Cloudflare, a company that specializes in web security and distributed denial of service (DDoS) attack mitigation, just reported that it managed to stop an attack of an unprecedented scale.
The HTTPS DDoS attack was one of the largest such attacks ever recorded, and it came from unusual sources — data centers.
The attack was detected and mitigated automatically by Cloudflare’s defense systems, which were set up for one of its customers using the paid Professional plan. At its peak, the attack reached a massive 15.3 million requests-per-second (rps). This makes it the largest HTTPS DDoS attack ever mitigated by Cloudflare.
Cloudflare has previously seen attacks on a larger scale targeting unencrypted HTTP, but as Cloudflare mentions in its announcement, targeting HTTPS is a much more expensive and difficult venture. Such attacks typically require extra computational resources due to the need to establish a transport layer security (TLS) encrypted connection. The increase in costs is twofold: It costs more for the attacker to establish the attack, and it costs more for the targeted server to mitigate it.
The attack lasted less than 15 seconds, and its target was a cryptocurrency launchpad. Crypto launchpads are platforms that startups within the crypto space can use to raise early-stage funding while leveraging the reach of the launchpad. Cloudflare mitigated the attack without any additional actions being taken by the customer.
The source of the attack was not unfamiliar to Cloudflare — it said that it has seen attacks hitting up to 10 million rps from sources that match the same attack fingerprint. However, the devices that carried out the attack were something new, seeing as they came mostly from data centers. Cloudflare notes that this marks a shift that it has already been noticing as of late, with larger attacks moving from residential network internet service providers (ISPs) to huge networks of cloud compute ISPs.
Approximately 6,000 unique bots across over 1,300 networks carried out the DDoS attack that Cloudflare managed to mitigate automatically, without any human intervention. Perhaps more impressive is the number of locations involved, adding up to a total of 112 countries all around the globe. The largest share of it (15%) came from Indonesia, followed by Russia, Brazil, India, Colombia, and the U.S.
While this wasn’t the largest DDoS attack ever mitigated by Cloudflare, it’s definitely up there in terms of volume and severity. In 2021, the service managed to stop a 17.2 million rps HTTP DDoS attack. Earlier this year, the company reported that it has seen a massive rise in the number of DDoS attacks which increased by a staggering 175% quarter-over-quarter based on data from the fourth quarter of 2021.