Last week, Cloudflare blocked the largest HTTPS DDoS attack on record. The attack peaked at some 26 million requests per second (rps). The previous record for an HTTPS DDoS attack was 15.3 million rps.

The attack targeted an unnamed Cloudflare customer and originated mostly from Cloud Service Providers.

DDoS over HTTPS

DDoS stands for Distributed Denial of Service. This type of attack involves sending large amounts of traffic from multiple sources to a service or website, intending to overwhelm it and make it inaccessible for regular users. DDoS attacks have been growing considerably in number and scale over the past years.

DDoS attacks require traffic to come from many sources. IoT botnets can supply large numbers of devices, but no IoT botnet has the computational resources needed to pull off an attack this powerful. This attack originated from a small but powerful botnet of 5,067 devices. That, together with the fact that the traffic came from Cloud Service Providers, indicates the use of hijacked virtual machines and powerful servers to generate the attack.

What makes an HTTPS DDoS attack more expensive, in terms of required computational resources, is that such an attack requires a secure TLS-encrypted connection. The attacker's advantage is that it also costs the victim more to mitigate.

The attack

Within less than 30 seconds, this botnet generated more than 212 million HTTPS requests from over 1,500 networks in 121 countries.

Even though 30 seconds is not that long, such an attack can disrupt an unprotected internet property, like a network or online service, for much longer. DDoS attacks can cripple some online businesses for long enough to set them back considerably, or even put them out of business entirely for the length of the attack and some period afterwards.

Without knowing who the target was, it is hard to guess at the reason behind the attack. Application-layer denial-of-service attacks disrupt web servers and other kinds of networked software by making them unable to process legitimate requests.

The goal usually is the disruption itself or to abuse the vulnerable state in which it leaves the internet property.

Good news

International cooperation between the Federal Bureau of Investigation (FBI), the United Kingdom's National Crime Agency, and the Dutch Police has brought an end to a DDoS platform that rented threat actors short-term access to malicious infrastructure, letting them select and launch damaging DDoS attacks. In this case, an Illinois man running the websites DownThem.org and AmpNode.com was sentenced to 24 months in federal prison.

“Records from the DownThem service revealed more than 2,000 registered users and more than 200,000 launched attacks, including attacks on homes, schools, universities, municipal and local government websites, and financial institutions worldwide.”

The service used one or more of its own dedicated attack servers to appropriate the resources of hundreds or thousands of other internet-connected servers in reflected amplification attacks.

A reflection amplification attack is a technique that allows attackers to both magnify the amount of malicious traffic they can generate and obscure the sources of the attack traffic.

Mitigation

Scrambling for a solution at the moment you find out that you are the target of a DDoS attack is not the best strategy, especially if your organization depends on internet-facing servers. Without an automated defense, an attack like this one would very likely be over before you noticed, but the damage would already have been done.

Ideally, you want to detect, identify, and mitigate DDoS attacks before they reach their target. You can do that through two types of defenses:

  • On-premise protection (e.g. identifying, filtering, detection, and network protection)
  • Cloud-based counteraction (e.g. deflection, absorption, rerouting, and scrubbing)

The best of both worlds is a hybrid solution that detects an attack on-premise early on and escalates to a cloud-based solution when it reaches a volume that the on-premise solution cannot handle.
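To make the on-premise detection stage concrete, here is an added example (not code from the article or from Cloudflare) that buckets web-server access-log lines per second, flags seconds whose request rate exceeds a threshold, and tells a distributed flood (load spread over many source IPs) apart from a single noisy client. The log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: client ip, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')

def parse_line(line):
    """Return (second, ip) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    second = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return second, m.group(1)

def analyze(lines, rps_threshold=100, single_source_share=0.5):
    """Bucket requests per second; flag seconds above rps_threshold and
    classify them: if one IP accounts for >= single_source_share of the
    requests it is a single noisy client, otherwise a distributed flood."""
    per_second = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not trusted
        second, ip = parsed
        per_second[second][ip] += 1
    findings = []
    for second, sources in sorted(per_second.items()):
        rps = sum(sources.values())
        if rps < rps_threshold:
            continue
        top_ip, top_count = sources.most_common(1)[0]
        kind = "single-source" if top_count / rps >= single_source_share else "distributed"
        findings.append({"second": second.isoformat(), "rps": rps,
                         "sources": len(sources), "kind": kind, "top_ip": top_ip})
    return findings

def _clf(ip, hms, path):
    return f'{ip} - - [10/Jun/2022:{hms} +0000] "GET {path} HTTP/1.1" 200 512'

def build_sample_log():
    """Constructed log: a quiet second, a distributed flood second
    (300 requests spread over 150 IPs) and a single noisy client (120 rps)."""
    lines = [_clf(f"10.0.0.{i}", "12:00:00", "/") for i in range(1, 4)]
    lines += [_clf(f"10.0.1.{1 + i % 150}", "12:00:01", "/") for i in range(300)]
    lines += [_clf("10.0.2.7", "12:00:02", "/api/search") for _ in range(120)]
    lines.append("not a log line")  # exercises the parse failure path
    return lines
```

Calling `analyze(build_sample_log())` returns two findings: the 300 rps second classified as distributed across 150 sources, and the 120 rps second attributed to the single client 10.0.2.7; only the first kind is the profile of the attack described above, and it is the one to escalate to the cloud-based tier.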

Stay safe, everyone!