17.2 Million Request-Per-Second Attack Launched by 20,000 Bots, Cloudflare Says
Security firm Cloudflare says it detected and mitigated a 17.2 million request-per-second distributed denial-of-service attack, almost three times larger than any previously reported HTTP DDoS attack.
See Also: 2021 Cyberthreat Defense Report
DDoS attacks are often waged as part of extortion campaigns, with hackers threatening to escalate attacks if a ransom is not paid.
“Cloudflare serves over 25 million HTTP requests per second on average. This refers to the average rate of legitimate traffic in 2021 Q2. So peaking at 17.2 million rps, this attack reached 68% of our Q2 average rps rate of legitimate HTTP traffic,” said Omer Yoachimik, product manager at Cloudflare’s DDoS Protection Service.
Cloudflare notes that the attack traffic originated from over 20,000 bots in 125 countries. Based on the bots’ source IP addresses, however, almost 15% of the attacks originated from Indonesia and another 17% from India and Brazil combined. The security firm says that there may be many malware-infected devices in those countries.
This attack was launched by a botnet that bombarded the Cloudflare edge with more than 330 million attack requests, targeting a Cloudflare customer in the financial industry.
The Cloudflare report notes that this specific botnet has been seen at least twice over the past few weeks, and last week it targeted a different Cloudflare customer, a hosting provider, with an HTTP DDoS attack that peaked just below 8 million rps.
The attack was recorded by Cloudflare’s DDoS protection systems, which is powered by its own denial-of-service daemon, a home-grown software-defined daemon.
Resurgence of Mirai
Another notable attack that Cloudflare discovered was around two weeks previously, when a Mirai-variant botnet launched more than a dozen UDP- and TCP-based DDoS attacks that peaked multiple times above 1 terabyte, with a maximum peak of approximately 1.2 Tbps.
“While the first HTTP attacks targeted Cloudflare customers on the WAF/CDN service, the 1+ Tbps network-layer attacks targeted Cloudflare customers on the Magic Transit and Spectrum services,” Yoachimik states. “One of these targets was a major APAC-based internet services, telecommunications and hosting provider. The other was a gaming company. In all cases, the attacks were automatically detected and mitigated without human intervention.”
The Mirai botnet started with around 30,000 bots, then shrank to about 28,000. Despite losing bots from its fleet, the botnet was able to generate high volumes of attack traffic for short periods. In some cases, these bursts lasted only a few seconds.
“These attacks join the increase in Mirai-based DDoS attacks that we’ve observed on our network over the past weeks. In July alone, L3/4 Mirai attacks increased by 88% and L7 attacks by 9%. Additionally, based on the current August per-day average of the Mirai attacks, we can expect L7 Mirai DDoS attacks and other similar botnet attacks to increase by 185% and L3/4 attacks by 71% by the end of the month,” Yoachimik notes.
Mirai is a codename for malware that was first discovered in 2016 by MalwareMustDie, a nonprofit security research workgroup. The malware spreads by infecting Linux-operated devices such as security cameras and routers. It then self-propagates by searching for open Telnet ports 23 and 2323.
“Once found, the malware attempts to gain access to vulnerable devices by brute-forcing known credentials such as factory default usernames and passwords. Later variants of Mirai also took advantage of zero-day exploits in routers and other devices. Once infected, the devices will monitor a command-and-control server for instructions on which target to attack,” Cloudflare notes.
Other DDoS Attacks
In June, telecommunications equipment manufacturer Nokia’s data analytics division, Nokia Deepfield, reported that the daily peak of DDoS attack traffic increased 100% from January 2020 to May 2021, reaching 3 Tbps, with most of the high-bandwidth, high-intensity attacks originating from less than 50 hosting companies.
As many workers worldwide shifted to working remotely during the COVID-19 pandemic in 2020, broadband connectivity became more essential, and DDoS attack traffic surged 50% in the period between mid-March and June 2020, the company said.
The rapidly growing number of open and insecure internet services and IoT devices also increased the potential size for DDoS attacks to over 10 Tbps, the Nokia Deepfield report said (see: Peak DDoS Traffic Up 100%, Researchers Report).
In 2018, a Kaspersky report noted that the financial impact of a DDoS attack averaged more than $120,000 for small and midsize businesses and more than $2 million for larger enterprises.
The NetScout Atlas Security Engineering and Response Team in January said that the number of distributed denial-of-service attacks launched in 2020 surpassed 10 million, up from 8.5 million in 2019.
NetScout noted the number of DDoS attacks exceeded 800,000 per month starting in March 2020, when the spread of the COVID-19 virus was declared a pandemic, and peaked in May 2020, when 929,000 were launched. By comparison, the number of attacks each month averaged about 725,000 in 2019 (see: Netscout: 10 Million DDoS Attacks in 2020).