Cloudflare thwarted the biggest volumetric distributed denial-of-service (DDoS) attempt to date over the weekend. The business said that during the weekend, it discovered and stopped many hyper-volumetric DDoS attacks directed at its clients.
“The majority of attacks peaked in the ballpark of 50-70 million requests per second (rps) with the largest exceeding 71 million rps,” Cloudflare’s Julien Desgats, Alex Forster, and Omer Yoachimik said. “This is the largest reported HTTP DDoS attack on record, more than 35% higher than the previous reported record of 46M rps in June 2022.”
Over 30,000 IP addresses from various cloud providers were used to conduct the cyberattacks against a variety of targets, including gaming companies, cloud computing platforms, cryptocurrency businesses, and hosting providers. DDoS attacks are becoming more potent and frequent, and Cloudflare’s new DDoS threat report portrays a bleak picture:
- HTTP DDoS attacks grew 79% year-over-year
- the number of volumetric attacks over 100 Gbps increased by 67% from one quarter to the next
- there were 87% more attacks lasting longer than three hours
Tish news follows Google’s declaration in August 2022 that it had successfully stopped a record DDoS assault against a Google Cloud Armor client that had reached 46 million RPS via the HTTPS protocol. That was an increase of over 80% above the previous record, a 26 million RPS HTTPS DDoS that Cloudflare handled in June. Since 2021, when some botnets started using potent devices to strike targets with millions of requests per second, volumetric DDoS attacks have gradually increased in magnitude.
For example, the Mris botnet attacked Yandex in September 2021 with a 21.8 million RPS attack, while it previously targeted a Cloudflare client with a 17.2 million RPS attack. The FBI indicted six people for their role in hosting “Booter” or “Stresser” platforms that anybody may use to commit DDoS attacks in response to this constant stream of strikes. The action was part of Operation PowerOFF, a more extensive, coordinated global law enforcement operation targeting DDoS-for-hire services.
The FBI is collaborating with the UK’s National Crime Agency and the Netherlands Police to display adverts in search engines to persons looking for DDoS services in addition to seizing the domains of such platforms and (where possible) taking over their infrastructure. For example, when someone searches for “booter service,” Google might display a message like this “Looking for DDoS tools? Booting is illegal.”
