Tsunami of junk traffic that broke DDoS records delivered by tiniest of botnets

Tsunami of junk traffic that broke DDoS records delivered by tiniest of botnets

Aurich Lawson | Getty Images

reader comments

17 with 13 posters participating

A massive flood of malicious traffic that recently set a new distributed denial-of-service record came from an unlikely source. A botnet of just 5,000 devices was responsible as extortionists and vandals continue to develop ever more powerful attacks to knock sites offline, security researchers said.

The DDoS delivered 26 million HTTPS requests per second, breaking the previous record of 15.3 million requests for that protocol set only seven weeks ago, Cloudflare Product Manager ​​Omer Yoachimik reported. Unlike more common DDoS payloads such as HTTP, SYN, or SYN-ACK packets, malicious HTTPS requests require considerably more computing resources for the attacker to deliver and for the defender or victim to absorb.

4,000 times stronger

“We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale,” Yoachimik wrote.


The burst lasted less than 30 seconds and generated more than 212 million HTTPS requests from more than 1,500 networks in 121 countries, with Indonesia, the United States, Brazil, and Russia topping the list. The top networks used included French-based OVH (Autonomous System Number 16276), the Indonesian Telkomnet (ASN 7713), the US-based iboss (ASN 137922), and the Libyan Ajeel (ASN 37284). About 3 percent of the attack came through Tor nodes.



As was the case with the previous 15.3 million HTTPS requests-per-second attack, the new one originated mainly on devices from cloud service providers. The servers and virtual machines available from these providers are considerably more powerful than compromised computers and IoT devices connected to residential ISPs, which are the more common source of DDoSes.

critical vulnerability. This exploit allowed them to bypass authentication in a wide range of Java-based applications used inside the cloud environments running their attack devices.

DDoS attacks can be measured in several ways, including by the volume of data, the number of packets, or the number of requests sent each second. The other current records are 3.4 terabits per second for volumetric DDoSes—which attempt to consume all bandwidth available to the target—and 809 million packets per second. The 26 million HTTPS requests per second break the previous 17.2 million requests per second record set in 2020. Not only did that earlier attack deliver fewer packets than the new record, but it also relied on HTTP, which isn’t as potent as HTTPS.

The Cloudflare product manager said that his company automatically detected and mitigated the attack against the customer, which was using Cloudflare’s free service.

Article Tags:
Article Categories: