Last week, content delivery network Cloudflare reported that its systems had detected and prevented the largest HTTPS Distributed Denial of Service (DDoS) attack in history. The attack was launched by a “small but powerful” botnet and hit 26 million requests per second at its peak.
According to a blog post by Cloudflare product manager Omer Yoachimik, the attack “targeted a customer website using Cloudflare’s free plan.” Despite comprising just 5,067 devices, the botnet that launched the attack produced over 200 million HTTPS requests from over 1,500 networks in 121 countries—in under 30 seconds.
Cloudflare highlighted the botnet’s reliance on cloud service providers rather than residential internet service providers. This implies “the use of hijacked virtual machines and powerful servers to generate the attack” rather than “much weaker Internet of Things (IoT) devices,” according to Yoachimik.
This computing power made the botnet much more powerful than its relatively small size would suggest. “To contrast the size of this botnet, we’ve been tracking another much larger but less powerful botnet of over 730,000 devices,” Yoachimik said. “Putting it plainly, this botnet was, on average, 4,000 times stronger due to its use of virtual machines and servers.”
Yoachimik also emphasized that last week’s attack took place over HTTPS. Since HTTPS DDoS attacks require establishing an encrypted TLS connection, they consume more computational resources than DDoS attacks carried out over HTTP, making the enormous scope of this attack even more striking.
“We’ve seen very large attacks in the past over (unencrypted) HTTP,” Yoachimik said, “but this attack stands out because of the resources it required at its scale.”
Just two months ago, in April 2022, Cloudflare saw another massive DDoS attack, which it reports was also automatically detected and mitigated by Cloudflare’s systems. That attack targeted a crypto launchpad, a type of platform supporting cryptocurrency and blockchain projects.
Like last week’s attack, the April attack relied heavily on cloud computing power and was also carried out over HTTPS. At 15 million requests per second, most of which were generated by datacenters, it was previously the largest HTTPS DDoS attack to date, according to Cloudflare.
Last August, Cloudflare disclosed it had stopped another record-breaking DDoS attempt, which clocked in at over 17 million requests per second. At the time, that attack was nearly three times bigger than any other to date.
— Lev Craig is an editor at EC-Council.