One of the most powerful DDoS attacks ever to hit a crypto platform

A cryptocurrency platform was recently subject to one of the largest distributed denial-of-service attacks ever recorded after threat actors bombarded it with 15.3 million requests per second, content delivery network Cloudflare said.

DDoS attacks can be measured in several ways, including the volume of data, the number of packets, or the number of requests sent each second. The current records are 3.4 terabits per second for volumetric DDoSes that try to consume all the bandwidth available to the target, 809 million packets per second, and 17.2 million requests per second. The latter two measure the strength of application-layer attacks that attempt to exhaust the computing resources of the target’s infrastructure.

Cloudflare’s recent DDoS mitigation peaked at 15.3 million requests per second. Although it doesn’t match the record, the attack may have been more powerful because it was delivered via HTTPS requests rather than the HTTP requests used in the record. Since HTTPS requests require much more computation, this new attack had the potential to put much more strain on the target.

The resources required to deliver a stream of HTTPS requests were also greater, indicating that DDoSers are becoming more powerful. Cloudflare said the botnet responsible, comprising about 6,000 bots, delivered payloads of up to 10 million requests per second. The attack originated from 112 countries, with about 15 percent of the firepower coming from Indonesia, followed by Russia, Brazil, India, Colombia and the United States.

“Within these countries, the attack originated from over 1,300 different networks,” wrote Cloudflare researchers Omer Yoachimik and Julien Desgats. They said the flood of traffic came mainly from data centers as DDoSers moved away from residential ISPs to cloud computing ISPs. Top participating data center networks include German provider Hetzner Online (autonomous system number 24940), Azteca Comunicaciones Colombia (ASN 262186) and OVH in France (ASN 16276). Other sources include home and small office routers.

“In this case, the attacker used compromised servers of cloud hosting providers, some of which appear to be running Java-based applications. This is notable due to the recent discovery of a vulnerability (CVE-2022-21449) that can be used to bypass authentication in a wide range of Java-based applications,” Patrick Donahue, Cloudflare’s vice president of product, wrote in an email. “We also saw a significant number of MikroTik routers used in the attack, possibly exploiting the same vulnerability as the Meris botnet.”

The attack lasted about 15 seconds. Cloudflare mitigated it using systems in its network of data centers that automatically detect spikes in traffic and quickly filter the sources. Cloudflare did not identify the target, other than to say it runs a crypto launchpad, a platform used to help fund decentralized finance projects.
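The per-second accounting behind the measures quoted in this article (requests, bytes and contributing networks per second) and the spike-then-filter logic described above, as an added defender-side illustration that is not Cloudflare's code; the log format, IP addresses and ASNs are constructed for the example:

```python
from collections import Counter, defaultdict

# Constructed sample log, one request per line: "<epoch_second> <src_ip> <asn> <bytes>".
# IPs come from RFC 5737 documentation ranges, ASNs from the reserved documentation
# block (64496-64511); none of this is data from the article.
SAMPLE_LOG = """\
100 192.0.2.10 64496 420
100 198.51.100.7 64497 380
101 192.0.2.11 64496 410
101 203.0.113.5 64498 390
102 192.0.2.20 64496 512
102 192.0.2.21 64496 512
102 192.0.2.22 64496 512
102 192.0.2.23 64496 512
102 192.0.2.24 64496 512
102 192.0.2.25 64496 512
102 192.0.2.26 64496 512
102 198.51.100.8 64497 480
102 198.51.100.9 64497 480
102 203.0.113.6 64498 470
"""

def per_second_stats(log):
    """Bucket requests by second: request count, byte volume and per-ASN counts,
    the measures the article describes."""
    rps, bytes_per_sec = Counter(), Counter()
    asn_per_sec = defaultdict(Counter)
    for line in log.splitlines():
        ts, _ip, asn, nbytes = line.split()
        sec = int(ts)
        rps[sec] += 1
        bytes_per_sec[sec] += int(nbytes)
        asn_per_sec[sec][asn] += 1
    return rps, bytes_per_sec, asn_per_sec

def detect_spikes(log, baseline_rps, factor=3, top_n=2):
    """Flag seconds whose request rate exceeds factor * baseline and list the ASNs
    contributing most, i.e. the candidate sources to filter. baseline_rps would
    normally be learned from quiet traffic; here it is passed in."""
    rps, bytes_per_sec, asn_per_sec = per_second_stats(log)
    alerts = []
    for sec in sorted(rps):
        if rps[sec] > factor * baseline_rps:
            alerts.append({
                "second": sec,
                "rps": rps[sec],
                "bps": bytes_per_sec[sec] * 8,  # bits per second, the volumetric measure
                "top_asns": asn_per_sec[sec].most_common(top_n),
            })
    return alerts
```

With a baseline of 2 requests per second, only second 102 is flagged, and the report attributes most of it to one ASN, which is what a source-based filter would act on.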

The numbers highlight the arms race between attackers and defenders as each tries to outdo the other. It would not be surprising if a new record is set in the coming months.

This story originally appeared on Ars Technica.
