Cloudflare Fends Off Record-Breaking HTTPS DDoS Attack

pcmag.com:

Last week, a hacker generated a record-breaking DDoS attack that leveraged browser-based HTTPS requests to try and take down a website. 

Internet infrastructure provider Cloudflare reported(Opens in a new window) the incident today, and described it as the largest HTTPS DDoS attack on record at 26 million requests per second (rps). The goal was to overwhelm a customer website with internet traffic and force it offline. However, Cloudflare says it successfully detected and mitigated the attack, which seems to have last for only 30 seconds. 

For perspective, the previous record holder was a 17.2 million rps bombardment that Cloudflare detected last August targeting a financial website. At the time, the company also noted it usually serves over 25 million HTTP requests per second on average for the entire Cloudflare network.   

Last week’s attack hit an unnamed customer website enrolled in Cloudflare’s free plan. Interestingly, the hacker avoided using hacked IoT/smart home devices to generate the attack traffic. Instead, Cloudflare says the culprit mostly relied on hijacked access to cloud service providers to bombard the website. 

“The 26M rps DDoS attack originated from a small but powerful botnet of 5,067 devices. On average, each node generated approximately 5,200 rps at peak,” the company added. “To contrast the size of this botnet, we’ve been tracking another much larger but less powerful botnet of over 730,000 devices. The latter, larger botnet wasn’t able to generate more than one million requests per second.”

The attack was far stronger because it used virtual machines and powerful servers at the cloud service providers, which have more computing power and better access to the internet. “Within less than 30