Content delivery network provider Cloudflare Inc. revealed today that it has detected and mitigated a 26 million-request-per-second distributed denial-of-service attack, the largest such attack on record over HTTPS, a secure way to send data between a web server and a browser.
The strike, which took place last week, targeted a customer website using Cloudflare’s free plan. It originated from cloud service providers rather than residential internet service providers, indicating the use of hijacked virtual machines and servers to generate the attack, as opposed to “internet of things” devices.
The DDoS used a “small but powerful” botnet of 5,067 devices, with each node generating about 5,200 requests per second at the attack’s peak. Omer Yoachimik, product manager at Cloudflare, notes that by contrast, the company has been tracking a much larger but less powerful botnet of more than 730,000 devices that can generate no more than 1 million requests per second, or 1.3 requests per second per device. “Putting it plainly, this botnet was, on average, 4,000 times stronger due to its use of virtual machines and servers,” Yoachimik wrote.
The attack was also notable for running over HTTPS. Although HTTPS attacks are not without precedent, they are somewhat rarer because of the expense involved. An HTTPS DDoS attack requires establishing a secure TLS-encrypted connection, which makes the attack more costly for the attacker to launch and for the victim to mitigate.
Although this was a record HTTPS DDoS attack, there have been much larger traditional DDoS attacks, including an attack peaking at 809 million packets per second in 2020.
The botnet attack generated more than 212 million HTTPS requests from more than 1,500 networks in 121 countries. The top countries were Indonesia, the U.S., Brazil and Russia. Some 3% of the attacks came via Tor nodes that are used to conceal a user’s location from a destination such as a website or web server.
Yoachimik said that it’s important to understand the attack landscape when thinking about DDoS protection, noting that even small attacks can severely hurt unprotected internet properties.
“On the other hand, large attacks are growing in size and frequency — but remain short and rapid — and attackers concentrate their botnet’s power to try and wreak havoc with a single quick knockout blow, trying to avoid detection,” he added. “It is recommended to protect your internet properties with an automated always-on protection service that does not rely on humans to detect and mitigate attacks.”