Last week, a hacker generated a record-breaking DDoS attack that leveraged browser-based HTTPS requests to try and take down a website.
Internet infrastructure provider Cloudflare reported the incident today, and described it as the largest HTTPS DDoS attack on record at 26 million requests per second (rps). The goal was to overwhelm a customer website with internet traffic and force it offline. However, Cloudflare says it successfully detected and mitigated the attack, which seems to have last for only 30 seconds.
For perspective, the previous record holder was a 17.2 million rps bombardment that Cloudflare detected last August targeting a financial website. At the time, the company also noted it usually serves over 25 million HTTP requests per second on average for the entire Cloudflare network.
Last week’s attack hit an unnamed customer website enrolled in Cloudflare’s free plan. Interestingly, the hacker avoided using hacked IoT/smart home devices to generate the attack traffic. Instead, Cloudflare says the culprit mostly relied on hijacked access to cloud service providers to bombard the website.
“The 26M rps DDoS attack originated from a small but powerful botnet of 5,067 devices. On average, each node generated approximately 5,200 rps at peak,” the company added. “To contrast the size of this botnet, we’ve been tracking another much larger but less powerful botnet of over 730,000 devices. The latter, larger botnet wasn’t able to generate more than one million requests per second.”
The attack was far stronger because it used virtual machines and powerful servers at the cloud service providers, which have more computing power and better access to the internet. “Within less than 30 seconds, this botnet generated more than 212 million HTTPS requests from over 1,500 networks in 121 countries,” Cloudflare said.
In addition, the attack was conducted over the encrypted HTTPS web-browsing protocol, instead of non-encrypted HTTP connections, to try and generate the legitimate website requests.
“HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection. Therefore, it costs the attacker more to launch the attack, and for the victim to mitigate it,” the company said.
“We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale,” Cloudflare added.
In a statement to PCMag, the company also noted: "We are seeing an increased usage of server/vm-(virtual machine) based botnets that originate from Cloud Service Providers. And as we've seen, these tend to be much more powerful attacks than IoT-based botnets."
"In some cases, we've identified that these hijacked machines run up to date OS versions indicating that these are not necessarily abandoned and unprotected machines, but rather up-to-date servers running the latest OS versions," Cloudflare added.
In January, Microsoft also encountered a record-breaking DDoS attack at 3.47Tbps targeting an unnamed customer in Asia. However, the assault used what’s called a “volumetric” method to bombard the network, hence it’s measured differently.