The Internet infrastructure company Cloudflare revealed today that it managed to block the largest distributed denial-of-service (DDoS) attack recorded to date.
The attack, which took place last month, targeted one of Cloudflare's clients in the financial sector.
Cloudflare said the attackers used a botnet of more than 20,000 infected devices to direct HTTP requests at the customer's network. Their goal was to consume and exhaust the server's resources.
A volumetric DDoS attack differs from a classic bandwidth DDoS attack, in which attackers try to exhaust the victim's Internet bandwidth. In a volumetric DDoS attack, the attackers send so many junk HTTP requests to the victim's server that they tie up its CPU and RAM and prevent legitimate users from reaching the targeted websites.
Cloudflare said the attack peaked at 17.2 million HTTP requests per second (rps), a rate the company described as almost three times higher than any previous volumetric DDoS ever recorded.
We are currently under DDoS and are working to mitigate. Requests reached > 7million/minute at our edge and declining.
- BitMEX (@BitMEX) August 22
Cloudflare also reported that although the attack peaked at 17.2 million rps, the attackers ran their botnet against the same target for hours. During this time the company had to absorb more than 330 million unsolicited HTTP requests.
The botnet operators did not stop after this initial attack. Cloudflare reported that the same botnet carried out two other large-scale attacks in the following weeks, one of which peaked at 8 million rps and targeted a web hosting provider.
Cloudflare is currently monitoring the evolution of the botnet, which appears to have been created using a modified version of the known Mirai IoT malware.
Based on the bots' IP addresses, Cloudflare reports that 15% of the attack traffic came from Indonesia, and another 17% from India and Brazil combined.
Historically, the largest DDoS bandwidth attack ever recorded was at 2.3 terabytes per second (Tbps), which was recorded by Amazon Web Services in February 2020.