Cloudflare fended off a massive distributed denial-of-service (DDoS) attack last month in which a botnet bombarded one of the internet infrastructure company’s financial services customers with 17.2 million requests per second (rps).
The attack was almost three times the size of any previous attack known to Cloudflare, according to Omer Yoachimik, product manager for DDoS protection at Cloudflare. For comparison, Cloudflare serves an average of over 25 million HTTP rps, so at its peak this botnet-driven DDoS attack was sending the equivalent of 68% of Cloudflare’s average daily rps of legitimate traffic.
“In a few seconds [of the onset of the attack], the botnet bombarded the edge of Cloudflare with over 330 million attack requests,” Yoachimik wrote in a blog post this week.
He added that the botnet included more than 20,000 bots in 125 countries, with nearly 15% of the attack traffic coming from Indonesia and 17% from India and Brazil combined, indicating that there could be many malware-infected devices in these countries.
A major attack
The size of the botnet and the attack matters, according to Tyler Shields, marketing director for cyber asset management platform provider JupiterOne.
“The ability of a DDoS attack to achieve this level of bandwidth exhaustion means that there is a significant backend infrastructure of compromised hosts, or hosts that have been scaled for the sole purpose of sending malicious traffic,” Shields told eSecurity Planet. “The only other way to achieve these bandwidth levels is to couple a huge infrastructure with some kind of packet amplification technique. Either way, this is a significant attack that was not generated by a random attacker. This group is probably large, well funded and dedicated.”
Yoachimik wrote that Cloudflare mitigated the attack with its autonomous edge DDoS protection systems, which are driven by a denial-of-service daemon (dosd) developed by Cloudflare. A single dosd instance runs on each of Cloudflare’s servers in all of its data centers around the world; it analyzes traffic samples, detects DDoS attacks and applies mitigations.
DDoS attacks on the rise
According to a report from Netscout, a record number of DDoS attacks occurred in 2020 during the COVID-19 pandemic, and researchers expected the trend to continue in 2021. That prediction has proved correct: Netscout’s ATLAS Security Engineering and Response Team (ASERT) found that approximately 2.9 million DDoS attacks occurred in the first quarter, an increase of 31% year-on-year.
If the current pace continues through the end of 2021, it will surpass last year’s record of around 10 million attacks. The researchers also noted that January and February are generally the slowest months for DDoS attacks, and that while the size of attacks in the first quarter was relatively stable compared with last year, the peak throughput recorded for attacks during the quarter jumped 71%, an indication that “attackers continue to find interest in engaging in faster and harder to mitigate attacks.”
Netscout has also seen an increase in DDoS attacks on healthcare and education, both of which have drawn more attention from attackers because of their roles during the pandemic. Attacks on healthcare organizations rose 53% in the first quarter. Meanwhile, attacks on education services rose from 32,000 in the third quarter of 2020 to 45,000 in the first quarter of this year.
“As we know, adversaries thrive through constant innovation,” wrote the ASERT researchers. “Attacks will only become more complex and threat actors will continue to discover and arm new attack vectors designed to exploit the vulnerabilities exposed by this huge digital change.”
Mirai still at large
Cloudflare’s Yoachimik said the botnet used to attack the financial services client appears to have been a new variant of the long-lived Mirai malware, which tends to target Internet of Things (IoT) devices. The same botnet also apparently carried out two other large-scale DDoS attacks in the weeks leading up to the latest one, including one targeting a web hosting provider that peaked at 8 million rps. The other victim was a gaming company.
Yoachimik wrote that the Mirai botnet started out with around 30,000 bots, although it has since declined to around 28,000. Yet the attack traffic volumes over short periods, in some cases lasting as little as a few seconds, were impressive, he said.
Cloudflare researchers have seen a sharp increase in the number of Mirai-based DDoS attacks in recent weeks. In July, the number of L3/4 Mirai attacks jumped 88% and L7 attacks increased 9%. Also, based on average daily volumes observed in August, the number of L7 Mirai and similar botnet attacks is expected to increase by 185% and L3/4 attacks by 71% by the end of August.
The growth of IoT will fuel more attacks
Howard Ting, CEO of data detection and response specialist Cyberhaven, told eSecurity Planet that such DDoS attacks are “a growing problem and one that we should expect to see more of. Botnets, such as Mirai, which launched the attack, rely heavily on compromised IoT devices and other unmanaged devices. As the number of these devices increases, so does the potential army for DDoS attacks.”
Mirai was first discovered in 2016, and the malware spreads by infecting Linux-based devices such as security cameras and routers, according to Yoachimik. When a device is infected, the malware “automatically propagates by searching for open Telnet ports 23 and 2323. Once found, it then attempts to access vulnerable devices by brute-forcing known credentials such as default usernames and passwords,” he wrote.
Since then, some variants have taken advantage of zero-day exploits in devices such as routers; once infected, the devices poll a command-and-control (C2) server for instructions on which targets to attack.
The Mirai attack on the financial services company was a volumetric DDoS attack, designed to overwhelm the capacity of a network by sending it dramatically high volumes of malicious traffic and consuming huge amounts of bandwidth.
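The propagation behaviour described above, a single infected host reaching for Telnet on ports 23 and 2323 across many neighbours, leaves a recognizable footprint in flow or firewall logs. The following is an added example, not code from Cloudflare or from the article, that flags sources which contact many distinct hosts on those ports within a short window. The `ts src dst dport` record format, the host addresses, the window length and the 10-target threshold are all constructed assumptions for the demonstration.

```python
"""Flag hosts spraying Telnet (ports 23 and 2323) across many destinations.

Added example for detecting Mirai-style propagation; not Cloudflare or Mirai
code. It assumes flow records in a constructed 'ts src dst dport' text form
and applies a sliding window over each source's Telnet connections.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

TELNET_PORTS = {23, 2323}   # the ports the article says Mirai probes


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds
    src: str
    dst: str
    dport: int


def parse_flow(line):
    """Parse one constructed record: '<ts> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return Flow(int(ts), src, dst, int(dport))


def constructed_flow_log():
    """Constructed records: one fast sprayer, one slow one, an admin and web noise."""
    lines = []
    # 10.0.0.7: 20 distinct targets on 23/2323 within 20 seconds (Mirai-like spray)
    for i in range(1, 21):
        lines.append(f"{100 + i} 10.0.0.7 192.0.2.{i} {23 if i % 2 else 2323}")
    # 10.0.0.8: 12 targets, but only one every 30 seconds
    for i in range(12):
        lines.append(f"{200 + 30 * i} 10.0.0.8 198.51.100.{i + 1} 23")
    # 10.0.0.2: an administrator reaching two switches over Telnet
    lines += ["100 10.0.0.2 10.0.0.50 23", "130 10.0.0.2 10.0.0.51 23"]
    # 10.0.0.9: many destinations, but HTTPS, so not Telnet fan-out
    lines += [f"{300 + i} 10.0.0.9 203.0.113.{i + 1} 443" for i in range(30)]
    return lines


def find_telnet_sprayers(flows, min_targets=10, window_seconds=60):
    """Map src -> peak number of distinct Telnet destinations inside any window.

    Only sources whose peak reaches min_targets are returned.
    """
    per_src = defaultdict(list)
    for f in flows:
        if f.dport in TELNET_PORTS:
            per_src[f.src].append(f)
    sprayers = {}
    for src, fl in per_src.items():
        fl.sort(key=lambda x: x.ts)
        active = Counter()   # distinct destinations inside the current window
        left = 0
        peak = 0
        for f in fl:
            active[f.dst] += 1
            # slide the left edge forward until the window is at most window_seconds wide
            while f.ts - fl[left].ts > window_seconds:
                old = fl[left].dst
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                left += 1
            peak = max(peak, len(active))
        if peak >= min_targets:
            sprayers[src] = peak
    return sprayers


def scan_log(lines, **kwargs):
    """Parse constructed log lines and run the sprayer detection over them."""
    return find_telnet_sprayers([parse_flow(l) for l in lines], **kwargs)


if __name__ == "__main__":
    for src, n in scan_log(constructed_flow_log()).items():
        print(f"{src}: {n} distinct Telnet targets within the window")
```

The window matters: the slow host that touches one Telnet target every 30 seconds never has more than three distinct destinations inside a 60-second window and is not reported, while widening the window to ten minutes surfaces it. A real deployment would tune both parameters to the size of the network and pair the alert with the usual response, isolating the device and rotating its credentials.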
Yoachimik wrote that while most of the attacks Cloudflare sees are small and short, these types of volumetric attacks are becoming more and more common.
“It is important to note that these short burst volumetric attacks can be particularly dangerous for legacy DDoS protection systems or organizations without active and permanent cloud-based protection,” he wrote. “Additionally, while the short duration can say a lot about the botnet’s ability to deliver sustained levels of traffic over time, it can be difficult or impossible for humans to respond to them in time. In such cases, the attack is over before a security engineer even has time to analyze the traffic or activate their backup DDoS protection system. These types of attacks highlight the need for automated and always-on protection.”
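The two points above, that dosd works from traffic samples (analyze, detect, mitigate) and that bursts lasting seconds are over before a human can act, can be illustrated together with a small automated detector. The following is an added example, not Cloudflare's dosd or any code from the article: it estimates the full request rate from a 1-in-1,000 sample, flags every second whose estimated rate crosses a threshold, reports the country mix and top sources for that second, and derives a per-source rate-limit list from the flagged windows. The sample rate, thresholds, IP addresses and the shape of the traffic are all constructed assumptions.

```python
"""Sample-based DDoS burst detection and mitigation selection.

Added example; this is not Cloudflare's dosd code. It assumes requests are
sampled 1 in SAMPLE_RATE at the edge and that the full rate can be estimated
by scaling the sample count. All traffic below is constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

SAMPLE_RATE = 1000        # assumed: one of every 1,000 requests is sampled
ATTACK_RPS = 50_000       # assumed: estimated rps above this counts as an attack
PER_IP_RPS_LIMIT = 5_000  # assumed: per-source estimated rps that triggers a rate limit
TOP_N = 3


@dataclass(frozen=True)
class Sample:
    ts: float      # seconds since start of capture
    src_ip: str
    country: str   # ISO country code of the source


def constructed_traffic():
    """5 s of baseline, a 3 s burst from 15 'bots', then 2 s of baseline.

    Baseline: 5 sampled requests/s from 5 legitimate IPs (~5,000 rps estimated).
    Burst:    200 extra sampled requests/s spread over the bots (~200,000 rps).
    """
    legit = [(f"198.51.100.{i}", "US") for i in range(1, 6)]
    bot_countries = ["ID"] * 6 + ["IN"] * 4 + ["BR"] * 3 + ["DE"] * 2
    bots = [(f"203.0.113.{i}", cc) for i, cc in enumerate(bot_countries, start=1)]
    samples = []
    for sec in range(10):
        for i in range(5):
            ip, cc = legit[i % len(legit)]
            samples.append(Sample(sec + i / 5, ip, cc))
        if 5 <= sec < 8:
            for i in range(200):
                ip, cc = bots[i % len(bots)]
                samples.append(Sample(sec + i / 200, ip, cc))
    return samples


def bucket_by_second(samples):
    """Group samples into one-second windows keyed by the window's start second."""
    buckets = defaultdict(list)
    for s in samples:
        buckets[int(s.ts)].append(s)
    return buckets


def detect(samples, sample_rate=SAMPLE_RATE, threshold=ATTACK_RPS, top_n=TOP_N):
    """Return one finding per second whose estimated request rate exceeds threshold."""
    findings = []
    for sec, bucket in sorted(bucket_by_second(samples).items()):
        est_rps = len(bucket) * sample_rate   # scale the sample count back up
        if est_rps <= threshold:
            continue
        by_ip = Counter(s.src_ip for s in bucket)
        by_cc = Counter(s.country for s in bucket)
        findings.append({
            "second": sec,
            "estimated_rps": est_rps,
            "top_ips": [ip for ip, _ in by_ip.most_common(top_n)],
            "country_share": {cc: round(n / len(bucket), 2)
                              for cc, n in by_cc.most_common(top_n)},
            "per_ip_rps": {ip: n * sample_rate for ip, n in by_ip.items()},
        })
    return findings


def rate_limit_targets(findings, per_ip_limit=PER_IP_RPS_LIMIT):
    """Sources whose estimated rate exceeded the per-IP limit in any flagged second."""
    targets = set()
    for f in findings:
        targets.update(ip for ip, rps in f["per_ip_rps"].items() if rps > per_ip_limit)
    return sorted(targets)


if __name__ == "__main__":
    hits = detect(constructed_traffic())
    for h in hits:
        print(f"t={h['second']}s est={h['estimated_rps']:,} rps "
              f"top={h['top_ips']} share={h['country_share']}")
    print("rate-limit:", rate_limit_targets(hits))
```

Two caveats a practitioner would keep in mind: sampling makes the estimate noisy at low rates, so a per-second decision should be confirmed over a couple of consecutive windows before a long-lived rule is installed, and a per-IP limit only helps when the attack is spread thinly enough that legitimate clients stay under it. In the constructed run every bot exceeds the per-source limit and none of the five legitimate addresses does, which is the separation an automated mitigation depends on.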