from the big-things-in-little-packages dept.
The largest HTTPS distributed denial-of-service (DDoS) attack in history materialized last week, Cloudflare has confirmed.
It should be stressed that this is an HTTPS-based DDoS attempt as opposed to the more traditional, standard DDoS attacks. In any case, the intended target was a Cloudflare client utilizing the service's Free plan.
[...] Interestingly, whoever was behind the attack managed to concentrate all its firepower with a botnet of 5,067 devices, which is a relatively small number considering the scale of the assault. Every single device was capable of delivering around 5,200 requests per second (rps) at its peak.
[...] Specifically, the botnet that was put to work in the unprecedented 26 million rps DDoS attack managed to deliver over an astronomical 212 million HTTPS requests within a period of just 30 seconds. This was achieved due to requests stemming from more than 1,500 networks located in 121 countries around the globe.
The DDoS delivered 26 million HTTPS requests per second, breaking the previous record of 15.3 million requests for that protocol set only seven weeks ago, Cloudflare Product Manager Omer Yoachimik reported. Unlike more common DDoS payloads such as HTTP, SYN, or SYN-ACK packets, malicious HTTPS requests require considerably more computing resources for the attacker to deliver and for the defender or victim to absorb.
[Cloudflare Product Manager Omer] Yoachimik wrote:
The 26M rps DDoS attack originated from a small but powerful botnet of 5,067 devices. On average, each node generated approximately 5,200 rps at peak. To contrast the size of this botnet, we've been tracking another much larger but less powerful botnet of over 730,000 devices. The latter, larger botnet wasn't able to generate more than one million requests per second, i.e. roughly 1.3 requests per second on average per device. Putting it plainly, this botnet was, on average, 4,000 times stronger due to its use of virtual machines and servers.
[...] The Cloudflare product manager said that his company automatically detected and mitigated the attack against the customer, which was using Cloudflare's free service.
Distributed Denial of Service (DDoS) attacks are happening ever more often and growing ever bigger. At 2.4 terabits per second (Tbps), the DDoS attack Microsoft just successfully defended European Azure cloud users against could be the biggest one to date.
What we know for certain is it's the biggest DDoS attack on an Azure cloud customer. It was bigger than the previous high, 2020's Azure 1 Tbps attack, and Microsoft reported it was "higher than any network volumetric event previously detected on Azure."
[...] Microsoft isn't saying which was used in this case but it did mention DNS. Attacks exploiting DNS can produce 28 to 54 times the original number of bytes. So, if an attacker sends a request payload of 64 bytes to a DNS server, they can generate over 3,400 bytes of unwanted traffic to an attack target.
While Microsoft also didn't go into detail about how it blocked the attack, the company said Azure's DDoS protection platform, built on distributed DDoS detection and mitigation pipelines, can absorb tens of terabits of DDoS attacks: "This aggregated, distributed mitigation capacity can massively scale to absorb the highest volume of DDoS threats, providing our customers the protection they need."
A Microsoft Azure cloud computing customer in Asia was a victim of a massive 3.47 Tbps DDoS attack (distributed denial of service attack) in November 2021, the software and technology giant Microsoft revealed on January 25, 2022.
The DDoS attack lasted approximately 15 minutes and included a botnet of more than 10,000 compromised IoT (Internet of Things) devices from countries across the globe. These included Iran, India, China, Russia, Taiwan, Vietnam, Thailand, Indonesia, South Korea, and the United States.
Attack vectors were UDP reflection on port 80 using Simple Service Discovery Protocol (SSDP), Connection-less Lightweight Directory Access Protocol (CLDAP), Domain Name System (DNS), and Network Time Protocol (NTP) comprising one single peak.
Alethea Toh, Product Manager, Azure Networking
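The four reflection vectors named above (SSDP, CLDAP, DNS, NTP) each answer from a well-known UDP port, which is what a defender's flow monitoring keys on. The following is an added example, not code from Microsoft or any of the quoted reports; the flow-record format, the sample lines and the thresholds are constructed for illustration, and the port-to-protocol mapping uses the standard service ports.

```python
"""Flag multi-vector UDP reflection traffic in constructed flow records."""
from collections import defaultdict

# Well-known UDP service ports of the reflection vectors named in the report.
REFLECTOR_PORTS = {1900: "SSDP", 389: "CLDAP", 53: "DNS", 123: "NTP"}

# Constructed flow lines: proto src_ip:src_port dst_ip:dst_port packets bytes
SAMPLE_FLOWS = """\
udp 198.51.100.10:53 203.0.113.5:80 40 120000
udp 198.51.100.11:123 203.0.113.5:80 50 24000
udp 198.51.100.12:1900 203.0.113.5:80 30 15000
udp 198.51.100.13:389 203.0.113.5:80 20 60000
udp 198.51.100.20:53 203.0.113.9:33434 2 130
tcp 198.51.100.30:443 203.0.113.5:51000 100 150000
"""


def parse_flow(line):
    proto, src, dst, pkts, byts = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"proto": proto, "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport),
            "packets": int(pkts), "bytes": int(byts)}


def load_flows(text=SAMPLE_FLOWS):
    return [parse_flow(l) for l in text.splitlines() if l.strip()]


def reflection_summary(flows, min_avg_packet=400):
    """Per destination, bytes received from each reflector protocol.

    Only UDP flows sourced from a known reflector service port count, and only
    when the average packet size looks like an amplified response rather than
    the small replies a legitimate DNS or NTP lookup produces."""
    summary = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue
        if f["bytes"] / f["packets"] < min_avg_packet:
            continue  # small replies: most likely ordinary service traffic
        summary[f["dst"]][REFLECTOR_PORTS[f["sport"]]] += f["bytes"]
    return summary


def flag_targets(summary, min_vectors=2, min_bytes=50000):
    """Destinations hit by several reflector protocols at once (a multi-vector
    attack, as in the report) above a byte threshold (constructed value)."""
    return sorted(dst for dst, per_proto in summary.items()
                  if len(per_proto) >= min_vectors
                  and sum(per_proto.values()) >= min_bytes)
```

Real deployments would feed this from NetFlow/IPFIX exports and tune the packet-size and byte thresholds to the link's normal baseline.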
Microsoft's report further disclosed that there has been a surge in DDoS attacks with the United States and India being prime targets. The company noted that Hong Kong has also become a popular hotspot for attackers however there has been a decrease in DDoS activity in Europe.
[...] A DDoS attack involves sending a huge amount of illegal traffic from compromised machines to the intended target and therefore disrupting it completely. The system can crash and lead to a massive loss of data, particularly in the case of companies that host a significant amount of information regarding their clients and customers.
Earlier this week, Cloudflare engineers identified one of the largest distributed denial-of-service (DDoS) attacks ever attempted. The attack, made against an unidentified cryptocurrency platform, was identified and mitigated in under 20 seconds. The individuals behind the act flooded the network with more than 15 million requests.
In addition to the attack's size, the use of HTTPS rather than typical HTTP requests further complicated the issue—the secure protocol results in more resource overhead due to the compute-intensive nature of the secure HTTPS request. According to Cloudflare, the botnet responsible for carrying out the attack represented 6,000 bots from 112 countries around the world.
The attack is believed to have leveraged servers from hosting providers running vulnerable Java-based applications. Those servers were likely unpatched or not updated and susceptible to CVE-2022-21449, Psychic Signatures in Java. The vulnerability allows attackers to use the elliptic curve digital signature algorithm (ECDSA) to forge SSL certificates and other authentication-based information in order to obtain unwanted access.
The sharp spike in Cloudflare's traffic analytics shows just how quickly the attack was able to ramp up. At 22:21:15 the platform recorded between 500,000 and 1 million requests. Within five seconds, that number grew to almost 3 million requests. At this point the attack's intensity escalated, generating approximately 15.3 million requests within the next five seconds. Several seconds later, Cloudflare was able to mitigate the attack, bringing traffic patterns back to expected levels.
I am no fan of Cloudflare, but they seem to have done what they said they could do in this particular case.