These are some of the most remarkable DDoS attacks that any IT organization should know about
1. The 71 Million Requests at Cloudflare’s NOC
Date: Weekend of February 11, 2023
Size: 71 million requests per second
Duration: Multiple attempts on the weekend of 11 to 12 February
Origin: Several unnamed cloud providers
Impact: During the weekend of February 11, Cloudflare detected and mitigated many hyper-volumetric DDoS attacks. Most of the attempts were measured between 50 and 70 million requests per second. At its height, a little over 71 million requests clocked in at Cloudflare’s Network Operation Center. Luckily, mitigation is part of Cloudflare’s main proposition because an attack of this size could very well cripple an organization.
Cloudflare is a content delivery network (CDN) that is widely used by organizations to ensure visitors have safe access to their websites. An estimated 80% of all websites use Cloudflare’s reverse proxy service. To date, this is the largest reported HTTP DDoS attack on record, more than 54% higher than the last record of 46 million requests to Google Cloud on June 1, 2022.
These hyper-volumetric attacks were HTTP/2-based and targeted websites protected by Cloudflare. Volumetric DDoS attacks are designed to send an overwhelming amount of malicious traffic in order to congest networks. Over 30,000 originating IP addresses were identified as sources. Affected companies included a popular gaming provider, multiple cryptocurrency companies, several hosting providers, and numerous cloud computing platforms. To crack down on the botnet, Cloudflare worked together with the cloud providers from which the attacks originated.
Some believed that this massive request flooding was related to the Killnet group, a pro-Russian hacktivist group that targeted healthcare organizations. Others found the timing of the US Super Bowl (Sunday, February 12) to be a little suspicious. However, in both cases, Cloudflare did not find any correlation between the events. Even though the requests came from multiple providers and occurred during a single weekend, no group has claimed responsibility.
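An HTTP flood spread across tens of thousands of source addresses, like the one above, rarely trips a per-client rate limit; it only becomes visible when the aggregate request rate per second is tracked as well. The following monitor is an added example written for this article, not Cloudflare's code: it parses constructed access-log lines in the common Apache/Nginx format, buckets requests by second and client, and reports seconds that exceed a site-wide limit (distributed flood) or contain a single client over a per-client limit (a noisy source). The addresses, timestamps and thresholds are all constructed.

```python
"""Per-second request-rate monitor over web server access log lines.

Added example for this article (not Cloudflare's code). Log lines, hosts and
thresholds are constructed; the log format is the common Apache/Nginx one.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common log format: client ident user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for a parseable log line, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "client": m.group("client"),
        "second": ts.replace(microsecond=0),
        "request": m.group("req"),
        "status": int(m.group("status")),
    }


def requests_per_second(lines):
    """Return {second: Counter(client -> request count)} for all parseable lines."""
    per_second = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_second[rec["second"]][rec["client"]] += 1
    return per_second


def flood_report(lines, total_rps_limit=1000, client_rps_limit=100):
    """Flag seconds whose total rate exceeds the site limit, or that contain a
    single client above the per-client limit.  A distributed flood shows up as
    a high total with no hot client; a single abusive source as the reverse."""
    findings = []
    for second, counts in sorted(requests_per_second(lines).items()):
        total = sum(counts.values())
        hot = sorted((c, n) for c, n in counts.items() if n >= client_rps_limit)
        if total < total_rps_limit and not hot:
            continue
        findings.append({
            "second": second.isoformat(),
            "total": total,
            "distinct_clients": len(counts),
            "hot_clients": hot,
        })
    return findings


def sample_log():
    """Constructed log: a distributed flood at 14:00:01, quiet traffic at 14:00:02,
    and one client hammering the site at 14:00:03."""
    lines = []
    # 400 distinct clients each sending 3 requests in the same second: 1200 rps,
    # but no single client is anywhere near a per-client limit.
    for i in range(400):
        for _ in range(3):
            lines.append(f'10.0.{i // 256}.{i % 256} - - [11/Feb/2023:14:00:01 +0000] '
                         f'"GET /api/status HTTP/2.0" 200 512')
    # Normal second: a handful of requests from a few clients.
    for i in range(10):
        lines.append(f'192.0.2.{i + 1} - - [11/Feb/2023:14:00:02 +0000] "GET / HTTP/2.0" 200 4096')
    # One client sending 150 requests in a second: low total, but one hot source.
    for _ in range(150):
        lines.append('192.0.2.9 - - [11/Feb/2023:14:00:03 +0000] "GET /login HTTP/1.1" 200 1024')
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for finding in flood_report(sample_log()):
        print(finding)
```

The two thresholds are deliberately independent: the per-client limit catches abusive single sources, while the aggregate limit is what reveals a flood spread thinly across a botnet, where every individual address looks harmless. In production the aggregate check would normally run on a sliding window and feed a mitigation layer rather than a report.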
2. DDoS Target: The Asian Client of Microsoft Azure
Date: November 2021
Size: 3.47 Tbit/s
Duration: 15 minutes
Origin: 10,000 compromised hosts from 10 countries
Impact: None, as Microsoft successfully mitigated the attack
In late August 2021, Microsoft withstood a 3.47 Tbit/s DDoS attack aimed at its cloud infrastructure, the most powerful DDoS attack against Microsoft infrastructure to date. At its peak throughput of 3.47 Tbit/s, this DDoS attack attained a packet rate of 340 million packets per second. An unidentified Azure cloud customer in Asia was the actual target of the attack. According to Microsoft, this DDoS attack was launched from 10,000 sites located in at least 10 different countries including China, South Korea, Russia, the U.S., India, Vietnam, Thailand, Iran, Taiwan, and Indonesia. The entire attack lasted roughly 15 minutes.
Azure fended off two more massive DDoS attacks the following month, both of which again targeted customers in Asia. Although not as big as the first one in November 2021, the size of these successive attacks was still rather impressive. The first one, which weighed in at 3.25 Tbit/s, was a UDP attack that lasted more than 15 minutes and included four primary peaks: 3.25 Tbit/s, 2.54 Tbit/s, 0.59 Tbit/s, and 1.25 Tbit/s. The other DDoS attack was a 2.55 Tbit/s UDP attack that lasted a little over five minutes and had a single peak.
The 15-minute attack in November 2021 utilized multiple attack vectors for UDP (User Datagram Protocol) reflection on port 80. In a UDP reflection attack, the attacker sends requests with a forged (spoofed) source Internet Protocol (IP) address, that of the victim, to servers that answer over UDP, so the replies are delivered to the victim instead of the attacker. This UDP reflection attack included: Simple Service Discovery Protocol (SSDP); Network Time Protocol (NTP); Domain Name System (DNS); as well as Connection-less Lightweight Directory Access Protocol (CLDAP). With the successive attacks in December 2021, port 443 was also used.
3. State-Sponsored Attack on Google Cloud
Date: September 2017
Size: 2.54 Tbit/s
Duration: Over 6 months
Origin: According to Google’s Threat Analysis Group, this DDoS attack was backed by a government entity and originated from China.
Impact: The attack was mitigated by Google.
The 2.54 Tbit/s peak was the climax of a 6-month DDoS attack that hammered Google Cloud’s server infrastructure with various DDoS attack techniques. Back then, this DDoS attack was four times larger than the record-breaking, Mirai-botnet-based 623 Gbit/s DDoS attack one year earlier. During the attack on Google Cloud, 167 million packets per second (Mpps) were sent through multiple networks to 180,000 compromised CLDAP, DNS, and SMTP servers, which subsequently sent massive replies to the Google Cloud server infrastructure.
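Both the Azure attack (SSDP, NTP, DNS and CLDAP reflection onto ports 80 and 443) and the Google Cloud attack (replies from CLDAP, DNS and SMTP servers) share one signature from the victim's side: a single destination receiving large responses from many distinct servers, all answering from the same well-known service port. The detector below is an added example written for this article, not code from Microsoft, Google or any vendor; it runs over constructed NetFlow-style records and flags (victim, service) pairs fed by an unusually large number of reflectors. The flow records, addresses and thresholds are constructed, and the port-to-service table is a hypothetical minimal list rather than a complete catalogue of reflectable services.

```python
"""Detect reflection/amplification floods in NetFlow-style flow records.

Added example for this article (not Cloudflare, Microsoft or Google code).
Flow records, addresses and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Services commonly abused as reflectors, keyed by (protocol, reflector source port).
# CLDAP, DNS, NTP and SSDP answer over UDP; SMTP reflection abuses the TCP handshake,
# so its "replies" arrive from TCP port 25.  Hypothetical minimal table.
REFLECTOR_SERVICES = {
    ("udp", 389): "CLDAP",
    ("udp", 53): "DNS",
    ("udp", 123): "NTP",
    ("udp", 1900): "SSDP",
    ("tcp", 25): "SMTP",
}


@dataclass(frozen=True)
class Flow:
    proto: str      # "udp" or "tcp"
    src: str        # sender address (the reflector during an attack)
    sport: int      # sender port (the reflector's service port)
    dst: str        # receiver address (the spoofed victim during an attack)
    dport: int      # receiver port (80 or 443 in the Azure attacks above)
    packets: int
    octets: int     # bytes carried by the flow


@dataclass
class Alert:
    victim: str
    service: str
    reflectors: int         # distinct servers answering towards the victim
    packets: int
    octets: int
    avg_packet_size: float  # large averages point at amplified responses


def detect_reflection(flows, min_reflectors=20, min_octets=1_000_000):
    """Group inbound flows by (victim, service) and flag groups fed by many reflectors.

    Genuine replies reach a host from the handful of servers it actually queried;
    a reflection flood shows one victim receiving answers from many distinct
    servers, all from the same well-known source port, in large volume.
    """
    reflectors = defaultdict(set)
    packets = defaultdict(int)
    octets = defaultdict(int)
    for f in flows:
        service = REFLECTOR_SERVICES.get((f.proto, f.sport))
        if service is None:
            continue
        key = (f.dst, service)
        reflectors[key].add(f.src)
        packets[key] += f.packets
        octets[key] += f.octets

    alerts = []
    for key, sources in reflectors.items():
        if len(sources) >= min_reflectors and octets[key] >= min_octets:
            alerts.append(Alert(
                victim=key[0], service=key[1], reflectors=len(sources),
                packets=packets[key], octets=octets[key],
                avg_packet_size=octets[key] / packets[key],
            ))
    alerts.sort(key=lambda a: a.octets, reverse=True)
    return alerts


def sample_flows():
    """Constructed flows: CLDAP and SSDP reflection onto 203.0.113.10 port 80,
    plus ordinary DNS answers from one resolver to a normal client."""
    flows = []
    # 60 distinct CLDAP reflectors, each returning 50 large (4000-byte) responses.
    for i in range(60):
        flows.append(Flow("udp", f"198.51.100.{i + 1}", 389, "203.0.113.10", 80, 50, 50 * 4000))
    # 30 SSDP reflectors, 100 smaller responses each.
    for i in range(30):
        flows.append(Flow("udp", f"192.0.2.{i + 1}", 1900, "203.0.113.10", 80, 100, 100 * 1200))
    # Legitimate DNS: a single resolver answering a client's own queries.
    for i in range(5):
        flows.append(Flow("udp", "203.0.113.53", 53, "203.0.113.77", 52000 + i, 1, 120))
    return flows


if __name__ == "__main__":
    for alert in detect_reflection(sample_flows()):
        print(alert)
```

The reflector count is the discriminating feature: a legitimate client rarely talks to dozens of CLDAP or NTP servers in one window, whereas a spoofed-source flood necessarily involves many. On real flow exports the organization's own resolvers and time servers should be excluded from the count, and sampled flow data means the byte threshold has to be scaled by the sampling rate.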
The DDoS attack began within the networks of four Chinese Internet Service Providers (ISPs), according to Google Threat Analysis Group (TAG) experts. Despite targeting thousands of Google’s IP addresses at the same time, probably in the hope of getting past automated protections, the attack had no effect. Google Cloud did not disclose the 2017 DDoS attack until 2020. By disclosing it three years later, the hyperscaler aimed to call attention to the rising number and scope of state-sponsored DDoS attacks. Google also aimed to draw attention to the growth of internet bandwidth capacity and the corresponding strengthening of DDoS attacks in the years ahead.
Although the DDoS attack on Google Cloud was unsuccessful, the tech giant discovered multiple vulnerabilities in servers, which it reported to the appropriate network providers. Google also worked with these network providers to track the attacks and learn from them.