Microsoft: DDoS Attack on Azure Services Exacerbated by Defense Error
2024-8-1 02:30:43 Author: securityboulevard.com (view original)

Microsoft’s headaches continued this week, with outages hitting several of its services – including Azure, Microsoft 365, and Outlook – on Tuesday, less than two weeks after the global outage caused by a faulty software update from cybersecurity firm CrowdStrike.

It turns out that the most recent problems were caused by a distributed denial-of-service (DDoS) attack on its Azure Front Door and Azure Content Delivery Network on July 30. The attack created an unexpected spike in internet traffic to the services that caused their performance to degrade, which led to intermittent errors, timeouts, and latency issues.

However, the situation got worse when the tech giant’s defenses kicked in to respond to the DDoS attack, according to a note on Microsoft’s Azure status page.

“While the initial trigger event was a Distributed Denial-of-Service (DDoS) attack, which activated our DDoS protection mechanisms, initial investigations suggest that an error in the implementation of our defenses amplified the impact of the attack rather than mitigating it,” the company wrote.

The outages and performance problems with the Azure services began at about 7:45 a.m. ET and once investigators understood what was causing them, they changed network configurations to support the company’s DDoS protection initiatives, failing over to other networking paths to relieve the traffic congestions.

Lingering Problems After Initial Mitigation

Microsoft’s Azure Front Door is a cloud content delivery network service that provides performance, scalability, and security for users’ content and applications. The configuration changes mitigated most of the issues in fewer than three hours. However, some customers still reported less than 100% availability, which Microsoft engineers began mitigating at around 2 p.m. ET.

“We proceeded with an updated mitigation approach, first rolling this out across regions in Asia Pacific and Europe,” they wrote. “After validating that this revised approach successfully eliminated the side effect impacts of the initial mitigation, we rolled it out to regions in the Americas.”

They finally got the failure rates back to normal by 3:45 p.m. ET, though “some downstream services took longer to recover, depending on how they were configured to use AFD and/or CDN.”

Though the Azure service outages didn’t have the same global impact as those caused by the CrowdStrike update, they did distress the affected users. There’s no indication of who launched the DDoS attack, though two hacktivist groups have claimed responsibility. LulzSec wrote on its Telegram page that it was responsible, while SN_Blackmeta listed Azure among a number of targets, which also included the United States, France, and Shopify.

SN_Blackmeta a Rising Threat

Threat researchers with cybersecurity firm Radware earlier this month reported on a large and sustained DDoS attack on a financial institution in the Middle East that they attributed to SN_Blackmeta, which they described as a pro-Palestinian hacktivist group with potential ties to Sudan and possibly operating out of Russia.

The attack lasted six days, with the organization under attack for 70% of that time. There were multiple DDoS attack waves that lasted anywhere from four to 20 hours, adding up to 100 hours of attack time with an average of 4.5 million requests per second and a peak of 14.7 million RPS.

In May, the group claimed to be behind a reported three-day DDoS attack on the nonprofit digital library Internet Archive, which is based in San Francisco.

In a report earlier this month, F5 Networks said DDoS attacks are a growing problem, from their increasing complexity and frequency to their average peak bandwidth. There were 112% more attacks in 2023 than in the previous year, with the size of attacks consistently running above 100Gb/s, and many exceeding 500Gb/s.

DDoS-as-a-service is helping to drive the growth in such attacks, and hacktivism also played a key role, according to the company.

“Notably, America, France, and the UK saw significant spikes in DDoS activity which align closely to geopolitical events playing out on the global stage,” the researchers wrote. “This reinforces the understanding that unskilled but politically motivated individuals are increasingly making use of DDoS servers (stressors) and botnets in an attempt to make their voice heard.”

A Warning About Elections

Also, the FBI and CISA issued an advisory Wednesday that with the high-profile U.S. elections fewer than 100 days away, there could be DDoS attacks on the infrastructure used to run the elections, but added that while such attacks could hinder voter access to election information, they wouldn’t prevent voting.

“Given the prevalence of false claims about DDoS attacks in prior U.S. and foreign elections, we are warning that DDoS attacks against election-related websites could temporarily disrupt access to some online election functions, like voter look-up tools, but would not prevent voting or compromise the integrity of voting systems,” FBI Deputy Assistant Director Cynthia Kaiser said.

Source: https://securityboulevard.com/2024/07/microsoft-ddos-attack-on-azure-services-exacerbated-by-defense-error/