This weekend, Cloudflare blocked what it describes as the largest volumetric distributed denial-of-service (DDoS) attack to date.
The company said it detected and mitigated not just one but a wave of dozens of hyper-volumetric DDoS attacks targeting its customers over the weekend.
“The majority of attacks peaked in the ballpark of 50-70 million requests per second (rps) with the largest exceeding 71 million rps,” Cloudflare’s Omer Yoachimik, Julien Desgats, and Alex Forster said.
“This is the largest reported HTTP DDoS attack on record, more than 35% higher than the previous reported record of 46M rps in June 2022.”
The attacks were launched using over 30,000 IP addresses from multiple cloud providers against various targets, including gaming providers, cloud computing platforms, cryptocurrency firms, and hosting providers.
Increasingly powerful and more frequent DDoS attacks align with Cloudflare’s recent DDoS threat report that paints a grim picture:
- the amount of HTTP DDoS attacks increased by 79% year-over-year
- the number of volumetric attacks exceeding 100 Gbps grew by 67% quarter-over-quarter (QoQ)
- the number of attacks lasting more than three hours increased by 87% QoQ
Today’s news comes after Google’s announcement in August 2022 that it blocked a record DDoS attack over the HTTPS protocol against a Google Cloud Armor customer that had reached 46 million RPS.
That was an increase of roughly 80% more than the previous record, an HTTPS DDoS of 26 million RPS mitigated by Cloudflare in June.
Volumetric DDoS attacks had slowly grown in size since 2021 when several botnets began leveraging powerful devices to hit targets with millions of requests per second.
For instance, in September 2021, the Mēris botnet hit Yandex with a 21.8 million RPS attack and previously hammered a Cloudflare customer with 17.2 million RPS.
In reaction to this stream of ever-increasing attacks, the FBI seized dozens of Internet domains and charged six suspects for their involvement in running ‘Booter’ or ‘Stresser’ platforms that anyone can use to launch DDoS attacks.
The move was part of a more extensive coordinated international law enforcement operation targeting DDoS-for-hire services dubbed Operation PowerOFF.
Besides seizing such platforms’ domains and taking control of their infrastructure (where possible), the FBI is also working with the UK’s National Crime Agency and the Netherlands Police to show ads in search engines to people searching for DDoS services.
For instance, when searching for ‘booter service,’ Google would show an advertisement stating, “Looking for DDoS tools? Booting is illegal.”
