Cloudflare, a provider of the internet infrastructure, said today that it successfully repelled a 26 million request per second distributed denial-of-service (DDoS) attack, the greatest HTTPS DDoS attack to date. Last week, a record-breaking attack was launched against one of Cloudflare’s Free plan clients.
Because the attack came from Cloud Service Providers rather than weaker Internet of Things (IoT) devices from hacked Residential Internet Service Providers, the threat actor behind it most likely exploited hijacked servers and virtual machines. According to Cloudflare, the perpetrator also employed a small but strong botnet of 5,067 devices, each capable of generating about 5,200 rps at peak.
“To contrast the size of this botnet, we’ve been tracking another much larger but less powerful botnet of over 730,000 devices,” Cloudflare’s Product Manager Omer Yoachimik revealed. “The latter, larger botnet wasn’t able to generate more than one million requests per second, i.e., roughly 1.3 requests per second on average per device. Putting it plainly, this botnet was, on average, 4,000 times stronger due to its use of virtual machines and servers.”
This incident is one of the numerous large-scale volumetric attacks discovered by Cloudflare in recent years, including a short-lived HTTP DDoS attack in August 2021 that reached 17.2 million requests per second (rps). In April 2022, the business also halted a 15.3 million rps attack that deployed 6,000 bots to target a Cloudflare customer running a crypto launchpad. The June and April attacks were both volumetric attacks that employed massive garbage requests to deplete the targeted server’s resources (CPU and RAM), and they were both conducted via HTTPS.
According to Yoachimik, HTTPS DDoS attacks are more expensive in terms of necessary computing resources because of the increased cost of establishing a secure TLS encrypted connection. As a result, the attacker pays more to launch the attack, and the victim pays more to mitigate it. They’ve seen large-scale attacks over (unencrypted) HTTP before, but this one stands out because of the resources it took.
In 30 seconds, the botnet employed in this month’s record-breaking 26 million rps DDoS attack generated more than 212 million HTTPS requests from over 1,500 networks in 121 countries around the world. Microsoft also revealed that it stopped another big and record-breaking 3.47 terabits per second (Tbps) DDoS assault in November, which inundated servers used by an Azure client in Asia with fraudulent packets.
