Cloudflare blocks 15M rps HTTPS DDoS attack

HTTPS DDoS Attack

Earlier this month, Cloudflare’s systems automatically detected and mitigated one of the largest HTTPS DDoS attacks on record, a 15.3 million request-per-second DDoS attack. HTTPS attacks are more expensive in terms of required computational resources due to the higher cost of establishing a secure TLS encrypted connection. Translation, it costs the attacker more to launch the attack and the victim more to mitigate the attack. While large attacks have been seen in the past, this attack stands out because of the resources required at its scale. The attack was launched by a botnet and lasted less than 15 seconds. It targeted a Cloudflare customer on a Professional Plan operating a crypto launchpad used to surface Decentralized Finance projects to potential investors. Cloudflare customers are protected against this botnet and do not need to take any action.

The Attack:

The attack mostly came from data centers during a change from residential network Internet Service Providers (ISPs) to cloud compute ISPs. It was launched from a botnet with approximately 6,00 unique bots. It originated from 112 countries with almost 15% of the attack traffic originated from Indonesia, followed by Russia, Brazil, India, Colombia, and the United States. Within these countries, over 1,300 different networks including the German provider Hetzner Online GmbH (Autonomous System Number 24940), Azteca Comunicaciones Colombia (ASN 262186), OVH in France (ASN 16276), and more were used. 

 How this attack was automatically detected and mitigated: 

Cloudflare built and operates software-defined systems that run autonomously to detect and mitigate DDoS attacks across your entire network without human intervention. The system starts off by sampling traffic, analyzes the samples, and applies mitigations when needed. During sampling, traffic is routed through the Internet via BGP Anycast to the nearest Cloudflare data centers located in over 270 cities around the world. Once the traffic reaches the data center, the DDoS systems sample it asynchronously allowing for out-of-path analysis of traffic without introducing latency penalties. Then, once analysis is done using data streaming algorithms, HTTP request samples are compared to conditional fingerprints. Multiple real-time signatures are created based on dynamic masking of various request fields and metadata. Each time another request matches one of the signatures, a counter is increased. When the activation threshold is reached for a given signature, a mitigation rule is compiled and pushed inline. The mitigation rule includes the real-time signature and the mitigation action, e.g. block.

Protect your HTTPS today. Call 248.528.3600

Leave a Reply