Cloudflare says it recently stopped the biggest HTTPS DDoS attack ever seen.
Product manager Omer Yoachimik revealed in a blog post (opens in new tab) that the company automatically detected and mitigated a 26 million requests per second (RPS) attack against a customer site using the company’s Free plan.
Such a powerful attack was made possible by threat actors using hijacked virtual machines and servers rather than Internet of Things (IoT) devices to send malicious traffic. (opens in new tab), said the company. In total, around 5,000 devices were used for the attack, with each endpoint (opens in new tab) generating about 5,200 RPS at peak.
This shows just how dangerous virtual machines and servers are when used for DDoS attacks, the company says, as other larger botnets are not able to mimic a fraction of that power.
Thirty seconds after the attack, the botnet generated over 212 million HTTPS requests from over 1,500 networks located in 121 countries. Most orders came from Indonesia, the United States, Brazil and Russia. About 3% of the attack came through Tor nodes.
The main networks of origin include the French OVH (Autonomous System Number 16276), the Indonesian Telkomnet (ASN 7713), the North American iboss (ASN 137922) and the Libyan Ajeel (ASN 37284), the blog adds.
Cloudflare also said the attack was over HTTPS, making it more expensive in terms of computing resources required, as establishing a secure TLS encrypted connection costs more. Consequently, it also costs more to mitigate it, Cloudflare said. “We’ve seen very large attacks in the past over HTTP (unencrypted), but this attack stands out because of the features required at its scale,” the blog reads.
Large attacks are growing, both in size and frequency, Cloudflare warns. Still, they remain short and fast as threat actors try to wreak as much havoc as possible without being detected.