Cloudflare this month halted a massive distributed denial-of-service (DDoS) attack on a cryptocurrency platform that was unusual not only for its sheer size but also because it was launched over HTTPS and primarily originated from cloud datacenters rather than residential internet service providers (ISPs).
At 15.3 million requests-per-second (rps), the DDoS bombardment was one of the largest that the internet infrastructure company has seen, and the largest HTTPS attack on record.
It lasted less than 15 seconds and targeted a crypto launchpad, a type of platform that Cloudflare analysts said in a blog post is “used to surface Decentralized Finance projects to potential investors.”
The botnet used comprised about 6,000 unique bots and originated from more than 1,300 different networks in 112 countries around the world, with about 15 percent of the traffic coming from Indonesia. Other countries generating the most traffic included Russia, Brazil, India, Colombia and the US.
Cloudflare researchers didn’t name the botnet but said it was one they have been watching, and that they had seen attacks as large as 10 million rps matching the same fingerprint.
The use of a volumetric HTTPS DDoS attack rather than a more typical bandwidth strike was unusual. In a bandwidth DDoS attack, the goal is to jam a target’s internet connection with a flood of messages, making it difficult for legitimate customers to get into the site.
In an HTTPS attack, the botnet overwhelms the target’s server with massive numbers of HTTP requests, eating up compute power and memory with the same goal of making it near impossible for legitimate users to access the website.
The attacker’s goal at times is to extort money from the victim with the promise of ending the attack if payment is made.
“HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection,” the Cloudflare threat-hunters wrote. “Therefore it costs the attacker more to launch the attack, and for the victim to mitigate it. We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale.”
In addition, the botnet’s use of datacenters as launching pads is part of a shift that Cloudflare is seeing, in which bad actors are moving away from ISPs. Top networks included in the attack were Hetzner Online GmbH, Azteca Comunicaciones Colombia, and French cloud firm OVH, the company said.
Cloudflare beat back the DDoS attack through a software-based system that automatically detects and mitigates such attacks across the network without human intervention. The system samples traffic, analyzes the samples and then mitigates the situation if needed.
“The analysis is done using data streaming algorithms,” they wrote. “HTTP request samples are compared to conditional fingerprints, and multiple real-time signatures are created based on dynamic masking of various request fields and metadata.
“Each time another request matches one of the signatures, a counter is increased. When the activation threshold is reached for a given signature, a mitigation rule is compiled and pushed inline.”
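The counter-and-threshold logic described in the quote above, as an added Python example (not Cloudflare's code): the field names, masks, threshold value and sample traffic are assumptions made for illustration.

```python
from collections import Counter
from itertools import cycle

# Assumed field masks: each tuple names the request fields kept in a signature;
# every other field is masked out (treated as a wildcard).
MASKS = [("path", "user_agent"), ("path", "user_agent", "asn")]
ACTIVATION_THRESHOLD = 25  # assumed value: sampled requests per signature


class SignatureCounter:
    """Counts sampled requests per masked signature; emits a rule at threshold."""

    def __init__(self, masks=MASKS, threshold=ACTIVATION_THRESHOLD):
        self.masks = masks
        self.threshold = threshold
        self.counts = Counter()
        self.rules = []  # mitigation rules, in activation order

    def observe(self, request):
        """Feed one sampled request; return the rules it activated, if any."""
        activated = []
        for mask in self.masks:
            signature = tuple((field, request.get(field)) for field in mask)
            self.counts[signature] += 1
            # Fire exactly once, on the request that reaches the threshold.
            if self.counts[signature] == self.threshold:
                activated.append({"action": "block", "match": dict(signature)})
        self.rules.extend(activated)
        return activated


def constructed_samples():
    """Constructed traffic: 40 flood requests over 3 ASNs, then 10 varied ones."""
    asns = cycle([64500, 64501, 64502])  # documentation-range ASNs (RFC 5398)
    flood = [{"method": "GET", "path": "/", "user_agent": "flood-client/1.0",
              "asn": next(asns)} for _ in range(40)]
    normal = [{"method": "GET", "path": f"/project/{i}",
               "user_agent": f"browser-{i % 4}", "asn": 64510} for i in range(10)]
    return flood + normal


def run_demo():
    """Run the constructed samples through the counter and return the rules."""
    detector = SignatureCounter()
    for request in constructed_samples():
        detector.observe(request)
    return detector.rules


if __name__ == "__main__":
    for rule in run_demo():
        print(rule)
```

With the constructed traffic, only the signature that masks out the ASN reaches the threshold, because the flood is spread across three networks; the per-ASN signatures stay below it.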
DDoS attacks, which have been around for decades, are growing in scale and sophistication, driven in part by the rapid rise of botnets that leverage Internet of Things (IoT) devices, according to Nokia.
The company said in a report in February that between 2020 and 2021, its researchers analyzed more than 10,000 DDoS attacks from internet providers around the world.
They found “the explosive growth of IoT botnets and an increasingly lucrative extortion market that have fueled exponential growth in DDoS capacity.”
The report’s authors added: “We now measure IoT botnet and amplifier attack capacity exceeding 10 Tbps [terabytes per second] – a significant 3-4x increase from the size of any publicly reported DDoS attacks to date. We further observe aggregate daily DDoS attack volumes peaking over 3Tbps during the study period.”
In addition, Kaspersky analysts this week said that in the first quarter, the number of DDoS attacks hit an all-time high, jumping 4.5 times year-over-year, driven in large part by Russia’s invasion of Ukraine. The number of advanced and targeted attacks jumped 81 percent and the average DDoS session lasted 80 times longer.
Over the past several months, Microsoft reported twice that it had stopped the largest recorded DDoS attacks in history, with the most recent one, in November, hitting 3.47Tbps. ®