Massive DDoS attack mitigated

Internet infrastructure organization Cloudflare stated yesterday that it mitigated a record-breaking 26 million requests per second (rps) distributed denial-of-service (DDoS) attack. This is the biggest HTTPS DDoS attack detected to date. The attack took place last week and targeted one of Cloudflare’s clients using the Free plan. The culprit behind it likely used hijacked servers and virtual machines, given that the attack originated from Cloud Service Providers instead of weaker Internet of Things (IoT) devices from compromised Residential Internet Service Providers. Cloudflare stated that the attacker used a rather small yet very powerful botnet of 5,067 devices, each capable of generating roughly 5,200 rps when peaking. “To contrast the size of this botnet, we’ve been tracking another much larger but less powerful botnet of over 730,000 devices,” revealed Cloudflare Product Manager Omer Yoachimik. “The latter, larger botnet wasn’t able to generate more than one million requests per second, i.e., roughly 1.3 requests per second on average per device. Putting it plainly, this botnet was, on average, 4,000 times stronger due to its use of virtual machines and servers.”

This attack is one of many volumetric attacks detected by Cloudflare over the last few years, with the organization recording a short-lived HTTP DDoS attack that peaked at 17.2 million requests per second (rps) in August 2021. Cloudflare also mitigated a 15.3 million rps attack in April 2022 that used approximately 6,000 bots to target a Cloudflare customer operating a crypto launchpad. It is noteworthy that the June and April attacks were volumetric attacks that used gigantic junk requests to exhaust the targeted server’s resources (CPU and RAM) and were both carried out over HTTPS. “HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection,” Yoachimik explained. “Therefore, it costs the attacker more to launch the attack, and for the victim to mitigate it. We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale.”

 

Source: https://www.bleepingcomputer.com/news/security/cloudflare-mitigates-record-breaking-https-ddos-attack/