[HN Gopher] Microsoft's Azure portal down following new claims o...
___________________________________________________________________
Microsoft's Azure portal down following new claims of DDoS attacks
Author : donutshop
Score : 83 points
Date : 2023-06-09 15:54 UTC (7 hours ago)
(HTM) web link (www.bleepingcomputer.com)
(TXT) w3m dump (www.bleepingcomputer.com)
| AtNightWeCode wrote:
| I don't really understand how a DDoS can happen when the portal
| is using MS routing. Should be a simple fix. More likely some
| misconfiguration.
| MuffinFlavored wrote:
| i wonder how much traffic it would take to DDoS Azure's Web UI.
| You're talking about like 1,000,000+ orchestrated/coordinated
| silently hijacked machines all... what? curl'ing in a loop some
| API of theirs?
| AtNightWeCode wrote:
| One problem could be JWT. Anybody can use the bearer tokens
| from the portal and then use K6 to flood any endpoint. If you
| are willing to pay for the attack which states often do.
| re-thc wrote:
| Most people over-estimate what DDoS protection provides.
| There are all sorts of tricky attacks.
|
| The APIs are now so complex there are lots of layers - load
| balancers, gateways, kubernetes, etc etc. The attackers can
| exploit any amount of them until they find it. It could be a
| bug e.g. integer overflow on a specific header or the lower
| TCP layers, etc.
|
| It can also be very tricky to detect and stop. You may
| imagine the attacks to be constant but they are not. They do
| enough to deny service but not enough to be detected. It
| makes it very hard to differentiate from real traffic.
| jakedata wrote:
| Flawless instant access for me. Clearly not a total impact.
| Didn't even notice until I saw the headline.
| AtNightWeCode wrote:
| You are too late to the party. The problem was between 15:10
| UTC and 17:30 UTC on 9 Jun 2023.
| NicoJuicy wrote:
| It was fixed an hour ago :)
| tatersolid wrote:
| Can confirm the impact appears total for the Azure portal;
| Microsoft sells DDoS protection as part of Front Door and other
| Azure services. Do they not use it themselves?
| re-thc wrote:
| > Microsoft sells DDoS protection as part of Front Door
|
| They got in via a Back Door.
|
| A lot of places sell DDoS protection. Most of it only ever
| cover the basics. With the size of botnets, hacked computers,
| etc that are easily and cheaply available for rent - a lot of
| so called DDoS protection services can't compete.
|
| You really need to dig deep into what they mean by DDoS
| protection.
|
| What layers are covered? What type of services are covered?
|
| Also e.g. when they mention they cover volumetric attacks, it's
| often marketing more than the real deal.
|
| E.g. a provider sells $x of total protection (that number means
| across all PoPs, so usually $x / 30 or less). It can still go
| down if you focus all your attacks on a few PoPs that matter.
| MrOwnPut wrote:
| It's also important whether it's active or passive.
|
| Really important for game servers to have active DDoS
| protection, like what OVH offers. Not one that kicks in after
| the attack is detected, otherwise your players get booted,
| which is the goal of the attacker.
| re-thc wrote:
| > Not one that kicks in after the attack is detected
|
| You can't even detect the attack. I've seen 1s that are
| well disguised or the patterns are so short there's not
| enough data to tell if it's an attack or real traffic. And
| yet it's enough to crash your connection or the service
| itself.
| donutshop wrote:
| Am wondering the same thing. I have yet to meet anybody that
| does aside from Microsoft themselves.
| tatersolid wrote:
| We used Front Door for a while for our SaaS application, but
| actually had to turn it off because of a large customer whose
| janky internal IDP broke because of the mere presence of IPv6
| on the Azure Front Door CNAME records. It worked well for
| about a week for everyone else.
| nullindividual wrote:
| I use it for a number of web properties.
| nwah1 wrote:
| I worked at a commodities brokerage that used it. No
| problems.
| nullindividual wrote:
| You can tell the error on the Portal is coming from AFD thanks
| to the style/format of it.
| soco wrote:
| I'm working on it right now, 45 minutes after the submission.
| Maybe not everywhere? Maybe fixed already?
| ojintoad wrote:
| It's very odd because it's only new page loads. Existing metrics
| pages I've been refreshing keep showing new data.
| tatersolid wrote:
| We see the same thing. One of my team is sailing around in the
| portal, even opening new tabs and it all is just working.
|
| But I can't create a new session, even when remoted into an
| Azure-hosted VM. All our servers and services seem to be
| running fine; it just seems to be the portal.azure.com website
| that is impacted.
| Izikiel43 wrote:
| Probably because the actual portal service call happens at new
| page load. Metric pages and everything else are data
| plane/control plane info most likely, which is coming from
| other services.
|
| An easy way to validate this would be using fidler or similar
| to analyze the traffic that happens in the loaded page.
| mynameisvlad wrote:
| That would be hitting separate API endpoints which are not
| hosted in the same place as the portal itself.
| error9348 wrote:
| Interestingly, https://preview.portal.azure.com/ is up.
___________________________________________________________________
(page generated 2023-06-09 23:02 UTC)