26 Million Requests Per Second Attack Targets Cloudflare Customer Website
A small but mighty botnet set a new distributed denial-of-service attack record, suggesting hackers are honing techniques that threaten ever larger volumes of malicious internet traffic.
Internet infrastructure company Cloudflare says it detected and mitigated a 26 million request-per-second flood of encrypted HTTPS requests sent to an unidentified customer.
The attack originated from a botnet of just 5,607 devices, each generating 5,200 requests per second at the attack's peak.
Because the traffic originated with cloud service providers, Cloudflare suspects the devices used in the attack were compromised virtual machines and servers – not the internet of things appliances typically pressed into service by bot herders. The bandwidth available to cloud-hosted infrastructure is far greater than that of the residential networks in which IoT devices often operate.
By way of contrast, a more traditional botnet on Cloudflare’s radar, consisting of 730,000 compromised devices, generates a relatively paltry flood of 1 million requests per second, the company says.
“Putting it plainly, this botnet was, on average, 4,000 times stronger due to its use of virtual machines and servers,” writes Cloudflare executive Omer Yoachimik in a blog post.
Launched in a burst lasting 30 seconds, the attack generated more than 212 million HTTPS requests from more than 1,500 networks in 121 countries. The top countries were Indonesia, the United States, Brazil and Russia. About 3% of the attacks came through Tor nodes.
A DDoS attack causes online resources to become inaccessible to users by overwhelming available resources, a task aided when the malicious traffic requires the victim to handle computationally intensive HTTPS requests, which a majority of websites now process.
Although HTTPS encrypts traffic as it crosses the internet as protection against man-in-the-middle attacks and surveillance, its widespread use is being turned into a tool to bump up DDoS volumes. This most recent attack comes just weeks after Cloudflare announced a then-record-breaking DDoS attack involving encrypted web traffic that reached 15 million requests per second.
Mitigating DDoS Attacks
In an email to Information Security Media Group, Cloudflare pitched mitigation as a fight best undertaken machine-to-machine rather than by human beings.
Real-life people obviously are responsible for launching the attack, but once triggered, intense bursts of overwhelming internet traffic leave little leeway for manual detection, activation and mitigation using on-demand or security operations center-based solutions, the company said.
Cloudflare, which sells mitigation services, advises users to find automated solutions that can detect and filter malicious floods of traffic.