The largest HTTPS distributed denial-of-service (DDoS) attack in history materialized last week, Cloudflare has confirmed.
Cloudflare, which specializes in DDoS mitigation, announced that it successfully prevented the record-breaking onslaught before it could inflict any real damage.
As reported by Bleeping Computer, the company revealed that it recorded a DDoS attack of 26 million requests per second.
It should be stressed that this was an HTTPS-based DDoS attempt, with requests sent over encrypted connections, as opposed to the more traditional, standard DDoS attacks. In any case, the intended target was a Cloudflare client utilizing the service’s Free plan.
Bleeping Computer explains that the perpetrator probably relied on hijacked servers and virtual machines, because the attack stemmed from cloud service providers.
Interestingly, whoever was behind the attack managed to concentrate all its firepower with a botnet of 5,067 devices, which is a relatively small number considering the scale of the assault. Every single device was capable of delivering around 5,200 requests per second (rps) at its peak.
“To contrast the size of this botnet, we’ve been tracking another much larger but less powerful botnet of over 730,000 devices,” said Cloudflare product manager Omer Yoachimik. “The latter, larger botnet wasn’t able to generate more than one million requests per second, i.e., roughly 1.3 requests per second on average per device. Putting it plainly, this botnet was, on average, 4,000 times stronger due to its use of virtual machines and servers.”
An HTTP DDoS attack recorded during August 2021 generated around 17.2 million requests per second. More recently, a mitigated 15.3 million rps attack in April 2022 used around 6,000 bots to target a Cloudflare client who was running a crypto launchpad.
“HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection,” Yoachimik added. “Therefore, it costs the attacker more to launch the attack, and for the victim to mitigate it. We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale.”
Specifically, the botnet put to work in the unprecedented 26 million rps DDoS attack delivered over 212 million HTTPS requests within just 30 seconds. This was achieved with requests originating from more than 1,500 networks located in 121 countries around the globe.
2022 in particular has seen hackers and threat actors intensify their DDoS attack efforts. Microsoft, for example, halted the largest DDoS attack ever recorded (3.47 terabits per second), while Cloudflare itself stated that this category of cybercrime is aggressively progressing.
Cybercriminal activity in general is on the rise across the board: ransomware gangs have found new ways to evolve their operations, zero-day hacks (described as “one of the most advanced attack methods”) are showing no signs of slowing down, and sensitive information is easily exposed and sold.
Microsoft has even launched an initiative in response to the growing threat of cybercrime, offering its in-house security services to businesses.