Cloudflare detected and mitigated dozens of hyper-volumetric DDoS attacks over the weekend. The majority of attacks peaked in the ballpark of 50-70 million requests per second (rps) with the largest exceeding 71 million rps. This is the largest reported HTTP DDoS attack on record, more than 35% higher than the previously reported record of 46M rps in June 2022.
The attacks, which used HTTP/2, targeted Cloudflare-protected websites. They came from more than 30,000 different IP addresses. Well-known game providers, cryptocurrency firms, hosting corporations, and cloud computing platforms were among the websites that were attacked. Numerous cloud service providers were the source of the attacks, and we have been collaborating with them to take down the botnet.
In the last year, there has been an increase in attacks that start from cloud computing providers. To address this issue, we will offer a Botnet threat feed to service providers who have their autonomous system at no cost. This feed will provide them with threat intelligence related to their own IP space, specifically attacks that originate from within their autonomous system. Service providers who have their own IP space can now register for the early access waiting list.
No. This campaign of attacks arrives less than two weeks after the Killnet DDoS campaign that targeted healthcare websites. Based on the methods and targets, we do not believe that these recent attacks are related to the healthcare campaign. Furthermore, yesterday was the US Super Bowl, and we also do not believe that this attack campaign is related to the game event.
Distributed Denial of Service attacks is cyber attacks that aim to take down Internet properties and make them unavailable for users. These types of cyberattacks can be very efficient against unprotected websites and they can be very inexpensive for the attackers to execute.
Typically, an HTTP DDoS assault involves a deluge of HTTP requests directed at the target website. The attacker’s goal is to overwhelm the website with requests that it cannot process. The website’s server won’t be able to handle both the legitimate user requests and all of the attack requests if there are enough demands. This will be felt by users as a delay in the loading of websites, timeouts, and eventually being completely unable to connect to their intended websites.
To make attacks larger and more complicated, attackers usually leverage a network of bots — a botnet. The attacker will orchestrate the botnet to bombard the victim’s websites with HTTP requests. A sufficiently large and powerful botnet can generate very large attacks as we’ve seen in this case.
Even though creating and managing botnets demands a considerable investment and know-how, the situation may not be hopeless for an average individual. If someone wants to execute a DDoS attack on a website and lacks the technical knowledge, they don’t need to start from scratch. They can simply pay for the services of one of many DDoS-as-a-Service providers, which can cost as little as $30 per month. The size and duration of the attack will depend on the amount paid, with higher prices resulting in larger and more prolonged attacks.
Over the years, it has become easier, cheaper, and more accessible for attackers and attackers-for-hire to launch DDoS attacks. But as easy as it has become for the attackers, we want to make sure that it is even easier – and free – for defenders of organizations of all sizes to protect themselves against DDoS attacks of all types.
Ransom DDoS attacks don’t require a real system intrusion or a foothold inside the targeted network, unlike ransomware operations. Typically, ransomware attacks begin when a staff member carelessly opens a link in an email that installs and spreads the malware. With DDoS attacks, that is not necessary. They resemble a hit-and-run attack more so. A DDoS attacker only has to be aware of the website’s IP address or address.
Yes. The size, sophistication, and frequency of attacks have been increasing over the past months. In our latest DDoS threat report, we saw that the amount of HTTP DDoS attacks increased by 79% year-over-year. Furthermore, the number of volumetric attacks exceeding 100 Gbps grew by 67% quarter-over-quarter (QoQ), and the number of attacks lasting more than three hours increased by 87% QoQ.
However, there is more to the story. Attackers are becoming increasingly daring as well. According to our most recent DDoS threat report, Ransom DDoS attacks have been on the rise over the year, with a steady increase. These attacks reached their highest point in November 2022, when one in every four surveyed customers stated that they had been targeted by Ransom DDoS attacks or received threats of such attacks.
Yes. If your website, server, or networks are not protected against volumetric DDoS attacks using a cloud service that provides automatic detection and mitigation, we recommend that you consider it.
Cloudflare’s systems have been automatically detecting and mitigating these DDoS attacks.
Cloudflare provides various features and functionalities that you might already have access to, but perhaps you are not utilizing them to their full potential. For added safety measures, we suggest leveraging these capabilities to enhance and optimize your security posture:
1. Ensure all DDoS Managed Rules are set to default settings (High sensitivity level and mitigation actions) for optimal DDoS activation.
2. Cloudflare Enterprise customers that are subscribed to the Advanced DDoS Protection service should consider enabling Adaptive DDoS Protection, which mitigates attacks more intelligently based on your unique traffic patterns.
3. Deploy firewall rules and rate limiting rules to enforce a combined positive and negative security model. Reduce the traffic allowed to your website based on your known usage.
4. Ensure your origin is not exposed to the public Internet (i.e., only enable access to Cloudflare IP addresses). As an extra security precaution, we recommend contacting your hosting provider and requesting new origin server IPs if they have been targeted directly in the past.
5. Customers with access to Managed IP Lists should consider leveraging those lists in firewall rules. Customers with Bot Management should consider leveraging the threat scores within the firewall rules.
6. Enable caching as much as possible to reduce the strain on your origin servers, and when using Workers, avoid overwhelming your origin server with more subrequests than necessary.
7. Enable DDoS alerting to improve your response time.
Organizations of all sizes must defend against DDoS attacks. Attacks may be started by humans, but bots carry them out, and to win, you must engage in bot-on-bot combat. Because depending entirely on humans to mitigate in real time puts defenders at a disadvantage, detection and mitigation must be automated as much as feasible. For the benefit of our clients, Cloudflare’s automated technologies constantly detect and mitigate DDoS attacks. Customers can customise the protection according to their needs thanks to this automated method and our extensive range of security capabilities.
We’ve been providing unmetered and unlimited DDoS protection for free to all of our customers since 2017 when we pioneered the concept. Cloudflare’s mission is to help build a better Internet. A better Internet is more secure, faster, and reliable for everyone – even in the face of DDoS attacks.
