Cloudflare mitigates biggest ever HTTPS DDoS attack


Cloudflare automatically detected and mitigated a 26 million request per second (rps) DDoS attack, which it claims is the largest HTTPS DDoS attack on record.

The attack targeted a customer website using Cloudflare’s Free plan last week, the company revealed. The attack originated mostly from Cloud Service Providers instead of Residential Internet Service Providers, which the company said indicates the use of hijacked virtual machines and powerful servers to generate the attack, instead of much weaker Internet of Things (IoT) devices.

The 26M rps DDoS attack originated from a small but powerful botnet of 5,067 devices. Each node generated around 5,200 rps at peak. Cloudflare compared this to a larger botnet of 730,000 devices it has been tracking. The larger botnet wasn’t able to generate more than one million requests per second, which works out to around 1.3 requests per second per device on average. Per device, the 26M rps botnet was on average 4,000 times stronger due to its use of virtual machines and servers.

The company added that it’s worth noting the attack was over HTTPS. “HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection,” said Cloudflare. “Therefore, it costs the attacker more to launch the attack, and for the victim to mitigate it. We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale.”

In less than 30 seconds, the botnet generated over 212 million HTTPS requests from over 1,500 networks in 121 countries. The top countries were Indonesia, the United States, Brazil and Russia, with about 3% of the attacks coming through Tor nodes. The top source networks were the French-based OVH, the Indonesian Telkomnet, the US-based iboss, and the Libyan Ajeel.

Cloudflare pointed out that its recent DDoS Trends report shows that most of the attacks are small, like cyber vandalism. However, even small attacks can severely impact unprotected Internet properties. It added that large attacks are growing in size and frequency, but remain short and rapid. Attackers concentrate their botnet’s power to try to wreak havoc with a single quick knockout blow, trying to avoid detection.

The company highlighted some of the record-breaking attacks it witnessed over the past year. In August 2021, it disclosed a 17.2M rps HTTP DDoS attack, and more recently in April 2022, a 15M rps HTTPS DDoS attack.

Zach Marzouk
