Last week, Cloudflare thwarted the largest HTTPS DDoS attack ever recorded. The attack amassed 26 million HTTPS requests per second, breaking the previous record of 15.3 million requests for that protocol set earlier this year in April.
The attack targeted an unnamed Cloudflare customer and mainly originated from cloud service providers instead of local internet services vendors, which explains its size and indicates that hijacked virtual devices and powerful servers were exploited during the assault, Cloudflare Product Manager Omer Yoachimik disclosed in a blog post.
To deliver the malicious traffic, nearly 5,000 devices were employed with each endpoint generating roughly 5,200 RPS at peak. This demonstrates the true nature of virtual machines and servers when used for DDoS attacks, as other larger botnets aren’t capable of impersonating a fraction of this power.
For example, a botnet of 730,000 devices was spotted generating nearly 1 million RPS, which makes the botnet behind the 26 million RPS DDoS attack 4,000 times stronger.
"To contrast the size of this botnet, we've been tracking another much larger but less powerful botnet of over 730,000 devices," stated Omer Yoachimik. "The latter, larger botnet wasn't able to generate more than one million requests per second, i.e., roughly 1.3 requests per second on average per device. Putting it plainly, this botnet was, on average, 4,000 times stronger due to its use of virtual machines and servers.”
Thirty seconds into the assault, the botnet generated over 212 million HTTPS requests from more than 1,500 networks, located in 121 nations. Most requests came from Indonesia, the US, Brazil, and Russia with the French OVH (Autonomous System Number 16276), the Indonesian Telkomnet (ASN 7713), the US-based iboss (ASN 137922), and the Libyan Ajeel (ASN 37284) being the top source networks.
According to Cloudflare, the assault was over HTTPS, making it more expensive in terms of required computational resources, as establishing a secure TLS encrypted connection costs more. Consequently, it also costs more to mitigate it.
"HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection," Yoachimik explained. "Therefore, it costs the attacker more to launch the attack, and for the victim to mitigate it. We've seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale."
This is one of the multiple volumetric assaults identified by Cloudflare throughout the last several years. An HTTP DDoS attack that was discovered in August 2021 saw around 17.2 million requests per second being generated. More recently, a mitigated 15.3 million rps attack that occurred in April 2022 saw around 6,000 bots being employed in order to target a Cloudflare customer who was running a crypto launchpad.
Last year in November, Microsoft revealed that it thwarted a record-breaking 3.47 terabits per second (Tbps) DDoS attack that flooded servers used by an Azure customer from Asia with malicious packets.