Microsoft has disclosed that its Azure cloud platform successfully mitigated a distributed denial-of-service (DDoS) attack with a peak traffic volume of 15.72 terabits per second (Tbps), a significant escalation in the scale of such incidents [1]. The attack, attributed to the Aisuru botnet, was launched from a massive pool of over 500,000 unique IP addresses, marking a substantial increase in the distributed nature of the assault compared to previous records. This event is the latest in a multi-year trend of increasingly powerful and complex DDoS campaigns targeting major cloud providers, forcing a continuous evolution in defensive strategies that now must account for not just raw bandwidth floods but also sophisticated application-layer attacks and the operational complexities of automated mitigation systems.
The Evolution of DDoS Scale: From 2.4 Tbps to 15.72 Tbps
The recently mitigated 15.72 Tbps attack represents a more than fivefold increase from the 2.4 Tbps attack Azure faced in August 2021, which itself was a record at the time [9]. That earlier attack originated from approximately 70,000 sources, primarily in the Asia-Pacific region and the United States. The November 2021 record of a 3.47 Tbps attack against an Azure customer in Asia, which also featured a packet rate of 340 million packets per second (pps), further illustrates the trend of growing volumetric scale [1]. Microsoft’s defense against these massive floods relies on its Azure DDoS Protection platform, a globally scaled, automated system designed to absorb and scrub attack traffic. A key tactic in its distributed mitigation strategy involves neutralizing attack traffic “at the source countries” before it can converge on the target’s region, a method that proved effective during the 2021 incidents [9]. The jump to over 500,000 source IPs in the latest attack indicates botnet operators are amassing larger, more diffuse networks of compromised devices, increasing the challenge of filtering malicious traffic without impacting legitimate users.
The Pivot to Stealthy Application-Layer Assaults
While volumetric attacks capture headlines, a significant shift occurred in 2023 as threat actors began favoring more sophisticated, harder-to-detect application-layer (Layer 7) attacks. Microsoft began tracking such DDoS activity by a threat actor it designates as Storm-1359 [5]. Unlike volumetric attacks that aim to consume bandwidth, these Layer 7 assaults target application resources directly. Techniques include HTTP(S) floods that generate high volumes of seemingly legitimate application requests, cache bypass attacks that force resource-intensive requests to origin servers, and Slowloris attacks that slowly tie up and exhaust server connections. The rise of novel methods like the “HTTP/2 Rapid Reset” exploit, which abuses the HTTP/2 protocol to overwhelm servers by rapidly canceling requests, demonstrates that attackers are continuously finding new ways to bypass traditional, threshold-based DDoS protections [8]. These Layer 7 attacks are often more effective and require fewer resources from the attacker’s perspective, making them an attractive alternative to brute-force methods.
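A defender-side illustration of the detection logic the Layer 7 techniques above call for, added here as an example and not taken from Microsoft or from any source the page cites: it parses constructed access-log lines, flags per-client request rates characteristic of an HTTP(S) flood, flags clients that defeat the cache with ever-changing query strings on static paths, and, for HTTP/2 Rapid Reset, flags connections that cancel almost every stream they open. The log lines, client addresses, per-connection HTTP/2 counters and thresholds are all constructed; the counters are assumed to be exported by the server's HTTP/2 layer.

```python
"""Application-layer (Layer 7) abuse detection over web server telemetry.

Added example, not Microsoft's or the page's sources' code. Log lines, client
addresses, HTTP/2 connection counters and thresholds are all constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+)'
)


def parse_line(line):
    """Common-log-format line -> dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "method": m.group("method"), "path": path, "query": query,
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}


def flood_offenders(entries, window=timedelta(seconds=10), limit=100):
    """HTTP(S) flood: clients exceeding `limit` requests inside any `window`."""
    recent, offenders = defaultdict(deque), set()
    for e in sorted(entries, key=lambda e: e["ts"]):
        q = recent[e["ip"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:          # slide the window forward
            q.popleft()
        if len(q) > limit:
            offenders.add(e["ip"])
    return offenders


def cache_bypass_offenders(entries, cacheable=("/static/",), min_requests=20, distinct_ratio=0.9):
    """Cache bypass: clients whose GETs for cacheable paths almost never repeat a
    query string, so every request is forced through to the origin."""
    seen = defaultdict(list)
    for e in entries:
        if e["method"] == "GET" and e["path"].startswith(cacheable):
            seen[e["ip"]].append((e["path"], e["query"]))
    return {ip for ip, reqs in seen.items()
            if len(reqs) >= min_requests
            and any(query for _, query in reqs)
            and len(set(reqs)) / len(reqs) >= distinct_ratio}


def rapid_reset_suspects(conn_stats, min_streams=100, reset_ratio=0.8):
    """HTTP/2 Rapid Reset: connections that open many streams and cancel nearly
    all of them. conn_stats maps connection id -> (streams_opened, rst_stream_received);
    the counters are assumed to be exported by the server's HTTP/2 layer."""
    return {cid for cid, (opened, rst) in conn_stats.items()
            if opened >= min_streams and rst / opened >= reset_ratio}


# Constructed per-connection counters for one sampling interval.
CONSTRUCTED_H2_CONNECTIONS = {"conn-1": (1000, 990), "conn-2": (120, 5), "conn-3": (20, 20)}


def constructed_log():
    """Constructed access log: one flooding client, one cache-bypassing client, five normal ones."""
    base = datetime(2025, 11, 10, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, t, target):
        return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {target} HTTP/2.0" 200 512'

    lines = [line("203.0.113.10", base + timedelta(milliseconds=33 * i), "/api/search?q=x")
             for i in range(300)]                                   # 300 requests in ~10 s
    lines += [line("203.0.113.20", base + timedelta(seconds=i), f"/static/app.js?v={i * 7919}")
              for i in range(40)]                                   # same asset, fresh query each time
    for n in range(1, 6):
        lines += [line(f"192.0.2.{n}", base + timedelta(seconds=2 * i),
                       "/static/app.js" if i % 2 else "/api/search?q=shoes") for i in range(5)]
    return lines


if __name__ == "__main__":
    entries = [e for e in map(parse_line, constructed_log()) if e]
    print("flood:", flood_offenders(entries))
    print("cache bypass:", cache_bypass_offenders(entries))
    print("rapid reset:", rapid_reset_suspects(CONSTRUCTED_H2_CONNECTIONS))
```

Slowloris, the remaining technique named above, does not appear in an access log at all, since the log records only completed requests; detecting it needs connection-level telemetry (how long a connection has waited without sending complete headers), fed in the same way the HTTP/2 counters are here.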
Operational Impact and Mitigation Complexity
A critical lesson from a July 2024 Azure outage is that even successfully mitigated DDoS attacks can cause significant service disruption. An attack that month resulted in an eight-hour outage affecting the Azure portal, Microsoft 365, and Purview services [4]. An important finding from the incident was that Microsoft’s own automated response to the DDoS attack may have compounded the impact, highlighting the immense challenge of tuning mitigation systems within a hyperscale cloud environment [4]. This underscores a mature threat landscape where the success of an attack is not solely measured by its ability to bypass technical defenses, but also by its capacity to trigger defensive mechanisms that inadvertently cause service degradation. For cloud customers, this means resilience depends on the provider’s ability to manage the complex interplay between automated security systems and the availability of interconnected services.
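To make two of the preceding points concrete, the per-source and per-region view behind "neutralizing attack traffic at the source" from the 2021 incidents, and the July 2024 lesson that the automated response itself can become the outage, here is an added example that is not Azure DDoS Protection's code and is not drawn from any source on the page. It summarises a constructed one-second flow window, marks sources above a per-client rate ceiling, and then, per source region, chooses between a coarse region-level scrub and a narrower per-source filter depending on how much legitimate traffic the coarse action would also drop. The flows, region tags, thresholds, link capacity and allow-list are all constructed.

```python
"""Volumetric DDoS triage with a collateral guard on the automated response.

Added example, not Microsoft's or Azure DDoS Protection's code. Flow samples,
region tags, thresholds and the allow-list are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    region: str      # constructed tag standing in for a geo/ASN lookup at the edge
    bps: int         # bits per second seen from this source toward the target


SUSPECT_BPS = 20_000_000          # constructed: no single client should exceed 20 Mbit/s
LINK_BPS = 10_000_000_000         # constructed: target sits behind a 10 Gbit/s link
COLLATERAL_BUDGET = 0.05          # an action may drop at most 5% of legitimate traffic
KNOWN_GOOD = {"192.0.2.250"}      # constructed allow-list (partner / monitoring host)


def constructed_window():
    """One sampling window: a diffuse flood from two regions plus normal traffic."""
    flows = [Flow(f"203.0.113.{i}", "apac", 40_000_000) for i in range(1, 201)]   # 200 bots
    flows += [Flow(f"198.51.100.{i}", "na", 40_000_000) for i in range(1, 151)]    # 150 bots
    flows += [Flow(f"192.0.2.{i}", "eu", 2_000_000) for i in range(1, 21)]         # 20 clients
    flows.append(Flow("192.0.2.250", "apac", 5_000_000))   # allow-listed host in apac
    return flows


def summarize(flows):
    """Total load, source diversity and per-region share for the window."""
    per_region = defaultdict(int)
    for f in flows:
        per_region[f.region] += f.bps
    total = sum(per_region.values())
    return {
        "total_bps": total,
        "unique_sources": len({f.src_ip for f in flows}),
        "per_region_bps": dict(per_region),
        "saturating": total > LINK_BPS,
    }


def suspect_sources(flows):
    """Sources above the per-client ceiling. Allow-listed hosts are never
    auto-blocked; a human reviews them if they ever trip the ceiling."""
    return {f.src_ip for f in flows if f.bps > SUSPECT_BPS and f.src_ip not in KNOWN_GOOD}


def plan_mitigation(flows):
    """Per region, pick the coarse region-level scrub only when the legitimate
    traffic it would also drop stays within COLLATERAL_BUDGET; otherwise fall
    back to the narrower per-source filter so the response is not the outage."""
    suspects = suspect_sources(flows)
    legit_total = sum(f.bps for f in flows if f.src_ip not in suspects) or 1
    by_region = defaultdict(list)
    for f in flows:
        by_region[f.region].append(f)
    actions = []
    for region, region_flows in sorted(by_region.items()):
        attack_bps = sum(f.bps for f in region_flows if f.src_ip in suspects)
        if attack_bps == 0:
            continue                       # nothing to mitigate in this region
        legit_hit = sum(f.bps for f in region_flows if f.src_ip not in suspects)
        if legit_hit / legit_total <= COLLATERAL_BUDGET:
            actions.append(("scrub_region", region, attack_bps))
        else:
            n_sources = sum(1 for f in region_flows if f.src_ip in suspects)
            actions.append(("filter_sources", region, n_sources))
    return actions


def projected_load(flows, actions):
    """Traffic that would still reach the link once the plan is applied."""
    suspects = suspect_sources(flows)
    scrubbed = {region for kind, region, _ in actions if kind == "scrub_region"}
    filtered = {region for kind, region, _ in actions if kind == "filter_sources"}
    remaining = 0
    for f in flows:
        if f.region in scrubbed or (f.region in filtered and f.src_ip in suspects):
            continue
        remaining += f.bps
    return remaining


if __name__ == "__main__":
    window = constructed_window()
    print(summarize(window))
    plan = plan_mitigation(window)
    print(plan, "residual bps:", projected_load(window, plan))
```

In the constructed window the "na" region carries no legitimate traffic, so a region-level scrub there is within budget, while "apac" hosts an allow-listed partner whose share of legitimate traffic exceeds the budget, so that region gets a per-source filter instead; the projected residual load is then checked against link capacity before the plan is considered adequate. Real edge scrubbing works on sampled flow telemetry with far more signals than a single rate, but the guard on collateral damage is the part this passage calls for.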
The Foundational Role of Security Hygiene and Supply Chain Integrity
The effectiveness of specialized DDoS protections is maximized when deployed on a foundation of robust security fundamentals. According to the Microsoft Digital Defense Report 2023, basic security hygiene, such as enforcing multifactor authentication (MFA), can prevent 99% of attacks, with MFA alone reducing compromise risk by 99.2% [7]. Furthermore, the security of cloud platforms is intrinsically linked to the integrity of their software supply chains. Microsoft’s own products rely on over 83,000 unique open-source packages, used more than 13 million times [7]. The company advocates for the use of Software Bills of Materials (SBOM) to provide transparency and enable rapid response to vulnerabilities in dependencies, a practice that becomes critical during widespread events like the Log4j disclosure. This context reinforces that while advanced DDoS mitigation is essential, it is part of a broader security posture that must include Zero Trust principles and secure software consumption practices.
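As an added example of the SBOM practice the paragraph describes (not Microsoft's tooling and not taken from the report), the following checks a constructed CycloneDX-style SBOM against a constructed advisory feed and traces the dependency path through which an affected library enters the application, which is exactly the question a responder needs answered quickly during an event like the Log4j disclosure. The advisory ids are placeholders and the version ranges are illustrative; only the Maven coordinates of log4j-core and log4j-api and the PyPI name of requests are real package names.

```python
"""Check a CycloneDX SBOM against an advisory feed and trace the dependency path.

Added example, not Microsoft's tooling. The SBOM, the advisory entries
(placeholder ids, illustrative ranges) and the dependency graph are constructed.
"""
import json
import re

SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"bom-ref": "app", "type": "application", "name": "billing-service", "version": "1.4.0"},
    {"bom-ref": "shim", "type": "library", "name": "logging-shim", "version": "0.9.2",
     "purl": "pkg:maven/com.example/logging-shim@0.9.2"},
    {"bom-ref": "l4j-core", "type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"bom-ref": "l4j-api", "type": "library", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"bom-ref": "req", "type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["shim", "req"]},
    {"ref": "shim", "dependsOn": ["l4j-core"]},
    {"ref": "l4j-core", "dependsOn": ["l4j-api"]}
  ]
}"""

# Constructed advisory feed: placeholder ids, illustrative inclusive version ranges.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "affected": ("2.0", "2.14.1"), "fixed_in": "2.15.0"},
    {"id": "ADV-PLACEHOLDER-0002",
     "package": "pkg:pypi/requests",
     "affected": ("2.0.0", "2.30.0"), "fixed_in": "2.31.0"},
]


def load_sbom(text=SBOM_JSON):
    return json.loads(text)


def version_key(version):
    """Numeric dotted-version ordering, adequate for the release versions in this
    constructed feed. Real tooling must apply the ecosystem's own rules
    (pre-release tags, epochs, Maven qualifiers) instead."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def split_purl(purl):
    """'pkg:type/ns/name@ver' -> ('pkg:type/ns/name', 'ver')."""
    base, _, version = purl.partition("@")
    return base, version


def find_affected(sbom, advisories):
    """(bom-ref, purl, advisory id, fixed_in) for every component whose package
    and version fall inside an advisory's inclusive affected range."""
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        base, version = split_purl(purl)
        for adv in advisories:
            lo, hi = adv["affected"]
            if base == adv["package"] and version_key(lo) <= version_key(version) <= version_key(hi):
                hits.append((comp["bom-ref"], purl, adv["id"], adv["fixed_in"]))
    return hits


def dependency_paths(sbom, target_ref):
    """Every path from a root component (nothing depends on it) down to target_ref,
    so responders see which first-party component pulls the affected library in."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depended_on = {child for children in edges.values() for child in children}
    roots = [ref for ref in edges if ref not in depended_on]
    paths = []

    def walk(ref, trail):
        if ref == target_ref:
            paths.append(trail)
            return
        for child in edges.get(ref, []):
            if child not in trail:            # tolerate cycles in a malformed SBOM
                walk(child, trail + [child])

    for root in roots:
        walk(root, [root])
    return paths


if __name__ == "__main__":
    sbom = load_sbom()
    for ref, purl, adv_id, fixed in find_affected(sbom, ADVISORIES):
        print(f"{purl}: {adv_id}, fixed in {fixed}")
        for path in dependency_paths(sbom, ref):
            print("   via " + " -> ".join(path))
```

The value of the SBOM here is the second function: the affected library is not a direct dependency of the application but arrives through an intermediate package, and without the recorded dependency graph that is the step responders spend the most time on.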
AI as a Force Multiplier in Cyber Defense
To counter the scale and speed of modern threats, Microsoft and other security vendors are increasingly turning to Artificial Intelligence (AI). AI is being deployed to automate and augment threat intelligence, incident response, and security monitoring. Tools like Microsoft Security Copilot act as an AI-powered assistant to human analysts, suggesting analyses and potential mitigations to accelerate response times [7]. This is particularly relevant given the global cybersecurity talent gap, which is projected to leave 3.5 million jobs unfilled. AI serves as a necessary force multiplier, enabling existing security teams to operate more effectively. However, this new frontier also introduces novel attack vectors, such as prompt injection attacks against AI-powered applications, requiring a new discipline of red teaming AI systems to identify and remediate security flaws before deployment [7].
The 15.72 Tbps DDoS attack against Azure is a stark reminder of the persistent and evolving threat facing cloud infrastructure. The defensive landscape has progressed from a primary focus on absorbing massive volumetric floods to a layered model that must also defend against stealthy application-layer attacks and manage the operational risks of automated mitigation. This requires a combination of specialized services like Azure DDoS Protection and Web Application Firewall, built upon a foundation of strong security hygiene and a secure software supply chain. As AI becomes integrated into both offensive and defensive operations, the industry must continue to adapt its strategies, tools, and skills to maintain resilience in an increasingly complex threat environment.
References
- [1] “Azure DDoS Protection—2021 Q3 and Q4 DDoS Attack Trends,” Microsoft Azure Blog, Jan. 25, 2022.
- [2] “Microsoft says massive Azure outage was caused by DDoS attack,” Reddit, Aug. 4, 2024.
- [4] “Microsoft confirms Azure, 365 outage linked to DDoS attack,” Cybersecurity Dive, Jul. 31, 2024.
- [5] “Microsoft Response to Layer 7 Distributed Denial of Service (DDoS) Attacks,” Microsoft Security Response Center, Jun. 16, 2023.
- [7] “Microsoft Digital Defense Report 2023,” Microsoft, Oct. 3, 2023.
- [8] “Five Most Famous DDoS Attacks,” A10 Networks, Updated Aug. 2025.
- [9] “Business as usual for Azure customers despite 2.4 Tbps DDoS attack,” Microsoft Azure Blog, Oct. 11, 2021.