Cloudflare said it this month staved off another record-breaking HTTPS-based distributed denial-of-service attack, this one significantly larger than the previous largest DDoS attack that occurred only two months ago.
In April, the biz said it mitigated an HTTPS DDoS attack that reached a peak of 15.3 million requests-per-second (rps). The flood last week hit a peak of 26 million rps, with the target being the website of a company using Cloudflare’s free plan, according to Omer Yoachimik, product manager at Cloudflare.
Like the attack in April, the most recent one not only was unusual because of its size, but also because it involved using junk HTTPS requests to overwhelm a website, preventing it from servicing legit visitors and thus effectively falling off the ‘net.
And also because this tsunami of network traffic originated from cloud service providers rather than residential internet service providers (ISPs), which means the cybercriminal needed to hijack virtual machines to pull off the attack rather than easier Internet of Things (IoT) devices and home gateways, Yoachimik wrote in a blog post.
“HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection,” he wrote. “Therefore, it costs the attacker more to launch the attack, and for the victim to mitigate it. We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale.”
The latest attack came from a small but powerful botnet comprising 5,067 compromised devices, with these systems each generating about 5,200 rps on average at peak.
By comparison, Cloudflare is tracking a botnet of more than 730,000 devices, a much larger operation but one that couldn’t generate more than 1 million rps, or about an average of 1.3 rps per device, Yoachimik wrote. On average, the record-setting botnet, though significantly smaller, was 4,000 times stronger because it used virtual machines and servers.
“Within less than 30 seconds, this botnet generated more than 212 million HTTPS requests from over 1,500 networks in 121 countries,” he wrote.
More than 15 percent of the requests were generated in Indonesia, followed by the USs, Brazil, Russia and India. The top source networks were OVH in France, Telkomnet in Indonesia, jboss in the United States and Ajeel in Libya.
The number of DDoS floods jumped in the first quarter this year, in large part due to attacks associated with Russia’s invasion of Ukraine. Cybersecurity outfit Kaspersky said this type of assault was up 46 percent year-over-year.
In its own report in April, Cloudflare officials said there was a huge spike in application-layer DDoS attacks in the first quarter (164 percent year-over-year) and a smaller jump in the number of network-layer attacks (71 percent). That said, volumetric DDoS attacks jumped 645 percent quarter-over-quarter.
Application-layer denial-of-service attacks disrupt web servers and other kinds of networked software by making them unable to process legitimate requests by flooding them with more requests than it can handle. Network-layer attacks hit lower down the stack, disrupting a system’s ability to process incoming network packets, typically.
“Most of the attacks are small, e.g. cyber vandalism,” Yoachimik wrote. “However, even small attacks can severely impact unprotected Internet properties. On the other hand, large attacks are growing in size and frequency — but remain short and rapid. Attackers concentrate their botnet’s power to try and wreak havoc with a single quick knockout blow — trying to avoid detection.”
Microsoft over the past year twice reported that it mitigated the largest recorded DDoS attacks in history, with the most recent one occurring in November 2021 that hit 3.47 terabits-per-second and targeted a customer on Azure.
Yoahimik wrote that given the speed of the attacks, the key to mitigating them is automation.
“DDoS attacks might be initiated by humans, but they are generated by machines,” he wrote. “By the time humans can respond to the attack, it may be over. And even if the attack was quick, the network and application failure events can extend long after the attack is over — costing you revenue and reputation.” ®