Cloudflare says it thwarted record-breaking HTTPS DDoS flood

26m requests a second? Not legit traffic, not even Bill Gates doing $1m giveaways could manage that

Cloudflare said it this month staved off another record-breaking HTTPS-based distributed denial-of-service attack, this one significantly larger than the previous largest DDoS attack that occurred only two months ago.

In April, the biz said it mitigated an HTTPS DDoS attack that reached a peak of 15.3 million requests-per-second (rps). The flood last week hit a peak of 26 million rps, with the target being the website of a company using Cloudflare's free plan, according to Omer Yoachimik, product manager at Cloudflare.

Like the attack in April, the most recent one not only was unusual because of its size, but also because it involved using junk HTTPS requests to overwhelm a website, preventing it from servicing legit visitors and thus effectively falling off the 'net.

And also because this tsunami of network traffic originated from cloud service providers rather than residential internet service providers (ISPs), which means the cybercriminal needed to hijack virtual machines to pull off the attack rather than easier Internet of Things (IoT) devices and home gateways, Yoachimik wrote in a blog post.

"HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection," he wrote. "Therefore, it costs the attacker more to launch the attack, and for the victim to mitigate it. We've seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale."

The latest attack came from a small but powerful botnet comprising 5,067 compromised devices, with these systems each generating about 5,200 rps on average at peak.

By comparison, Cloudflare is tracking a botnet of more than 730,000 devices, a much larger operation but one that couldn't generate more than 1 million rps, or about an average of 1.3 rps per device, Yoachimik wrote. On average, the record-setting botnet, though significantly smaller, was 4,000 times stronger because it used virtual machines and servers.

"Within less than 30 seconds, this botnet generated more than 212 million HTTPS requests from over 1,500 networks in 121 countries," he wrote.

More than 15 percent of the requests were generated in Indonesia, followed by the USs, Brazil, Russia and India. The top source networks were OVH in France, Telkomnet in Indonesia, jboss in the United States and Ajeel in Libya.

The number of DDoS floods jumped in the first quarter this year, in large part due to attacks associated with Russia's invasion of Ukraine. Cybersecurity outfit Kaspersky said this type of assault was up 46 percent year-over-year.

In its own report in April, Cloudflare officials said there was a huge spike in application-layer DDoS attacks in the first quarter (164 percent year-over-year) and a smaller jump in the number of network-layer attacks (71 percent). That said, volumetric DDoS attacks jumped 645 percent quarter-over-quarter.

Application-layer denial-of-service attacks disrupt web servers and other kinds of networked software by making them unable to process legitimate requests by flooding them with more requests than it can handle. Network-layer attacks hit lower down the stack, disrupting a system's ability to process incoming network packets, typically.

"Most of the attacks are small, e.g. cyber vandalism," Yoachimik wrote. "However, even small attacks can severely impact unprotected Internet properties. On the other hand, large attacks are growing in size and frequency — but remain short and rapid. Attackers concentrate their botnet's power to try and wreak havoc with a single quick knockout blow — trying to avoid detection."

Microsoft over the past year twice reported that it mitigated the largest recorded DDoS attacks in history, with the most recent one occurring in November 2021 that hit 3.47 terabits-per-second and targeted a customer on Azure.

Yoahimik wrote that given the speed of the attacks, the key to mitigating them is automation.

"DDoS attacks might be initiated by humans, but they are generated by machines," he wrote. "By the time humans can respond to the attack, it may be over. And even if the attack was quick, the network and application failure events can extend long after the attack is over — costing you revenue and reputation." ®

Other stories you might like

  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • Man gets two years in prison for selling 200,000 DDoS hits
    Over 2,000 customers with malice on their minds

    A 33-year-old Illinois man has been sentenced to two years in prison for running websites that paying customers used to launch more than 200,000 distributed denial-of-services (DDoS) attacks.

    A US California Central District jury found the Prairie State's Matthew Gatrel guilty of one count each of conspiracy to commit wire fraud, unauthorized impairment of a protected computer and conspiracy to commit unauthorized impairment of a protected computer. He was initially charged in 2018 after the Feds shut down 15 websites offering DDoS for hire.

    Gatrel, was convicted of owning and operating two websites – DownThem.org and AmpNode.com – that sold DDoS attacks. The FBI said that DownThem sold subscriptions that allowed the more than 2,000 customers to run the attacks while AmpNode provided customers with the server hosting. AmpNode spoofed servers that could be pre-configured with DDoS attack scripts and attack amplifiers to launch simultaneous attacks on victims.

    Continue reading
  • Google, EFF back Cloudflare in row over pirate streams
    Ban akin to 'ordering a telephone company to prevent a person from having conversations' over its lines

    Google, EFF, and the Computer and Communications Industry Association (CCIA) have filed court documents supporting Cloudflare after it was sued for refusing to block a streaming site.

    Earlier this year, a handful of Israel-based media companies took Israel.tv to court, accusing it of streaming TV and movie content it had no right to distribute. The corporations — United King Film Distribution, D.B.S. Satellite Services, HOT Communication Systems, Charlton, Reshet Media and Keshet Broadcasting — won the lawsuit after Israel.tv's creators failed to show up to their hearings, and the judge ordered Israel-tv.com, Israel.tv and Sdarot.tv each pay $7,650,000 in damages. 

    In a more surprising move, however, the media outfits also won an injunction [PDF] in the United States in April against a slew of internet companies, among others, banning them from aiding Israel.tv in its piracy.

    Continue reading

Biting the hand that feeds IT © 1998–2022