Cloudflare reports thwarting the largest known HTTP-request distributed denial of service attack in history, approximately three times larger than any other previously reported.
The attack in July reached 17.2 million requests per second, the company wrote in a blog post. For scale, the entirety of the Cloudflare network typically sees around 25 million requests per second in normal traffic.
While that is the largest attack of the type the company has recently seen, Patrick Donahue, product manager at Cloudflare, told SC Media that the botnet behind it has broken previously reported records several times in just the last month.
“We have recently observed several attacks that we suspect were from this group, based on the scale and attack signatures. In the past 30 days, we’ve seen four separate attacks ranging from 7 million requests per second,” he said.
HTTP flooding can be a difficult type of attack to defend against. The traffic directed at a web server consists of GET and POST requests that appear legitimate and are hard to distinguish from genuine traffic.
These new attacks appear to be directed through a massive botnet of 20,000 IoT devices, with a disproportionate number of devices, more than a combined 30 percent, located in Indonesia and Brazil. While the location of hacked devices obviously does not speak to the attacker, it may speak to the type of device or component being hijacked for the botnet.
“The rising upper limit [of attack speeds] may exceed mitigation systems of enterprises who have been able to successfully fend off attacks in the past — especially those relying on on-premise hardware that cannot scale in the same manner cloud-based systems can,” said Donahue. “Attacks of this scale are still rare, but the targets have been changing, so companies should be prepared.”
In the same blog post, Cloudflare announced a new series of Mirai DDoS attacks, with a dozen topping a terabit a second in the same week. Mirai, an IoT botnet program with well-circulated source code, is most famous for the cyberattack against Dyn in 2016. Dyn provided DNS services for Twitter, The New York Times, Netflix and others, and the attack led to a short outage at several extremely popular websites. The new Mirai attacks were detected at a gaming firm and an “APAC-based Internet services, telecommunications and hosting provider,” per the blog.