Web infrastructure company Cloudflare on Monday disclosed that it thwarted a record-breaking distributed denial-of-service (DDoS) attack that peaked at over 71 million requests per second (RPS).
"The majority of attacks peaked in the ballpark of 50-70 million requests per second (RPS) with the largest exceeding 71 million," the company said, calling it a "hyper-volumetric" DDoS attack.
It's also the largest HTTP DDoS attack reported to date, more than 35% higher than the previous 46 million RPS DDoS attack that Google Cloud mitigated in June 2022.
Cloudflare said the attacks singled out websites secured by its platform and that they emanated from a botnet comprising more than 30,000 IP addresses that belonged to "numerous" cloud providers.
Targeted websites included a popular gaming provider, cryptocurrency companies, hosting providers, and cloud computing platforms.
HTTP attacks of this kind are designed to send a tsunami of HTTP requests towards a target website, typically in order of magnitude higher than what the website can handle, with the goal of rendering it inaccessible.
"Given a sufficiently high amount of requests, the website's server will not be able to process all of the attack requests along with the legitimate user requests," Cloudflare said.
"Users will experience this as website-load delays, timeouts, and eventually not being able to connect to their desired websites at all."
The development comes as the size, sophistication, and frequency of DDoS attacks are on the rise, with the company recording a 79% spike in HTTP DDoS attacks year-over-year in the final quarter of 2022.
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
What's more, the number of volumetric attacks lasting more than three hours surged by 87% when compared to the previous three-month period.
DDoS attacks are also turning out to be a lucrative means for criminal actors to earn illicit revenues by demanding ransom payments from victims, usually in the form of Bitcoin, to stop and avoid disruption to their services.
Some of the major attacked industry verticals during the time period include aviation, education, gaming, hospitality, and telecom. Georgia, Belize, and San Marino emerged as some of the top countries targeted by HTTP DDoS attacks in Q4 2022.
Network-layer DDoS attacks, on the other hand, singled out China, Lithuania, Finland, Singapore, Taiwan, Belgium, Costa Rica, the U.A.E, South Korea, and Turkey.