Rewterz Informative Update – Massive HTTP DDoS Attack With Over 71 Million RPS Blocked By Cloudflare

Severity

High

Analysis Summary

Cloudflare recently announced that it successfully mitigated a record-breaking DDoS attack, which peaked at over 71 million requests per second. The attack was a hyper-volumetric attack, which means it was designed to flood the target server with an extremely high volume of traffic.

Their ability to mitigate this attack is a significant achievement, and it underscores the importance of having effective DDoS defense capabilities. The attack was larger than any previously reported HTTP DDoS attack, including the one that was mitigated by Google in June 2022.

“This was a weekend of record-breaking DDoS attacks. Over the weekend, Cloudflare detected and mitigated dozens of hyper-volumetric DDoS attacks. The majority of attacks peaked in the ballpark of 50-70 million requests per second (rps) with the largest exceeding 71 million rps. This is the largest reported HTTP DDoS attack on record, more than 35% higher than the previous reported record of 46M rps in June 2022.” they added

According to Cloudflare’s most recent DDoS threat assessment, the number of HTTP DDoS attacks climbed by 79% year over year. The frequency of volumetric strikes above 100 Gbps grew by 67% QoQ, while the number of attacks lasting more than three hours increased by 87% QoQ (Quarter-Over-Quarter).

Cloudflare claimed the attacks targeted websites protected by its infrastructure and were launched by a botnet comprised of more than 30,000 IP addresses belonging to numerous cloud providers, including gaming providers, cryptocurrency firms, hosting providers, and cloud computing platforms.

The extent, sophistication, and frequency of distributed denial-of-service attacks have all increased recently, according to the experts.

However, mitigating such a large-scale DDoS attack is a significant achievement and highlights the importance of having effective DDoS defense capabilities. 

“The audacity of attackers has been increasing as well. In our latest DDoS threat report, we saw that Ransom DDoS attacks steadily increased throughout the year. They peaked in November 2022 where one out of every four surveyed customers reported being subject to Ransom DDoS attacks or threats.” they concludes.

DDoS attacks continue to be a significant threat to organizations, and the frequency and scale of such attacks are increasing. These attacks can have serious consequences for organizations, including website downtime, reputational damage, and financial losses. Therefore, companies need to take proactive measures to protect themselves against these attacks, including the use of DDoS mitigation services, implementation of best practices for network security, and regular testing of their defenses.

Recommendations

Here are some of the precautionary steps recommended by the company that allow customers to improve their security posture:

1. Ensure all DDoS Managed Rules are set to default settings: Customers should ensure that their DDoS Managed Rules are set to default settings, including a high sensitivity level and appropriate mitigation actions, to optimize DDoS activation.
2. Enable Adaptive DDoS Protection: Cloudflare Enterprise customers subscribed to the Advanced DDoS Protection service should consider enabling Adaptive DDoS Protection, which mitigates attacks more intelligently based on unique traffic patterns.
3. Deploy firewall rules and rate limiting rules: Customers should deploy firewall rules and rate limiting rules to enforce a combined positive and negative security model, reducing the traffic allowed to their website based on known usage.
4. Ensure origin is not exposed to the public Internet: Customers should ensure that their origin server is not exposed to the public Internet, and should only enable access to Cloudflare IP addresses. As an extra security precaution, customers should contact their hosting provider and request new origin server IPs if they have been targeted directly in the past.
5. Leverage Managed IP Lists and Bot Management: Customers with access to Managed IP Lists should consider leveraging those lists in firewall rules. Customers with Bot Management should consider leveraging the threat scores within the firewall rules.
6. Enable caching and avoid overwhelming origin servers: Customers should enable caching as much as possible to reduce the strain on their origin servers, and should avoid overwhelming their origin server with more subrequests than necessary when using Workers.
7. Enable DDoS alerting: Customers should enable DDoS alerting to improve their response time in the event of an attack.

Overall, taking these recommended steps can help improve your security posture and better protect your website or application from DDoS attacks.