Tsunami of junk traffic that broke DDoS records was powered by the tiniest of botnets
A massive flood of malicious traffic that recently set a new distributed denial-of-service record came from an unlikely source. A botnet of 5,000 devices has been held responsible, security researchers say, as blackmailers and vandals continue to develop ever-more powerful attacks to knock websites offline.
The DDoS delivered 26 million HTTPS requests per second, breaking the previous record of 15.3 million requests per second for that protocol, set only seven weeks ago, Cloudflare Product Manager Omer Yoachimik reported. Unlike more common DDoS payloads such as HTTP, SYN, or SYN-ACK packets, malicious HTTPS requests require significantly more computational resources for the attacker to deliver and for the defender or victim to absorb.
4,000 times stronger
“We have seen very large attacks in the past over HTTP (unencrypted), but this attack stands out because of the resources it requires at its scale,” Yoachimik writes.
The burst lasted less than 30 seconds and generated more than 212 million HTTPS requests from more than 1,500 networks in 121 countries, with Indonesia, the United States, Brazil, and Russia topping the list. The top networks used include France-based OVH (Autonomous System Number 16276), Indonesia’s Telkomnet (ASN 7713), US-based iboss (ASN 137922) and Libya’s Ajeel (ASN 37284). About 3% of the attack came through Tor nodes.
As was the case with the previous attack of 15.3 million HTTPS requests per second, the new attack originated mainly on devices belonging to cloud service providers. The servers and virtual machines available from these providers are significantly more powerful than the compromised computers and IoT devices connected to residential ISPs, which are the more common sources of DDoSes.
The 26M rps DDoS attack originated in a small but powerful botnet of 5,067 devices. On average, each node generates about 5,200 rps at peak. To contrast the size of this botnet, we tracked another much larger but less powerful botnet with over 730,000 devices. The second, larger botnet cannot generate more than a million requests per second, which is about 1.3 requests per second on average per device. In other words, this botnet is 4,000 times stronger on average due to the use of virtual machines and servers.
In some cases, DDoSers combine the use of their cloud-based devices with other techniques to make their attacks more powerful. For example, in the 15.3 million HTTPS requests-per-second DDoS from earlier this year, Cloudflare discovered evidence that the threat actors may have exploited a serious flaw. This exploit allows them to bypass authentication in a wide range of Java-based applications used inside the cloud environments running their attack devices.
DDoS attacks can be measured in many ways, including data volume, number of packets, or number of requests sent per second. Other current records are 3.4 terabits per second for volumetric DDoS, which tries to consume all bandwidth available to the target, and 809 million packets per second. The 26 million HTTPS requests per second breaks the previous record of 17.2 million requests per second, set in 2020. The previous attack not only delivered fewer packets than the new record, but also relied on HTTP, which is not as powerful as HTTPS.
Cloudflare’s product manager says that his company has automatically detected and mitigated the attack against customers using Cloudflare’s free service.