Cloudflare – Thwarted biggest ever HTTPS attack
Cloudflare has revealed that it detected and mitigated a 26 million-request-per-second DDoS attack, the largest on record over HTTPS, the secure protocol for sending data between a web server and a browser.
The attack targeted a customer website that uses Cloudflare’s free plan. It originated from cloud service providers rather than residential internet service providers, indicating that hijacked virtual machines and servers, rather than IoT devices, were used to generate it.
The DDoS involved using a botnet of 5,067 devices, with each node generating about 5,200 requests per second at the attack’s peak.
Cloudflare has been tracking a much larger but less powerful botnet of more than 730,000 devices that can generate no more than 1 million requests per second, or 1.3 requests per second per device. By comparison, the botnet behind this attack was, on average, 4,000 times stronger per device because it used virtual machines and servers.
The attack was carried out over HTTPS. An HTTPS DDoS attack requires establishing a secure, TLS-encrypted connection, which makes the attack more costly for the attacker to launch and for the victim to mitigate.
Although this was a record HTTPS DDoS attack, there have been much larger traditional DDoS attacks, including one that peaked at 809 million packets per second in 2020.
The botnet attack generated more than 212 million HTTPS requests from more than 1,500 networks in 121 countries. The top countries were Indonesia, the U.S., Brazil, and Russia. Some 3% of the attacks came via Tor nodes, which are used to conceal a user’s location from a destination such as a website or web server.