Cloudflare foils record HTTPS DDoS flood • The Register

Cloudflare said it averted another record-breaking HTTPS-based distributed denial-of-service attack this month, one significantly larger than the previous record, which was set only two months ago.

In April, the company said it mitigated an HTTPS DDoS attack that peaked at 15.3 million requests per second (rps). Last week’s flood peaked at 26 million rps, with the target being the website of a company using Cloudflare’s free plan, according to Omer Yoachimik, chief product officer at Cloudflare.

Like the April attack, the most recent one was unusual not only because of its size, but also because it used floods of unwanted HTTPS requests to overwhelm a website, preventing it from serving legitimate visitors and effectively knocking it off the ‘net.

It was also notable because this tsunami of network traffic came from cloud service providers rather than residential Internet Service Providers (ISPs), meaning the attacker had to hijack virtual machines to pull off the attack rather than the more easily compromised Internet of Things (IoT) devices and home gateways, Yoachimik wrote in a blog post.

“HTTPS DDoS attacks are more expensive in terms of required computational resources due to the higher cost of establishing a secure TLS-encrypted connection,” he wrote. “Therefore, it costs more for the attacker to launch the attack, and for the victim to mitigate it. We have seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale.”

The latest attack came from a small but powerful botnet comprising 5,067 compromised devices, with each of these systems generating about 5,200 rps on average at peak.

By comparison, Cloudflare is tracking a botnet of more than 730,000 devices, a much larger operation but one that could generate no more than 1 million rps, or about 1.3 rps on average per device, Yoachimik wrote. Per device, the record-setting botnet, although significantly smaller, was therefore about 4,000 times more powerful, because it was built from virtual machines and servers rather than consumer hardware.

“In less than 30 seconds, this botnet generated over 212 million HTTPS requests from over 1,500 networks in 121 countries,” he wrote.

More than 15% of requests were generated in Indonesia, followed by the United States, Brazil, Russia and India. The main source networks were OVH in France, Telkomnet in Indonesia, jboss in the United States and Ajeel in Libya.

The number of DDoS floods jumped in the first quarter of this year, largely due to attacks associated with Russia’s invasion of Ukraine. Security firm Kaspersky said this type of attack increased by 46% year-over-year.

In its own April report, Cloudflare said there was a huge spike in application-layer DDoS attacks in Q1 (up 164% year-over-year) and a smaller increase in network-layer attacks (up 71%). That said, volumetric DDoS attacks jumped 645% quarter-over-quarter.

Application-layer denial-of-service attacks disrupt web servers and other networked software by flooding them with more requests than they can handle, leaving them unable to process legitimate requests. Because each request in an HTTPS flood is a well-formed, encrypted request that the server must accept and process before it can be judged, these attacks are harder to filter than raw packet floods. Network-layer attacks strike lower in the stack, typically overwhelming a system’s ability to process incoming network packets at all.
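The distinction above is easiest to see in an access log: an application-layer flood is made of individually valid requests, so the only thing that gives it away is the rate at which a small set of sources produces them. The following is an added example written for this page, not Cloudflare's code or anything from its blog post. It runs a per-client sliding-window counter over constructed HTTPS access-log lines (addresses from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24; the one-second window and the 20-request threshold are assumed values chosen for the sample) and reports which clients exceeded the threshold, plus each source's share of total traffic, the same kind of figure as the per-country and per-network breakdown in the article.

```python
"""Per-source request-rate detector for HTTPS access logs (illustrative,
added example; not Cloudflare's software). All log lines, IP addresses
and thresholds below are constructed for the demonstration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=1)  # assumed: sliding evaluation window per client
THRESHOLD = 20                 # assumed: requests per window before a client is flagged


def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> <client_ip> <method> <path> <status>'."""
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts), ip, method, path, int(status)


def build_sample_log():
    """Constructed sample traffic (not real data): three ordinary clients making
    five requests each over two seconds, and one client bursting 60 requests
    inside 600 ms. Every request is a well-formed GET with a 200 response, so
    nothing but the rate distinguishes the burst from legitimate traffic."""
    base = datetime(2022, 6, 14, 12, 0, 0)
    lines = []
    for i, ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        for k in range(5):
            ts = base + timedelta(milliseconds=400 * k + 50 * i)
            lines.append(f"{ts.isoformat()} {ip} GET /index.html 200")
    for k in range(60):
        ts = base + timedelta(milliseconds=10 * k)
        lines.append(f"{ts.isoformat()} 203.0.113.7 GET /search?q={k} 200")
    # Sort on the parsed timestamp so the detector sees requests in arrival order.
    lines.sort(key=lambda l: datetime.fromisoformat(l.split()[0]))
    return lines


def detect_floods(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {client_ip: peak requests seen within one window} for every client
    whose in-window count exceeds `threshold`. Each client keeps a deque of
    recent timestamps; old entries are evicted as the window slides, so a burst
    is caught while it is happening rather than in a later batch report."""
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        ts, ip, _method, _path, _status = parse_line(line)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def source_shares(lines):
    """Fraction of all requests contributed by each client IP (0.0-1.0)."""
    counts = defaultdict(int)
    for line in lines:
        counts[parse_line(line)[1]] += 1
    total = sum(counts.values())
    return {ip: n / total for ip, n in counts.items()}


if __name__ == "__main__":
    log = build_sample_log()
    for ip, n in detect_floods(log).items():
        print(f"flagged {ip}: {n} requests within {WINDOW.total_seconds():.0f}s")
    for ip, share in sorted(source_shares(log).items(), key=lambda kv: -kv[1]):
        print(f"{ip:>15} {share:6.1%} of requests")
```

On the constructed sample only 203.0.113.7 is flagged, with a peak of 60 requests in the window, and it accounts for 80% of all requests. The eviction loop is what makes this a sliding window rather than a fixed per-second bucket: a burst straddling a second boundary is still counted as one burst. In a real deployment the key would usually be the source network or ASN as well as the individual IP, since, as the article notes, a cloud-hosted botnet spreads its load across many addresses in the same provider.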

“Most attacks are small scale, e.g. cyber vandalism,” Yoachimik wrote. “However, even small attacks can severely affect unprotected Internet properties. On the other hand, large attacks increase in size and frequency, but remain short and fast – the chaos of a single quick knockout – trying to avoid detection.”

In the past year, Microsoft has twice reported that it has mitigated the largest recorded DDoS attacks in history, with the most recent occurring in November 2021 reaching 3.47 terabits per second and targeting a customer on Azure.

Yoachimik wrote that given the speed of attacks, the key to mitigating them is automation.

“DDoS attacks can be launched by humans, but they are generated by machines,” he wrote. “By the time humans can respond to the attack, the attack may be over. And even if the attack was quick, network and application failure events may linger long after the attack has ended, which costs you income and reputation.” ®
