Understand how Microsoft defends from DoS attacks


Denial-of-Service (DoS) refers to a category of network-based attacks in which an attacker exhausts the resources of a victim system (bandwidth, connection tables, CPU, memory) with the goal of preventing legitimate activity. Because identifying and blocking traffic from a single problem source is relatively straightforward, the most threatening form of DoS attack is distributed denial-of-service (DDoS). DDoS attacks use many compromised intermediary systems under the attacker's control to overwhelm the target. The variety and number of attack sources make DDoS attacks harder to detect and block, since no single source address or network stands out.

Three primary factors dictate the effectiveness of a DDoS defense system: absorption, detection, and mitigation. Absorption of the initial DoS attack without loss of availability is necessary to enable enough time for detection and mitigation. Without appropriate absorption capacity, there may not be enough time to respond to a DDoS attack before the system is overwhelmed. For this reason, successful DDoS defense relies on a combination of increased capacity and robust monitoring systems to decrease detection time.

Microsoft uses its uniquely massive scale and global footprint to bolster its absorption capabilities. Our globally distributed network presence allows for the implementation of equal-cost multi-path (ECMP) routing, providing network path redundancy for access to Microsoft 365 services and isolation of DDoS attacks to the region in which they occur. Additionally, services and customer data are replicated between datacenters with the ability to failover if the primary datacenter becomes unavailable. This approach means individual DDoS attacks at a particular edge point do not pose a significant risk to the availability of Microsoft 365 services.

To better handle the risk of multiple simultaneous DDoS attacks, Microsoft has separated its multi-tiered detection system from its globally distributed mitigation components at the network edge. Flow data and performance information from various points on the Microsoft network are used to develop and improve the DDoS correlation and detection systems. Microsoft's principle of implicit deny for network traffic ensures unwanted communication is dropped at the network edge, decreasing service attack surfaces and the burden of analysis.
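The detection side described above works on sampled flow records exported by routers. The following Python is an added example, not Microsoft's detection system: it estimates per-destination packet rates from packet-sampled flow records (sFlow/NetFlow style, one record per sampled packet), learns a per-destination baseline, and raises an alert only when the estimated rate exceeds both an absolute floor and a multiple of the baseline for several consecutive seconds. The sampling rate, thresholds, addresses and the flow records themselves are constructed for the example.

```python
"""Volumetric DDoS detection over sampled router flow records.

Added example, not Microsoft's detection system. Assumes packet-sampled
flow records where one record = one sampled packet and the sampling
rate is known, so packets/s is estimated as sample_count * rate.
"""
import random
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

SAMPLING_RATE = 1000        # 1-in-1000 packet sampling (assumed)
ABS_PPS_FLOOR = 200_000     # never alert below this estimated pps (assumed)
BASELINE_MULTIPLIER = 5.0   # alert only when > 5x the learned baseline
SUSTAIN_SECONDS = 3         # spike must persist for 3 consecutive seconds


@dataclass(frozen=True)
class FlowSample:
    ts: int          # unix second the sample was taken
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    syn_only: bool   # TCP SYN without ACK (SYN-flood indicator)


def estimate_pps(samples):
    """Return {dst: {second: (estimated_pps, syn_only_fraction)}}."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for s in samples:
        c = counts[s.dst][s.ts]
        c[0] += 1
        if s.proto == "tcp" and s.syn_only:
            c[1] += 1
    return {dst: {ts: (n * SAMPLING_RATE, syn / n) for ts, (n, syn) in per_sec.items()}
            for dst, per_sec in counts.items()}


def detect(samples, baseline_seconds):
    """Return [(dst, first_attack_second, est_pps, syn_only_fraction)].

    The first `baseline_seconds` of each destination's series are the
    learning window; the baseline is their median estimated pps.
    """
    alerts = []
    for dst, per_sec in estimate_pps(samples).items():
        seconds = sorted(per_sec)
        first = seconds[0]
        learn = [per_sec[t][0] for t in seconds if t < first + baseline_seconds]
        if not learn:
            continue
        threshold = max(ABS_PPS_FLOOR, BASELINE_MULTIPLIER * median(learn))
        streak, prev = 0, None
        for t in seconds:
            if t < first + baseline_seconds:
                continue
            pps, syn_frac = per_sec[t]
            # A missing second (no samples) breaks the streak, as does a dip.
            streak = streak + 1 if (pps > threshold and prev == t - 1) else (1 if pps > threshold else 0)
            prev = t
            if streak == SUSTAIN_SECONDS:
                alerts.append((dst, t - SUSTAIN_SECONDS + 1, pps, round(syn_frac, 2)))
                break
    return alerts


def build_samples():
    """Constructed data: 10 s of normal traffic to two services, then a
    5 s SYN flood from many spoofed sources against 203.0.113.10."""
    rng = random.Random(7)
    samples = []
    for ts in range(15):
        for dst in ("203.0.113.10", "203.0.113.20"):
            for _ in range(50):     # 50 samples/s ~= 50k pps of normal traffic
                samples.append(FlowSample(ts, f"198.51.100.{rng.randrange(1, 255)}",
                                          dst, "tcp", 443, rng.random() < 0.05))
        if ts >= 10:
            for _ in range(2000):   # 2000 samples/s ~= 2M pps of SYNs
                src = ".".join(str(rng.randrange(1, 224)) if i == 0 else str(rng.randrange(256))
                               for i in range(4))
                samples.append(FlowSample(ts, src, "203.0.113.10", "tcp", 443, True))
    return samples


if __name__ == "__main__":
    for dst, start, pps, syn in detect(build_samples(), baseline_seconds=10):
        print(f"ALERT {dst}: ~{pps:,} pps from t={start}s, SYN-only fraction {syn}")
```

The SYN-only fraction is carried alongside the rate because it tells the mitigation tier which countermeasure to apply (SYN cookies for a SYN flood, rather than a blanket rate limit that would also drop legitimate traffic). Requiring the spike to persist for several seconds keeps a single burst of sampling noise from triggering an automated response.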

DDoS attacks most often target the Network (L3) and Transport (L4) layers of the Open Systems Interconnection (OSI) model, saturating network links and exhausting device resources such as connection tables. Microsoft designed a solution focused on protecting these layers so that attack traffic does not interfere with or damage legitimate customer traffic. Once an attack is detected, it is handled using standard mitigation techniques such as SYN cookies, rate limiting, and connection limits. Traffic sampling data from datacenter routers is ingested and analyzed by Microsoft's monitoring systems, which activate automated defense mechanisms when a DDoS attack on these high-risk layers is detected.
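SYN cookies are the classic answer to a L4 SYN flood: instead of allocating a half-open connection for every SYN, the server encodes what it needs into the SYN-ACK sequence number as a keyed MAC and only allocates state when a valid third packet comes back. The Python below is an added example, not Microsoft's implementation; the cookie layout (5-bit time tick, 3-bit MSS index, 24-bit HMAC), the MSS table, the secret, the addresses and the simulated flood are all assumptions chosen to illustrate the mechanism.

```python
"""SYN cookies: absorbing a SYN flood without per-SYN server state.

Added example, not Microsoft's implementation. The cookie layout is a
simplified version of the classic scheme: bits 31..27 time tick,
bits 26..24 MSS index, bits 23..0 keyed MAC over the 4-tuple, the
client's ISN, the tick and the MSS index. All values are assumptions.
"""
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values encodable in 3 bits (assumed)
COOKIE_MAX_AGE = 2                    # accept cookies up to 2 ticks (~128 s) old


def _mac24(secret, saddr, sport, daddr, dport, client_isn, tick, mss_idx):
    """24-bit HMAC binding the cookie to the connection and the tick."""
    msg = struct.pack("!4sH4sHIBB", ipaddress.ip_address(saddr).packed, sport,
                      ipaddress.ip_address(daddr).packed, dport, client_isn, tick, mss_idx)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]


def make_cookie(secret, saddr, sport, daddr, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK. Nothing is stored for this SYN."""
    tick = (now >> 6) & 0x1F                      # 64-second granularity
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = int.from_bytes(_mac24(secret, saddr, sport, daddr, dport, client_isn, tick, mss_idx), "big")
    return ((tick << 27) | (mss_idx << 24) | mac) & 0xFFFFFFFF


def check_cookie(secret, saddr, sport, daddr, dport, client_isn, ack, now):
    """Validate the third packet's ACK. Returns negotiated MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    tick, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    if (((now >> 6) & 0x1F) - tick) & 0x1F > COOKIE_MAX_AGE:
        return None                                # stale or forged tick
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac24(secret, saddr, sport, daddr, dport, client_isn, tick, mss_idx)
    if not hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), expected):
        return None                                # MAC mismatch: not our cookie
    return MSS_TABLE[mss_idx]


class StatelessListener:
    """Server side of the handshake: state exists only after a valid ACK."""

    def __init__(self, secret, addr, port):
        self.secret, self.addr, self.port = secret, addr, port
        self.established = {}   # (saddr, sport) -> negotiated MSS
        self.half_open = 0      # never incremented: no per-SYN allocation

    def on_syn(self, saddr, sport, client_isn, mss, now):
        return make_cookie(self.secret, saddr, sport, self.addr, self.port, client_isn, mss, now)

    def on_ack(self, saddr, sport, seq, ack, now):
        # In the third packet seq == client_isn + 1, so recover the ISN.
        mss = check_cookie(self.secret, saddr, sport, self.addr, self.port,
                           (seq - 1) & 0xFFFFFFFF, ack, now)
        if mss is not None:
            self.established[(saddr, sport)] = mss
        return mss


def simulate(secret=b"rotate-this-secret-regularly", n_spoofed=20_000):
    """Constructed scenario: a spoofed SYN flood, one honest client,
    a forged third packet, and a replay of a valid cookie far too late."""
    srv = StatelessListener(secret, "203.0.113.10", 443)
    now = 1_700_000_000
    for i in range(n_spoofed):            # sources that never answer the SYN-ACK
        srv.on_syn(f"198.51.{(i >> 8) & 255}.{i & 255}", 1024 + i % 60000, i * 7919, 1460, now)
    client_isn = 0x12345678
    synack_seq = srv.on_syn("192.0.2.7", 40000, client_isn, 1440, now)
    legit = srv.on_ack("192.0.2.7", 40000, client_isn + 1, synack_seq + 1, now + 10)
    forged = srv.on_ack("192.0.2.99", 40001, 1, 0xDEADBEEF, now + 10)
    stale = srv.on_ack("192.0.2.7", 40000, client_isn + 1, synack_seq + 1, now + 600)
    return {"half_open": srv.half_open, "established": len(srv.established),
            "legit_mss": legit, "forged": forged, "stale": stale}


if __name__ == "__main__":
    print(simulate())
```

Two caveats a practitioner should keep in mind: the secret must be rotated (production kernels keep two and accept either during the overlap), and a bare cookie cannot carry every TCP option the original SYN requested, which is why Linux only falls back to cookies once the backlog is under pressure and encodes some options in the TCP timestamp.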

As part of a multi-tiered approach to DDoS defense, applications such as Exchange Online and SharePoint Online can throttle users based on the resources they consume. A common example is throttling a user or service that performs too many actions in a short amount of time. Because this throttling is applied per user or per service rather than to traffic as a whole, one abusive principal is slowed down without affecting other tenants, which provides an additional layer of defense against application-layer DoS.
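Per-user throttling of the kind described above is usually a token bucket charged by the cost of each request rather than by request count, so a few expensive operations are limited as effectively as many cheap ones. The Python below is an added example, not Exchange Online's or SharePoint Online's throttling logic; the action costs, bucket capacity, refill rate and the principals in the scenario are assumptions.

```python
"""Per-principal, cost-based throttling with a token bucket.

Added example, not Microsoft's throttling implementation. Action costs,
capacity and refill rate are assumed values for illustration.
"""

COSTS = {"read": 1, "search": 5, "bulk_export": 50}   # relative resource cost (assumed)


class Throttler:
    def __init__(self, capacity=100.0, refill_per_sec=10.0):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.buckets = {}   # principal -> (tokens, last_update_time)

    def check(self, principal, action, now):
        """Return (allowed, retry_after_seconds) and charge the bucket if allowed."""
        cost = COSTS[action]
        if cost > self.capacity:
            raise ValueError(f"{action} can never fit in a bucket of {self.capacity}")
        tokens, last = self.buckets.get(principal, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)   # lazy refill
        if tokens >= cost:
            self.buckets[principal] = (tokens - cost, now)
            return True, 0.0
        self.buckets[principal] = (tokens, now)
        return False, (cost - tokens) / self.refill       # what a Retry-After header would carry


def run_scenario():
    """Constructed scenario: alice bursts cheap reads, bob fires expensive
    exports; bob is throttled, alice is not, and bob recovers after waiting."""
    th = Throttler(capacity=100.0, refill_per_sec=10.0)
    alice_burst = sum(th.check("alice", "read", 0.0)[0] for _ in range(30))
    bob = [th.check("bob", "bulk_export", 0.0) for _ in range(3)]
    retry_after = bob[2][1]
    return {
        "alice_burst_allowed": alice_burst,
        "bob_first_two": bob[0][0] and bob[1][0],
        "bob_third": bob[2][0],
        "retry_after": retry_after,
        "bob_after_wait": th.check("bob", "bulk_export", retry_after)[0],
        "alice_unaffected": th.check("alice", "search", 0.0)[0],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The throttler keys its state on the principal, so the decision for one user depends only on that user's own recent consumption; returning the retry delay lets a well-behaved client back off instead of retrying immediately and making the overload worse.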
