On October 29, 2024, Cloudflare recorded the largest DDoS attack reported to date. As a reminder, a distributed denial-of-service (DDoS) attack makes a website or online service unavailable by overwhelming it with traffic sent from many sources at once.
In concrete terms, the attackers flood the target with more traffic than it can absorb, either application-level requests or raw network packets. The overload paralyzes the targeted service for as long as the flood lasts. DDoS is often used for large-scale disruption or protest campaigns, and it is one of the main weapons in the arsenal of hacktivists, hackers who act in the name of a cause or ideology.
The attack identified by Cloudflare peaked at 5.6 terabits per second (Tbps). This is a rate, not a volume: it measures how much data arrives every second, here the amount of attack traffic hitting the target's network each second. The attack lasted only 80 seconds, in line with the trend toward increasingly brief attacks; in fact, the vast majority of attacks recorded by Cloudflare last no more than ten minutes.
Resurgence of large-scale DDoS
As Cloudflare explains, this attack follows a resurgence of denial-of-service attacks in the preceding months. Between September and the end of October 2024, the American company observed a wave of large-scale DDoS attacks around the world. The attacks in that wave were already considered enormous, yet the most powerful of them peaked at 3.8 terabits per second.
During the last quarter of 2024, the number of attacks exceeding the 1 Tbps threshold grew by 1,885% compared to the previous quarter. Such hyper-volumetric attacks still represented only about 3% of all attacks, while 63% were small attacks of fewer than 50,000 requests per second (a request-rate figure, which describes HTTP-layer attacks rather than raw bandwidth).
A botnet inspired by Mirai
The attack was launched from a botnet based on Mirai, a well-known malware family that first appeared in 2016. Mirai was originally designed to take over Internet of Things (IoT) devices such as IP cameras, home routers and other connected equipment by logging in over exposed services like Telnet with factory-default or weak credentials.
When Mirai's source code was published, a plethora of variants appeared, each with its own capabilities. Researchers have since identified dozens of botnets derived from that code, and many of them add exploits for known vulnerabilities rather than relying on default credentials alone. For example, a Mirai derivative called Gayfemboy recently took control of thousands of devices, from conventional routers to IoT devices, by exploiting about 20 vulnerabilities.
13,000 devices hacked
The botnet behind the record-breaking attack comprised about 13,000 compromised devices, according to Cloudflare's report. The firm explains that "although the attack involved approximately 13,000 unique IP addresses in total, the average per second was approximately 5,500 active IP addresses." The two figures differ because sources rotate in and out over the attack's lifetime; the per-second count is the load the mitigation capacity actually has to absorb at any given moment.
The attack aimed to take down the online services of an ISP operating in East Asia, whose identity has not been disclosed. Thanks to Cloudflare's mitigation, the target did not suffer any outage. Cloudflare's entire response was automated: detection and mitigation were triggered at Cloudflare's edge as soon as the attack traffic was observed, without human intervention, so the flood was absorbed before it reached the target.
More broadly, Cloudflare's figures for the quarter show that the most attacked locations were China, the Philippines, Taiwan, Hong Kong and Germany, and that the most targeted organizations were in the telecommunications, internet, marketing and advertising sectors.
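The figures above (13,000 unique sources overall versus about 5,500 active per second, and an automated trigger on traffic rate rather than on per-source behaviour) are easiest to see on data. The following is an added example, not code from the article or from Cloudflare: a small per-second aggregator over constructed flow samples. The `FlowSample` schema, the addresses, the byte counts and the 10 Gbps trigger threshold are all assumptions chosen for illustration; the volumes are scaled far below the real attack so the arithmetic stays readable.

```python
"""Per-second volumetric DDoS aggregation over constructed flow samples.

Added example; the record schema and all traffic values are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowSample:
    """One counter sample: bytes from src_ip to dst_ip during second ts.
    This is a hypothetical schema, not a real collector's export format."""
    ts: int
    src_ip: str
    dst_ip: str
    byte_count: int


def make_constructed_samples() -> list[FlowSample]:
    """Constructed traffic: two quiet seconds, then three attack seconds.

    The attack draws from a pool of 120 bots, but only 50 are active in
    any given second (the active window slides across the pool), which
    reproduces the 'many unique IPs in total, fewer per second' pattern.
    Each active bot sends 125,000,000 bytes (1 Gbit) in its second.
    """
    target = "203.0.113.10"  # TEST-NET-3 address, constructed
    samples: list[FlowSample] = []
    for ts in (0, 1):  # baseline: three legitimate clients, 1 kB each
        for i in range(3):
            samples.append(FlowSample(ts, f"198.51.100.{i + 1}", target, 1_000))
    pool = [f"10.0.{i // 256}.{i % 256}" for i in range(120)]
    for k, ts in enumerate((2, 3, 4)):
        active = pool[k * 35 : k * 35 + 50]  # windows overlap; union is all 120
        for src in active:
            samples.append(FlowSample(ts, src, target, 125_000_000))
    return samples


def per_second(samples: list[FlowSample]):
    """Bucket samples by second: total bits seen and the set of active sources."""
    bits: dict[int, int] = defaultdict(int)
    sources: dict[int, set[str]] = defaultdict(set)
    for s in samples:
        bits[s.ts] += s.byte_count * 8
        sources[s.ts].add(s.src_ip)
    return bits, sources


def analyse(samples: list[FlowSample], threshold_bps: int) -> dict:
    """Trigger on aggregate bits/s toward the target, then report the
    attack's duration, peak rate, total versus per-second unique sources
    and the average contribution of one active source at the peak."""
    bits, sources = per_second(samples)
    attack_seconds = sorted(ts for ts, b in bits.items() if b > threshold_bps)
    if not attack_seconds:
        return {"triggered": False}
    peak_ts = max(attack_seconds, key=lambda ts: bits[ts])
    unique_total = set().union(*(sources[ts] for ts in attack_seconds))
    avg_active = sum(len(sources[ts]) for ts in attack_seconds) / len(attack_seconds)
    return {
        "triggered": True,
        "first_trigger_ts": attack_seconds[0],
        "duration_s": len(attack_seconds),
        "peak_bps": bits[peak_ts],
        "unique_sources_total": len(unique_total),
        "avg_active_sources_per_s": avg_active,
        "avg_bps_per_active_source": bits[peak_ts] / len(sources[peak_ts]),
    }


if __name__ == "__main__":
    TEN_GBPS = 10_000_000_000  # assumed trigger threshold for this toy target
    for key, value in analyse(make_constructed_samples(), TEN_GBPS).items():
        print(f"{key}: {value}")
```

The trigger condition is the aggregate rate toward the victim, not anything about an individual source: with the active set rotating every second, a per-source reputation or rate limit would see each address only briefly, whereas the per-destination total crosses the threshold in the very first attack second. The gap between `unique_sources_total` (120) and `avg_active_sources_per_s` (50) is the same effect Cloudflare describes with its 13,000 versus 5,500 figures.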
Source: Cloudflare