Web infrastructure and website security company Cloudflare on Thursday disclosed that it mitigated the largest ever volumetric distributed denial of service (DDoS) attack recorded to date.
The attack, launched via a Mirai botnet, is said to have targeted an unnamed customer in the financial industry last month. "Within seconds, the botnet bombarded the Cloudflare edge with over 330 million attack requests," the company noted, at one point reaching a record high of 17.2 million requests-per-second (rps), making it three times bigger than previously reported HTTP DDoS attacks.
Volumetric DDoS attacks are designed to target a specific network with an intention to overwhelm its bandwidth capacity and often utilize reflective amplification techniques to scale their attack and cause as much operational disruption as possible.
They also typically originate from a network of malware-infected systems — consisting of computers, servers, and IoT devices — enabling threat actors to seize control and co-opt the machines into a botnet capable of generating an influx of junk traffic directed against the victim.
In this specific incident, the traffic originated from more than 20,000 bots in 125 countries worldwide, with almost 15% of the attack originating from Indonesia, followed by India, Brazil, Vietnam, and Ukraine. What's more, the 17.2 million rps alone accounted for 68% of the average rps rate of legitimate HTTP traffic processed by Cloudflare in Q2 2021, which is at 25 million HTTP rps.
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
This is far from the first time similar attacks have been detected in recent weeks. Cloudflare noted that the same Mirai botnet was used to strike a hosting provider with an HTTP DDoS attack that peaked a little below 8 million rps.
Separately, a Mirai-variant botnet was observed launching over a dozen UDP and TCP-based DDoS attacks that peaked multiple times above 1 Tbps. The company said the unsuccessful attacks were aimed at a gaming company and a major Asia Pacific-based internet services, telecommunications, and hosting provider.
"While the majority of attacks are small and short, we continue to see these types of volumetric attacks emerging more often," Cloudflare said. "It's important to note that these volumetric short burst attacks can be especially dangerous for legacy DDoS protection systems or organizations without active, always-on cloud-based protection."