Cloudflare just stopped one of the largest DDoS attacks ever

Cloudflare, a company that specializes in web security and distributed denial of service (DDoS) attack mitigation, just reported that it managed to stop an attack of an unprecedented scale.

The HTTPS DDoS attack was one of the largest such attacks ever recorded, and it came from unusual sources — data centers.


The attack was detected and mitigated automatically by Cloudflare’s defense systems, which were set up for one of its customers using the paid Professional plan. At its peak, the attack reached a massive 15.3 million requests-per-second (rps). This makes it the largest HTTPS DDoS attack ever mitigated by Cloudflare.

Cloudflare has previously seen attacks on a larger scale targeting unencrypted HTTP, but as Cloudflare mentions in its announcement, targeting HTTPS is a much more expensive and difficult venture. Such attacks typically require extra computational resources due to the need to establish a transport layer security (TLS) encrypted connection. The increase in costs is twofold: It costs more for the attacker to establish the attack, and it costs more for the targeted server to mitigate it.

The attack lasted less than 15 seconds, and its target was a cryptocurrency launchpad. Crypto launchpads are platforms that startups within the crypto space can use to raise early-stage funding while leveraging the reach of the launchpad. Cloudflare mitigated the attack without any additional actions being taken by the customer.

The source of the attack was not unfamiliar to Cloudflare — it said that it has seen attacks hitting up to 10 million rps from sources that match the same attack fingerprint. However, the devices that carried out the attack were something new, seeing as they came mostly from data centers. Cloudflare notes that this marks a shift that it has already been noticing as of late, with larger attacks moving from residential network internet service providers (ISPs) to huge networks of cloud compute ISPs.

Cloudflare DDoS attack sources.

Approximately 6,000 unique bots across over 1,300 networks carried out the DDoS attack that Cloudflare managed to mitigate automatically, without any human intervention. Perhaps more impressive is the number of locations involved, adding up to a total of 112 countries all around the globe. The largest share of it (15%) came from Indonesia, followed by Russia, Brazil, India, Colombia, and the U.S.

While this wasn’t the largest DDoS attack ever mitigated by Cloudflare, it’s definitely up there in terms of volume and severity. In 2021, the service managed to stop a 17.2 million rps HTTP DDoS attack. Earlier this year, the company reported that it has seen a massive rise in the number of DDoS attacks which increased by a staggering 175% quarter-over-quarter based on data from the fourth quarter of 2021.

Editors’ Choice

Repost: Original Source and Author Link


Cloudflare says it’s time to end CAPTCHA ‘madness’, launches new security key-based replacement

Cloudflare, which you may know as a provider of DNS services or the company telling you why the website you clicked on won’t load, wants to replace the “madness” of CAPTCHAs across the web with an entirely new system.

CAPTCHAs are those tests you have to take, often when trying to log into a service, that ask you to click images of things like busses or crosswalks or bicycles to prove that you’re a human. (CAPTCHA, if you didn’t know, stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.”) The problem is, they add a lot of friction to using the web and can sometimes be difficult to solve — I’m sure I’m not the only person who has frustratingly failed a CAPTCHA because I didn’t see that corner of a crosswalk in one image.

In a blog, Cloudflare says it aims to “get rid of CAPTCHAs completely” by replacing them with a new way to prove you are a human by touching or looking at a device using a system it calls “Cryptographic Attestation of Personhood.” Right now, it only supports a limited number of USB security keys like YubiKeys, but you can test Cloudflare’s system for yourself right now on the company’s website.

I tried it out, and it worked great. All I had to do was click the prominent “I am human (beta)” button on the site, then follow a few prompts to select my security key, then tap it, and then allow the site to access the make and model of the key. When I did, the system waved me through (though it just took me back to the blog).

The whole process took all of a few seconds, and I have to admit that it was really nice not to puzzle over grainy images of busses and bus-looking objects. And in addition to the speed of it all, this new method could have a major accessibility benefit, as those with visual disabilities may not be able to complete CAPTCHAs in their current form.

Here is the company’s “elevator pitch” of what’s going on behind the scenes to establish that you’re a human via its new method:

The short version is that your device has an embedded secure module containing a unique secret sealed by your manufacturer. The security module is capable of proving it owns such a secret without revealing it. Cloudflare asks you for proof and checks that your manufacturer is legitimate.

You can read a much more extensive explanation on the company’s blog.

While it’s all an intriguing idea, it may not be the end to CAPTCHAs as we know it just yet. For one thing, you probably won’t see the prompt in many places, as Cloudflare says this is only an experiment right now, available “on a limited basis in English-speaking regions.” And in its current state, it only works with a limited set of hardware: YubiKeys, HyperFIDO keys, and Thetis FIDO U2F keys.

Cloudflare promises it will “look into adding other authenticators as soon as possible.” That could possibly expand to your phone: Cloudflare suggests the possibility of tapping a phone to their computer to pass a wireless signature using NFC. Google can now treat both iPhones and Android phones as physical security keys; If Google and Apple got on board with Cloudflare’s method, it could significantly reduce the barrier to entry to using it, since smartphones are much more common than security keys.

However, Cloudflare’s system may actually be a worse solution, according to one critic. As Ackermann Yuriy (CEO of the consulting firm Webauthn Works) points out, “attestation does not prove anything but the device model,” meaning that it doesn’t actually prove if someone using a device for authentication is, in fact, a human.

Cloudflare essentially admits this itself in its own blog, saying that a drinking bird (those bird toys that dip their beaks into water repeatedly) could press a touch sensor on a security key, thereby passing the authentication test. If the point of CAPTCHAs is to prevent bot farms from overrunning websites, we may need to consider whether bot farms equipped with with jury-rigged security key devices (or worse) will take advantage.

Cloudflare isn’t always positively associated with CAPTCHAs; in a recent example, the company moved from Google’s reCAPTCHA to a service from hCaptcha in April 2020, and some people weren’t fans:

CAPTCHAs also assume that website owners want to allow relatively anonymous traffic, but anonymous identity may be irrelevant if an website has your actual identity through login information you’ve provided. And with the recent push against ad targeting, driven in large part by Apple’s huge new privacy feature in iOS 14.5 that asks users if they want to let each app track them around the web, it’s possible that website providers will move more toward logins anyway.

Though it certainly sounds like a hassle to have to potentially deal with even more logins (which is much easier to do with a great password manager!), that shift could, counterintuitively, have the potential benefit of pushing us toward a passwordless future even sooner. If more services are pushing for direct logins, that could lead to more of them supporting security keys instead of a password. And more sites supporting security keys could put pressure on others to support them as well, like the trend we see toward two-factor authentication with phones.

While we’re not at that passwordless future just yet, Cloudflare’s potential replacement for the CAPTCHA could be a first step in that direction.

Repost: Original Source and Author Link