Cloudflare Stops Huge DDoS Attack That Made 17mn Requests per Second

The risk of distributed denial of service (DDoS) attacks should never be disregarded, as illustrated by news that Cloudflare, the US content distribution and security business, recently stopped an internet attack with the highest number of requests per second (RPS) ever recorded. A mind-boggling 17.2mn RPS were generated by a Mirai-powered botnet targeting an unnamed business in the financial services sector. To give a sense of scale, this is more than two-thirds of the average level of traffic that Cloudflare normally has to deal with in order to support 25 million websites worldwide. The attack lasted several minutes and generated 330mn requests in total using 20,000 bots across 125 countries. Cloudflare described the attack as “almost three times the size of any other reported HTTP DDoS attack”.

Volumetric DDoS attacks are designed to overwhelm the bandwidth of a specific network. They tend to rely on botnets assembled by infiltrating malware into computers, servers and IoT devices. The botnet in this particular attack has also been used to launch two other recent DDoS attacks, one against a telco and another against a gaming business. Analysis of the IP addresses shows that nearly 15 percent of the bots are located in Indonesia, and almost 10 percent are in India, indicating high levels of malware penetration in those countries.

The scale of this attack highlights why IoT manufacturers need to do a better job of securing their products. The Mirai malware often infects devices like security cameras by repeatedly attempting to use well-known default usernames and passwords created by manufacturers. New legislation proposed in the UK seeks to ban the use of default credentials by IoT manufacturers and other countries are likely to adopt similar rules.

You can read Cloudflare’s blog about this DDoS attack here.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.