Cloudflare says it thwarted record-breaking HTTPS DDoS flood

The DDoS attack resulted in 26 million request per second
Cloudflare says it thwarted record-breaking HTTPS DDoS flood
Hands holding laptop

Last week, Cloudflare automatically detected and mitigated a 26 million request per second DDoS attack – the largest HTTPS DDoS attack on record.

DDoS attacks might be initiated by humans, but they are generated by machines. By the time humans can respond to the attack, it may be over.

The attack targeted a Cloudflare customer’s website that uses Cloudflare’s Free plan. Similar to the previous 15M rps attack, this attack also originated mostly from Cloud Service Providers as opposed to Residential Internet Service Providers, indicating the use of hijacked virtual machines and powerful servers to generate the attack — as opposed to much weaker Internet of Things (IoT) devices.

The 26M rps DDoS attack originated from a small but powerful botnet of 5,067 devices. On average, each node generated approximately 5,200 rps at peak. To contrast the size of this botnet, Cloudflare has been tracking another much larger but less powerful botnet of over 730,000 devices. The latter, larger botnet wasn’t able to generate more than one million requests per second, i.e. roughly 1.3 requests per second on average per device. Putting it plainly, this botnet was, on average, 4,000 times stronger due to its use of virtual machines and servers.

Moreover, Cloudflare notes that the recent attack was over HTTPS.

HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure Transport Layer Security (TLS) encrypted connection. Therefore, it costs the attacker more to launch the attack, and for the victim to mitigate it.

Cloudflare said it has seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale.