses they didn’t ask for. The impact of the reflected attack may be significantly more disastrous if the attacked application generates more traffic in response that it receives in the request. When this happens, it becomes a reflected amplified attack. Amplification is the secret sauce of why these attacks are dangerous. Loop attack is different than reflected amplified attacks in that the response may not necessarily be amplified. That is, for each spoofed packet sent to the application server, there may be a single response. However, Loop attacks are way more dangerous when the victim server who gets the response replies with its own response, which in turn is answered with another response in a loop that never ceases. For the malicious actor, it takes only a single well-crafted packet to create a Loop attack. If the attack is sent between multiple application servers, it is becoming a volumetric DDoS flood that may risk not only the application, but also the underline networks. Another interesting difference between reflected amplified UDP attacks and the Loop attack is that with Loop attack the malicious actor doesn’t control the attack lifecycle. Once the first packet is generated the Loop starts, and there’s no way for the attacker to stop it.
Reflected Amplified Attack Landscape in Azure
Since reflected amplified UDP attacks are similar to Loop attacks in their basic reflection pattern and their volumetric nature, we provide recent reflected attack landscape in Azure. As we see in the figure, UDP reflected amplification attacks account for 7% of all attacks in the first quarter of 2024.
Figure 1 - distribution of main attack vectors in Azure, January-March 2024
Out of the main attack vectors, we see reflected amplified UDP attacks, such as SSDP, DNS, NTP, CLDAP, Memcached and CharGEN as the top attack vectors.
Figure 2 - distribution of reflected amplified UDP attack vectors in Azure, January-March 2024
Azure’s Approach to DDoS Attacks
Azure employs multiple layers of DDoS protection across its network topology and OSI layers. From OSI layers perspective, DDoS attacks can manifest themselves as application and/or network layer attacks. Depending on the attacked application, different countermeasures are employed to protect against web attacks, DNS attacks, and attacks on gaming workloads. The common denominator for all protections is a DDoS network protection layer whose role is to safeguard our platform against volumetric floods, regardless of whether it’s an application attack that presents itself as a network flood, or a volumetric TCP or UDP attack.
Moreover, we apply the best mitigation at different places in the network to mitigate attacks in the most efficient manner and closest to the attack source as possible. Protections are employed at multiple rings in the network. The first ring aims to protect our peering links with other networks. When attacks risk our peering links, we mitigate them outside of our network, typically at the transit network. Multiple countermeasures are utilized to mitigate attacks outside of our network, and we select those that are most valuable for a specific scenario. The second ring is our network edge. We use inline and out-of-path DDoS pipelines to mitigate attacks that enter our network at the edge. We use various L3-L7 countermeasures to protect against network floods, web applications and DNS attacks, be it volumetric or low & slow. The next ring is our WAN network, at which we employ strategies to prevent our WAN network getting saturated by very large network floods. We employ various traffic engineering and machine learning models to detect and to deprioritize attack traffic when we need to throttle it. The last ring is in the region, where we employ an advanced mitigation pipeline who can mitigate attack vectors to protect our data centers’ infrastructure and customers’ workloads. In this ring we employ specific application and network-layer DDoS countermeasures to mitigate advanced attack vectors.
Figure 3 – Azure’s protection rings
Mitigating Loop attacks
CISPA researchers haven’t witnessed an exploited Loop attack in the wild yet. Moreover, the exact vulnerable payloads used to trigger the attacks in their research were not disclosed publicly. Yet, application vendors susceptible to Loop attacks should patch this vulnerability in their applications, and new application designs should account for this potential attack vendor in their development cycle.
As we’ve mentioned, Loop attacks may impact applications in two ways: (1) the endless loop of error messages from one application server to another may overwhelm the CPU and render it unavailable to serve legitimate client requests; (2) depending on the network topology of a Loop attack, it may become volumetric in nature hence saturate networks and network connections. Each of the protection rings described earlier will play an active role to defend against such attacks when they emerge.
We haven’t monitored Loop attacks in Azure up to date. However, we have built-in countermeasures that will mitigate Loop attacks once they become volumetric. Loop attacks are between servers, and our pipeline is able to detect spoofed sources, reflected attacks, and attacks between application servers. Specifically, for UDP-based applications, we can detect and mitigate Loop attacks for vulnerable applications, this includes DNS, Memcached, NTP, SSDP and more. We do it by monitoring communication between application servers and throttling volumetric floods. This ensures that Loop attacks, if happen, will not risk our platform, network and customers’ applications. To prevent Loop attacks from impacting application servers’ due to depleted CPU resources, application owners should patch their servers against this vulnerability.
Recommendations for Azure users
We recommend all customers with resources that are reachable from the Internet to onboard to Azure’s DDoS Protection offering. With this protection they ensure that their resources are protected against volumetric attacks, including Loop attacks. By onboarding to DDoS Protection SKUs, customers get protection tailored to their specific application footprint. This ensures we apply a DDoS policy that adheres to the exact application posture. Since each application is different, it’s crucial to apply a policy that best represents the protection for that application.
Next steps
- Enable DDoS protection for your resources.
- Simulate DDoS attacks to make sure your resources are protected.
- Enable telemetry and logging to monitor attacks.
- Utilize Microsoft Sentinel to integrate DDoS in your Security Orchestration and Response (SOAR) strategy and get alerts and recommendations from Microsoft Defender for Cloud.
