Cloudflare recently detected and mitigated what it is calling the largest HTTPS DDoS attack on record. The content delivery network and DDoS mitigation company said the attack, which peaked at 26 million requests per second, mostly came from cloud service providers rather than residential ISPs. This suggests the attacker was using hijacked virtual machines to drive the powerful attack rather than weaker Internet of Things devices.
Within less than 30 seconds, it had launched more than 212 million HTTPS requests from more than 1,500 networks across 121 countries. The attack targeted a Cloudflare customer using the company’s free plan.
Perhaps the most impressive aspect of the attack was the small size of the botnet – just 5,067 devices. According to Cloudflare, each node was generating around 5,200 requests per second at its peak. Another botnet they have been tracking consists of more than 730,000 devices but wasn’t able to generate more than a million requests per second.
Comparing the two, the smaller botnet was on average about 4,000 times stronger.
The attack was also somewhat unique in that it occurred over HTTPS. Such attacks require more computational resources to pull off and therefore cost the attacker more to conduct. They are also more expensive for the victim to mitigate.
Back in April, Cloudflare mitigated a 15M rps attack in just under 20 seconds flat. In August 2021, the company successfully thwarted a 17.2M rps attack.