back to article Microsoft says Azure fended off what might just be the world's biggest-ever DDoS attack

Microsoft claims its Azure cloud has fended off the largest DDOS attack it's detected, which clocked in at 2.4Tbit/sec. The software giant has disclosed the attack, which Azure networking senior program manager Amir Dahan wrote was detected in late August. "The attack traffic originated from approximately 70,000 sources and …

  1. Roger Kynaston

    Europe you say

    My bets are on Lord Frost as a negotiating tactic.

    1. Marc 13

      Re: Europe you say

      Ah, that's how they mitigated it... they inspect packets from 3rd countries at the boarder

  2. Anonymous Coward
    Anonymous Coward

    Time for wild and uninformed guesses as to the target!

    I'm going to hazard a wild and uninformed guess that the target was Euro Disney, based on a rumour that they were thinking about launching a new Winnie the Pooh ride.

    Start the uninformed rumour mill now! :p

  3. W.S.Gosset Silver badge


    Gotta say -- I'm impressed by Microsoft. That's one serious DDoS to be able to just absorb with no apparent consequences for the target (or others).

    1. Charlie Clark Silver badge

      Re: Impressed

      Maybe, but as I understand it, this just means they've got the same kind of poisoned UDP packet detection and dev/null that Akamai and CloudFlare have been touting for years: this is mainly a job for properly configured firewalls.

      1. katrinab Silver badge

        Re: Impressed

        The problem is that no matter how good your firewall is at blocking packets, it can't stop them arriving at the network port in the first place and preventing the packets you do want arriving from getting through.

  4. Flak

    Mine is bigger than yours

    Azure, AWS, Akamai and Cloudflare are all claiming the 'biggest DDOS' crown - a bit like superyachts - is it length, is it displacement, is it internal volume?

    Regardless of whose is the biggest - these are all serious and likely to only get worse. Makes it very clear that CPE based DDOS protection for on prem or dedicated data centre infrastructure would never be able to fend off a volumetric attack (but may clearly still be very relevant to application layer DDOS mitigation). Volumetric DDOS mitigation requires a network and collaborative mitigation strategy.

    1. TeeCee Gold badge

      Re: Mine is bigger than yours

      Obviously it's length and girth, the only metrics that matter in a willy-waving contest.

    2. Chairman of the Bored

      Re: Mine is bigger than yours

      No, it's a communication network contest, so the real metric is how far you can shoot your comm.

    3. dirkjumpertz

      Re: Mine is bigger than yours

      "a network and collaborative mitigation strategy"

      Nope... regulation and BCP38 but as long as DDOS attacks are a source of revenue and carriers, ISP, IXP and all in between claim that BCP38 is too costly/complex or any other nonsense...

  5. Steve 39

    Yet they can't keep their VMs up and running

    On the day that their Azure VMs fail to start...

  6. Anonymous Coward
    Anonymous Coward

    Yeah, but....

    This is all well and good, and kudos to all involved etc.

    Now all Microsoft have left to sort out is their own Azure / Office 365 DDoS activities, which typically go something like:

    1) You noticed something's broke...we're on it.

    2) Yeah, it's broke...investigating.

    3) Um, yeah, we just applied a patch / update and we're rolling it back.

    4) Aren't we great, we fixed it!

    5) ??

    6) Rinse, repeat.

    7) Still profit.

    1. Anonymous Coward
      Anonymous Coward

      For the thumbs-downers (downer!), you must like this stuff then:

      Microsoft 365 Status


      Oct 7

      We've determined that a recent update contained a misconfiguration for PSTN requests. We're reverting the update to remediate impact. More information is available under TM289868 in the admin center.

      Jun 11

      We've isolated a recent change that has caused portions of infrastructure to send some Microsoft Teams calls straight to voicemail. We're preparing to rollback the change. More details will be provided under TM261472 in the admin center.

      Jun 10

      We reverted a recent update that caused this issue and have validated that service has been restored. Additional information can be found in the admin center under TM261228.

