Cloudflare blocked this month a distributed denial of service (DDoS) attack of enormous scope, aimed at a cryptocurrency platform, and it is unusual not only because of its size. It also matters because it was launched over HTTPS and originated in cloud data centers, rather than from residential Internet service providers, which are usually by far the more common source.
This attack, which lasted no more than fifteen seconds, reached no less than 15.3 million requests per second. It is one of the largest Cloudflare has recorded and, without a doubt, the biggest HTTPS attack on record. Its target was a cryptocurrency launchpad, which Cloudflare says is used “to present decentralized finance projects to potential investors”.
The botnet used to launch this attack had some 6,000 unique bots, spread across 1,300 different networks in 112 countries around the world. Among these countries, Indonesia stands out as the origin of 15% of the attack traffic. Other countries with a large number of bots participating in the attack were Brazil, Colombia, the United States, India and Russia.
Cloudflare has not publicly identified the botnet, but it has indicated that it is one it has been monitoring for a long time, and which it has seen launch attacks of up to 10 million requests per second using the same method.
In an attack over HTTPS, the botnet overwhelms the target’s server with a huge number of requests, consuming its computing resources and memory and preventing legitimate users from accessing the site. In a bandwidth DDoS attack, the most common kind, the objective is instead to saturate the target’s Internet connection with a flood of traffic, making it difficult for users to reach the attacked page or service normally. In both cases the attacker’s goal is usually extortion: demanding money in exchange for stopping the attack.
According to members of the team that stopped the attack, “HTTPS DDoS attacks are more expensive in terms of computing resources required, due to the higher cost of establishing an encrypted TLS connection. Therefore, it costs more for the attacker to launch the attack, and it also costs more for the victim to mitigate it. We have seen very large attacks in the past on unencrypted HTTP, but this attack stands out for the resources it took due to its scale”.
This attack also shows a characteristic Cloudflare has been observing for some time: the use of data centers as launch points, which suggests that attackers are leaving behind the days when they attacked from one or several ISPs.
To mitigate the attack, Cloudflare used a software-based system that automatically detects and mitigates attacks of this type, without the need for human intervention. The system makes copies of the traffic, analyzes those copies and applies a mitigation if necessary.
The analysis uses data streaming algorithms: copies of HTTP requests are compared against conditional fingerprints, and multiple signatures are created in real time based on dynamic masking of various request fields and metadata. According to Cloudflare, “each time another request matches one of the signatures, a count is increased. When the trigger limit for a signature is reached, a mitigation rule is compiled and comes online”.
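A simplified illustration of that signature-and-counter idea, added here as an example and not Cloudflare's own code: request fields are masked so that bots varying paths, query strings and version numbers still collapse onto one signature, a counter is kept per signature, and a rule is compiled when a signature reaches the trigger limit. The request records, field layout, masking rules and function names are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample request records (not real traffic), one per line:
# "src_ip method path user_agent". Numbers vary per request on purpose, so
# an exact-match counter would never reach the trigger limit.
SAMPLE_REQUESTS = [
    f"198.51.100.{i} GET /launchpad/project/{1000 + i}?x={i} python-requests/2.{i % 5}.0"
    for i in range(12)
] + [
    "203.0.113.7 GET /launchpad/about Mozilla/5.0 (Windows NT 10.0) Firefox/99.0",
    "203.0.113.9 GET /launchpad/project/42 Mozilla/5.0 (Macintosh) Safari/605.1",
    "203.0.113.9 POST /api/login Mozilla/5.0 (Macintosh) Safari/605.1",
]

# Dynamic masking: collapse the parts of a request that change from one bot
# request to the next (numbers, query strings, version suffixes).
def mask_path(path: str) -> str:
    path = path.split("?", 1)[0]           # drop the query string
    return re.sub(r"\d+", "N", path)       # /project/1234 -> /project/N

def mask_user_agent(ua: str) -> str:
    return re.sub(r"[\d.]+", "N", ua)      # python-requests/2.3.0 -> python-requests/N

def fingerprint(line: str) -> tuple:
    _src, method, path, ua = line.split(" ", 3)
    # The source address is left out of the signature on purpose: a botnet
    # spreads requests over thousands of addresses, so a per-IP counter would
    # stay low. The masked request shape is what gets counted.
    return (method, mask_path(path), mask_user_agent(ua))

def build_mitigation_rules(lines, trigger_limit: int):
    """Count requests per signature; compile a rule once a signature hits the limit."""
    counts = Counter()
    rules = []
    for line in lines:
        sig = fingerprint(line)
        counts[sig] += 1
        if counts[sig] == trigger_limit:   # compile each rule exactly once
            rules.append({"match": sig, "action": "challenge_or_drop"})
    return rules, counts

def should_mitigate(line: str, rules) -> bool:
    """True if a request matches a compiled rule's signature."""
    sig = fingerprint(line)
    return any(rule["match"] == sig for rule in rules)
```

Legitimate browser requests with distinct shapes never reach the limit, so only the bot signature produces a rule, and later requests matching it are caught by `should_mitigate`.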
Photo: Christiaan Colen