Content delivery network provider Cloudflare Inc. has detected and mitigated a 26 million request-per-second distributed denial-of-service attack, the largest HTTPS DDoS attack on record.
The attack took place last week and targeted a customer website using Cloudflare’s free plan. The attack originated from cloud service providers rather than residential internet service providers. This indicates that hijacked virtual machines and servers, as opposed to Internet of Things devices, were used to generate the attack.
The DDoS used a “small but powerful” botnet of 5,067 devices, with each node generating approximately 5,200 requests per second at the attack’s peak. Omer Yoachimik, product manager at Cloudflare, notes that by contrast, the company has been tracking a much larger but less powerful botnet of over 730,000 devices that can generate no more than one million requests per second, or 1.3 requests per second per device. “Putting it plainly, this botnet was, on average, 4,000 times stronger due to its use of virtual machines and servers,” Yoachimik writes.
The attack was also carried out over HTTPS. While HTTPS attacks are not without precedent, they are somewhat rarer due to the expense involved. An HTTPS DDoS attack requires establishing a secure TLS-encrypted connection, which costs the attacker more to launch the attack and the victim more to mitigate it.
While this was a record HTTPS DDoS attack, there have been much larger traditional DDoS attacks, including an attack peaking at 809 million packets per second in 2020.
The botnet attack generated more than 212 million HTTPS requests from over 1,500 networks in 121 countries. The top countries were Indonesia, the U.S., Brazil and Russia. 3% of the attack came via Tor nodes.
Yoachimik said that it’s “important to understand the attack landscape when thinking about DDoS protection,” noting that “even small attacks can severely impact unprotected internet properties.”
“On the other hand, large attacks are growing in size and frequency — but remain short and rapid… attackers concentrate their botnet’s power to try and wreak havoc with a single quick knockout blow — trying to avoid detection.”
“It is recommended to protect your internet properties with an automated always-on protection service that does not rely on humans to detect and mitigate attacks,” Yoachimik concluded.