URL: https://blog.cloudflare.com/cloudflare-thwarts-17-2m-rps-ddos-attack-the-largest-ever-reported/
Submission: On March 29 via api from US — Scanned from DE

THE CLOUDFLARE BLOG

CLOUDFLARE THWARTS 17.2M RPS DDOS ATTACK — THE LARGEST EVER REPORTED

August 19, 2021 1:58PM

 * Omer Yoachimik

Earlier this summer, Cloudflare’s autonomous edge DDoS protection systems
automatically detected and mitigated a 17.2 million request-per-second (rps)
DDoS attack, an attack almost three times larger than any previous one that
we're aware of. For perspective on how large this attack was: Cloudflare serves
over 25 million HTTP requests per second on average. This refers to the average
rate of legitimate traffic in 2021 Q2. So peaking at 17.2 million rps, this
attack reached 68% of our Q2 average rps rate of legitimate HTTP traffic.

Comparison graph of Cloudflare’s average request per second rate versus the DDoS
attack


AUTOMATED DDOS MITIGATION WITH CLOUDFLARE’S AUTONOMOUS EDGE

This attack, along with the additional attacks described in the next sections,
was automatically detected and mitigated by our autonomous edge DDoS protection
systems. The system is powered by our very own denial of service daemon (dosd).
Dosd is a home-grown software-defined daemon. A unique dosd instance runs in
every server in each one of our data centers around the world. Each dosd
instance independently analyzes traffic samples out-of-path. Analyzing traffic
out-of-path allows us to scan asynchronously for DDoS attacks without causing
latency and impacting performance. DDoS findings are also shared between the
various dosd instances within a data center, as a form of proactive threat
intelligence sharing.

Once an attack is detected, our systems generate a mitigation rule with a
real-time signature that matches the attack patterns. The rule is propagated to
the optimal location in the tech stack. As an example, a volumetric HTTP
DDoS attack may be blocked at L4 inside the Linux iptables firewall instead of
at L7 inside the reverse proxy, which runs in user space. Mitigating lower
in the stack, e.g. dropping the packets at L4 instead of responding with a 403
error page in L7, is more cost-efficient. It reduces our edge CPU consumption
and intra-data center bandwidth utilization, which helps us mitigate large
attacks at scale without impacting performance.

This autonomous approach, along with our network’s global scale and reliability,
allows us to mitigate attacks that reach 68% of our average per-second rate, and
higher, without requiring any manual mitigation by Cloudflare personnel and
without causing any performance degradation.


THE RESURGENCE OF MIRAI AND NEW POWERFUL BOTNETS

This attack was launched by a powerful botnet, targeting a Cloudflare customer
in the financial industry. Within seconds, the botnet bombarded the Cloudflare
edge with over 330 million attack requests.

Graph of 17.2M rps attack

The attack traffic originated from more than 20,000 bots in 125 countries around
the world. Based on the bots’ source IP addresses, almost 15% of the attack
originated from Indonesia and another 17% from India and Brazil combined,
indicating that there may be many malware-infected devices in those countries.

Distribution of the attack sources by top countries


VOLUMETRIC ATTACKS INCREASE

This 17.2 million rps attack is the largest HTTP DDoS attack that Cloudflare has
ever seen to date and almost three times the size of any other reported HTTP
DDoS attack. This specific botnet, however, has been seen at least twice over
the past few weeks. Just last week it also targeted a different Cloudflare
customer, a hosting provider, with an HTTP DDoS attack that peaked just below 8
million rps.

Graph of 8M rps attack

Two weeks before, a Mirai-variant botnet launched over a dozen UDP and TCP based
DDoS attacks that peaked multiple times above 1 Tbps, with a max peak of
approximately 1.2 Tbps. And while the first HTTP attacks targeted Cloudflare
customers on the WAF/CDN service, the 1+ Tbps network-layer attacks targeted
Cloudflare customers on the Magic Transit and Spectrum services. One of these
targets was a major APAC-based Internet services, telecommunications and hosting
provider. The other was a gaming company. In all cases, the attacks were
automatically detected and mitigated without human intervention.

Graph of Mirai botnet attack peaking at 1.2 Tbps

The Mirai botnet started with roughly 30K bots and slowly shrank to
approximately 28K. However, despite losing bots from its fleet, the botnet was
still able to generate impressive volumes of attack traffic for short periods.
In some cases, each burst lasted only a few seconds.

These attacks join the increase in Mirai-based DDoS attacks that we’ve observed
on our network over the past weeks. In July alone, L3/4 Mirai attacks increased
by 88% and L7 attacks by 9%. Additionally, based on the current August per-day
average of the Mirai attacks, we can expect L7 Mirai DDoS attacks and other
similar botnet attacks to increase by 185% and L3/4 attacks by 71% by the end of
the month.

Graph of change in Mirai based DDoS attacks by month


BACK TO THE MIRAI

Mirai, which means ‘future’ in Japanese, is a codename for malware that was
first discovered in 2016 by MalwareMustDie, a non-profit security research
workgroup. The malware spreads by infecting Linux-operated devices such as
security cameras and routers. It then self-propagates by searching for open
Telnet ports 23 and 2323. Once found, it then attempts to gain access to
vulnerable devices by brute forcing known credentials such as factory default
usernames and passwords. Later variants of Mirai also took advantage of zero-day
exploits in routers and other devices. Once infected, the devices will monitor a
Command & Control (C2) server for instructions on which target to attack.
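The propagation behaviour described above (one device probing many hosts on Telnet ports 23 and 2323) leaves a recognisable trace in outbound flow logs. The following is an added example, not code from Cloudflare or from the original post: it flags internal sources that contact many distinct destinations on those ports within a short window. The log format, the sample records and the thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}  # the ports the post says Mirai searches for
# Hypothetical flow-log format: "<epoch> src=<ip> dst=<ip> dport=<port>"
LINE = re.compile(r"^(?P<ts>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

# Constructed sample records (documentation address space for external hosts).
SAMPLE_FLOWS = """\
1000 src=192.168.1.50 dst=203.0.113.1 dport=23
1001 src=192.168.1.50 dst=203.0.113.2 dport=2323
1002 src=192.168.1.50 dst=203.0.113.3 dport=23
1003 src=192.168.1.50 dst=203.0.113.4 dport=23
1004 src=192.168.1.50 dst=203.0.113.5 dport=2323
1005 src=192.168.1.50 dst=203.0.113.6 dport=23
1000 src=192.168.1.10 dst=192.168.1.2 dport=23
1030 src=192.168.1.10 dst=192.168.1.2 dport=23
1002 src=192.168.1.20 dst=198.51.100.7 dport=443
1003 src=192.168.1.20 dst=198.51.100.8 dport=443
"""


def find_telnet_scanners(lines, window=60, min_targets=5):
    """Map each flagged source to the most distinct Telnet destinations
    it contacted inside any `window`-second span."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m or int(m["dport"]) not in TELNET_PORTS:
            continue  # unparsable line or not a Telnet port
        events[m["src"]].append((int(m["ts"]), m["dst"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = best = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans <= window seconds
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in evs[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print(find_telnet_scanners(SAMPLE_FLOWS.splitlines()))
```

In the sample, the administrator workstation that repeatedly opens Telnet to a single switch and the host making HTTPS connections are not flagged; only the device fanning out across many Telnet targets is.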

Diagram of Botnet operator controlling the botnet to attack websites


HOW TO PROTECT YOUR HOME AND BUSINESS

While the majority of attacks are small and short, we continue to see these
types of volumetric attacks emerging more often. It’s important to note that
these volumetric short burst attacks can be especially dangerous for legacy DDoS
protection systems or organizations without active, always-on cloud-based
protection.

Furthermore, while the short duration may say something about the botnet’s
capability to deliver sustained levels of traffic over time, it can be
challenging or impossible for humans to react to it in time. In such cases, the
attack is over before a security engineer even has time to analyze the traffic
or activate their stand-by DDoS protection system. These types of attacks
highlight the need for automated, always-on protection.


HOW TO PROTECT YOUR BUSINESS AND INTERNET PROPERTIES

 1. Onboard to Cloudflare to protect your Internet properties.
 2. DDoS protection is enabled out of the box, and you can also customize the
    protection settings.
 3. Follow our preventive best practices to ensure that both your Cloudflare
    settings and your origin server settings are optimized. As an example, make
    sure that you allow only traffic from Cloudflare’s IP range. Ideally, ask
    your upstream Internet Service Provider (ISP) to apply an access control
    list (ACL); otherwise, attackers may target your servers’ IP addresses
    directly and bypass your protection.
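Where an upstream ACL is not available, the same allow-only-the-proxy policy from step 3 can be enforced on the origin host itself. The following is an added example, not Cloudflare's code: it validates a list of edge ranges, merges adjacent ones, and renders iptables/ip6tables rules that accept web traffic only from those ranges and drop the rest. The ranges shown are constructed placeholders from documentation address space and must be replaced with the ranges Cloudflare publishes; the function names are hypothetical.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space), NOT real
# Cloudflare ranges. Substitute the published list before using the output.
SAMPLE_EDGE_RANGES = [
    "198.51.100.0/25", "198.51.100.128/25", "203.0.113.0/24",
    "2001:db8:1000::/36",
]
WEB_PORTS = (80, 443)


def parse_ranges(cidrs):
    """Validate CIDRs (strict: host bits must be zero) and merge neighbours."""
    nets = [ipaddress.ip_network(c.strip(), strict=True) for c in cidrs if c.strip()]
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4, v6


def render_rules(cidrs, ports=WEB_PORTS):
    """Return {'iptables': [...], 'ip6tables': [...]} INPUT-chain commands."""
    v4, v6 = parse_ranges(cidrs)
    dports = ",".join(str(p) for p in ports)
    out = {}
    for tool, nets in (("iptables", v4), ("ip6tables", v6)):
        rules = [
            f"{tool} -A INPUT -p tcp -s {n} -m multiport --dports {dports} -j ACCEPT"
            for n in nets
        ]
        # The catch-all DROP for the web ports must follow every ACCEPT.
        rules.append(f"{tool} -A INPUT -p tcp -m multiport --dports {dports} -j DROP")
        out[tool] = rules
    return out


def would_accept(src_ip, cidrs):
    """Dry-run check: would a connection from src_ip match an ACCEPT rule?"""
    addr = ipaddress.ip_address(src_ip)
    v4, v6 = parse_ranges(cidrs)
    return any(addr in n for n in (v4 if addr.version == 4 else v6))


if __name__ == "__main__":
    for tool_rules in render_rules(SAMPLE_EDGE_RANGES).values():
        print("\n".join(tool_rules))
```

An address family with no listed ranges still receives the final DROP rule, so the rendered policy fails closed.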


RECOMMENDATIONS ON HOW TO PROTECT YOUR HOME AND IOT APPLIANCES

 1. Change the default username and password of any device that is connected to
    the Internet such as smart cameras and routers. This will reduce the risk
    that malware such as Mirai can gain access to your router and IoT devices.
 2. Protect your home against malware with Cloudflare for Families. Cloudflare
    for Families is a free service that automatically blocks traffic from your
    home to malicious websites and malware communication.
