Microsoft Azure successfully defended against a 15.3 terabits per second (Tbps) distributed denial-of-service (DDoS) attack, an event described as the largest volumetric DDoS attack reported in history. The attack targeted an unnamed Azure customer located in Asia.
The assault lasted for more than 15 minutes and was characterized by short-lived bursts of traffic. This event highlights the increasing power and sophistication of large-scale botnets composed of compromised Internet of Things (IoT) devices.
Anatomy of the 15 Tbps Attack
The record-setting attack was orchestrated by a botnet comprising approximately 10,000 compromised IoT devices. These devices were distributed globally, with significant numbers located in Taiwan, Vietnam, Russia, China, and the United States. The attackers employed a UDP reflection attack technique, a common method used to amplify the volume of traffic directed at a target.
Specifically, the botnet leveraged the Connectionless Lightweight Directory Access Protocol (CLDAP) to generate the massive flood of traffic. Microsoft’s Azure DDoS Protection platform was able to absorb the attack, which never impacted the availability of the targeted customer’s services.
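Since reflected CLDAP traffic has a recognizable shape on the victim's side (many distinct sources, all with UDP source port 389, sending large packets at a high aggregate rate), a defender can flag it from flow records. The following detection sketch is an added example, not part of the article and not Microsoft's or Azure DDoS Protection's code; it assumes a simplified NetFlow-style CSV record format and uses constructed sample flows, with the alert thresholds chosen for illustration rather than taken from any product.

```python
"""Flow-based detection of CLDAP (UDP/389) reflection floods.

Added example; not from the article or from Microsoft. It assumes a
simplified flow record format (src_ip,src_port,dst_ip,dst_port,proto,bytes,packets)
and the sample records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# CLDAP answers come from UDP/389, so a reflected flood arrives with that source port.
CLDAP_PORT = 389


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed CSV record: src_ip,src_port,dst_ip,dst_port,proto,bytes,packets."""
    src_ip, src_port, dst_ip, dst_port, proto, nbytes, packets = line.strip().split(",")
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port), proto.upper(),
                int(nbytes), int(packets))


def detect_cldap_reflection(lines, min_reflectors=3, min_avg_pkt_bytes=600,
                            min_total_bytes=100_000):
    """Return {victim_ip: summary} for destinations receiving CLDAP-reflection-shaped traffic.

    Three signals are combined: traffic sourced from UDP/389, many distinct
    reflectors, and large average packet size (amplified responses are far
    bigger than the queries that triggered them). Thresholds are illustrative.
    """
    per_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and the header comment
        f = parse_flow(line)
        if f.proto != "UDP" or f.src_port != CLDAP_PORT:
            continue  # ordinary TCP LDAP or unrelated UDP is ignored
        agg = per_dst[f.dst_ip]
        agg["reflectors"].add(f.src_ip)
        agg["bytes"] += f.nbytes
        agg["packets"] += f.packets

    alerts = {}
    for dst, agg in per_dst.items():
        avg_pkt = agg["bytes"] / agg["packets"] if agg["packets"] else 0
        if (len(agg["reflectors"]) >= min_reflectors
                and avg_pkt >= min_avg_pkt_bytes
                and agg["bytes"] >= min_total_bytes):
            alerts[dst] = {
                "reflectors": len(agg["reflectors"]),
                "bytes": agg["bytes"],
                "avg_pkt_bytes": round(avg_pkt),
            }
    return alerts


# Constructed sample flows (RFC 5737 documentation addresses). The first four
# records model four reflectors hammering one victim with ~1400-byte responses;
# the fifth is a single small, legitimate CLDAP reply; the sixth is TCP LDAP.
SAMPLE_FLOWS = """\
# src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
198.51.100.1,389,203.0.113.10,40213,UDP,1400000,1000
198.51.100.2,389,203.0.113.10,40213,UDP,1300000,950
198.51.100.3,389,203.0.113.10,8871,UDP,1450000,1020
198.51.100.4,389,203.0.113.10,8871,UDP,1420000,1010
192.0.2.5,389,203.0.113.20,51001,UDP,420,2
192.0.2.6,50123,203.0.113.30,389,TCP,8000,40
"""


def run_sample():
    """Run the detector over the constructed flows; only 203.0.113.10 should be flagged."""
    return detect_cldap_reflection(SAMPLE_FLOWS.splitlines())


if __name__ == "__main__":
    for victim, summary in run_sample().items():
        print(f"CLDAP reflection suspected against {victim}: {summary}")
```

The distinct-reflector count is what separates reflection from a single chatty directory server, and the average packet size is what separates amplified responses from normal CLDAP ping replies; in production these aggregates would be computed per time window so that the short-lived bursts the article describes are not averaged away.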
The ‘Knotify’ Botnet Emerges
The botnet responsible for this incident is referred to by Microsoft as “Knotify.” First observed in the summer of 2021, Knotify has been linked to several other massive DDoS attacks. These include a 2.4 Tbps attack against a European Azure customer in August 2021 and another significant 3.47 Tbps attack in November 2021.
Microsoft’s successful mitigation of the 15.3 Tbps attack was attributed to its distributed DDoS detection and mitigation pipeline, which has an absorption capacity of over 100 Tbps. The incident underscores the growing trend of large-scale attacks and the critical role of robust defense platforms in maintaining service availability.