Cloudflare Just Mitigated One of the Most Powerful DDoS Attacks Ever

What just happened? Earlier this week, Cloudflare engineers identified one of the largest Distributed Denial of Service (DDoS) attacks ever attempted. The attack, launched against an unidentified cryptocurrency platform, was detected and mitigated in less than 20 seconds. The attackers flooded the target's network with more than 15 million requests.

In addition to the sheer size of the attack, the use of HTTPS rather than plain HTTP requests made it costlier to handle: each HTTPS request carries extra resource overhead because establishing the encrypted TLS connection is computationally intensive. According to Cloudflare, the botnet behind the attack comprised 6,000 bots spread across 112 countries.

The attack is believed to have exploited the servers of hosting providers running vulnerable Java applications. These servers were probably unpatched or out of date and therefore susceptible to CVE-2022-21449, the "Psychic Signatures" flaw in Java. The vulnerability lets attackers forge Elliptic Curve Digital Signature Algorithm (ECDSA) signatures, and with them SSL certificates and other signature-based authentication data, to gain unauthorized access.
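As an added illustration that is not part of the article and not Cloudflare's or Oracle's code, the following minimal pure-Python P-256 ECDSA verifier performs the range check on r and s that the Psychic Signatures bug skipped, so an all-zero signature is rejected before any curve arithmetic runs. The private key, nonce and message used to exercise it are constructed values (Python 3.8+ for pow(x, -1, m)).

```python
import hashlib

# NIST P-256: y^2 = x^3 - 3x + B over GF(P); base point G has prime order N.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def on_curve(pt):  # finite point with valid coordinates satisfying the curve equation
    return pt is not None and all(0 <= c < P for c in pt) and \
        (pt[1] ** 2 - pt[0] ** 3 + 3 * pt[0] - B) % P == 0

def _add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):  # double-and-add; not constant-time, illustration only
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def hash_msg(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, msg, k):  # textbook ECDSA; k must be a fresh secret nonce in real use
    r = _mul(k, G)[0] % N
    return r, pow(k, -1, N) * (hash_msg(msg) + r * d) % N

def verify(pub, msg, r, s):
    # The range check below is the one CVE-2022-21449 omitted: without it a
    # verifier compares an all-zero (r, s) against a degenerate result and passes.
    if not (1 <= r < N and 1 <= s < N and on_curve(pub)):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(hash_msg(msg) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r
```

A signature produced by `sign` round-trips through `verify`, while `verify(pub, msg, 0, 0)` and any r or s equal to N are rejected by the range check alone.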

The sharp spike in Cloudflare’s traffic analytics shows how quickly the attack escalated. At 10:21:15 p.m. the platform was registering between 500,000 and 1 million requests. Within five seconds that figure grew to almost 3 million. At that point the attack intensified, generating approximately 15.3 million requests within the next five seconds. Seconds later, Cloudflare mitigated the attack and traffic returned to expected levels.

According to Cloudflare’s data, almost 15% of the attack traffic originated from Indonesia. The Russian Federation, Brazil, India, Colombia and the United States each accounted for around 5% of the points of origin. Cloudflare engineers and security experts concluded that the traffic came from more than 1,300 different networks across the 112 identified countries. They were also surprised to find that, unlike in other attacks, much of it came from data centers rather than the residential ISP networks typically involved.

Oracle has since released a critical patch update advisory covering the flaw. Administrators of potentially vulnerable systems should review it to ensure that all Java-related risks are minimized.

The size of the attack, along with the resources and computing power required to execute an HTTPS-based attack at this scale, is a clear sign that the hackers are continuing to beef up their weapons in what appears to be an endless arms race. Staying up to date on the latest security patches and recommendations can help minimize the possibility of falling victim to these and similar attacks in the future.

Image Credit: Cloudflare traffic pattern and location breakdown