      May 26

      We're reverting a change that has caused inbound email to be incorrectly routed to the junk folder. Additional information can be found in the admin center under EX258373.

      1. Sandtitz Silver badge

        @ AC

        For the thumbs-downers (downer!), you must like this stuff then:


        It's not relevant here, your message didn't bring anything new to the conversation about the DDoS attack - we all know Microsoft and all other cloud peddlers fail from time to time.

        How would you feel if Linux/Apple/(whatever your fancy) were reported to have done something positive - comparable to this fending off 2Tb/s DDoS attack - and an Anonymous Coward comes only up with something like "yeah, but how about them 140 Linux kernel vulnerabilities in 2021 and counting!! What a bunch of nincompoop coders!

        Sure, bashing Micros~1 in every article is going to get you upvotes from haters, because...Microsoft. I can only hope that these forums don't degenerate into more vicious state than they already are.

        1. sten2012

          Re: @ AC

          Fair - I can say with near (handwavy) certainty what operating system that wound up directly involved in mitigating this was not, if bashing MS is fair game! (from a traffic management perspective, when I say directly. Not the traffic management management workstations!)

          I'd pay to watch this happening on RRAS or "Internet connection sharing" though.

          I don't see anything in this chain as vicious personally, and cloud services going down is a big deal, and rightfully people are annoyed when it happens. It's the big sell of going managed cloud. It's about Azure, so they get the flak here. They can repel malicious outsiders but don't always succeed at testing internally as the previous posters timeline shows.

      2. Anonymous Coward
        Anonymous Coward


        "For the thumbs-downers (downer!), you must like this stuff then:"

        Don't feel bad! My joke about it being 70,000 compromised windows computers has gotten 17 downvotes to 4 upvotes. Tough crowd, tough crowd.

  7. Anonymous Coward
    Anonymous Coward

    "The attack traffic originated from approximately 70,000 COMPROMISED WINDOWS COMPUTERS and from multiple countries..."


    1. Wexford

      Windows computers? Got some sauce on that?

    2. arachnoid2

      70,000 Unlicensed windows computers


  8. Paul 87

    Well our North European based instances haven't been able to be accessed until around 12pm today, so as for "fending off" I'm not entirely convinced that it's been working as planned....

    1. Antonius_Prime

      RE: "working as planned"

      Have you been attempting to connect from Asia though?

  9. Skiron

    App store

    I bet this was someone trying to install solitaire on their kids computers.

    1. marcellothearcane

      Re: App store

      Doesn't it come preinstalled? (Along with candy something and myriad other nonsense apps)

  10. Anonymous Coward
    Anonymous Coward

    So that's a DDoS on a DDoS?

    I mean, Azure is already..

    (I'm just here for the downvotes :) ).

    1. Roger Kynaston

      Re: So that's a DDoS on a DDoS?

      You have put me in a quandry. should I downvote you since you want downvotes or upvote you for a good observation/joke.

      1. Anonymous Coward
        Anonymous Coward

        Re: So that's a DDoS on a DDoS?

        So the end result is something like UK's usual Eurovision score?


  11. elaar

    70,000 sources... Do ISPs in these countries have no packet filtering/inspection on their edge routers?

    1. Anonymous Coward
      Anonymous Coward

      Only the attacker's system(s) need to evade source filtering.

      At the other 70,000 locations, their ISPs will happily pass incoming traffic with source address X and destination address Y (inside the network), and pass outgoing traffic with source address Y (inside the network) and destination address X. They can't tell that X is spoofed.

  12. sten2012

    Impressive but...

    ... Who pays?

    This is the thing that terrifies me about cloud. Is the targetted party in this, rather than a few minutes of downtime going to get landed with a 30 petabyte data transfer bill instead?

    Not a single page timeout, unfortunately your personal CV page blog with a single visitor owes use £360,000 for the month and counting.

    (yes I'm genuinely this ignorant, but believe it's transfer out that counts? But I wouldn't want to bet my house on it). I'll take the DoS, please.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like