An unprecedented distributed denial of service (DDoS) attack saw over 25.3 billion requests being sent to a target. Imperva, a cyber security software and services company, confirmed the attack.
As reported by Bleeping Computer, the firm’s systems defended against the record-breaking attack when it occurred on June 27, 2022.
The threat actors concentrated their efforts on a Chinese telecommunications service provider, which was subjected to an attack that reached 3.9 million requests per second (RPS), with an average of 1.8 million RPS.
Granted, the aforementioned figure doesn’t come remotely close to the largest HTTPS DDoS attack ever recorded (26 million RPS). However, the attack's duration was specifically highlighted: this particular attack ended after four hours.
Comparatively, DDoS attempts that exceed the 1 million RPS mark generally end after seconds or several minutes. Imperva also mentioned in its report that around one in 10 DDoS attacks lasts for over an hour.
Because the automated mitigation solution in place blocks DDoS attacks in under three seconds, the attempt could have peaked at a much higher number than the 3.9 million RPS figure.
As for the attack itself, it was carried out via a botnet spread across 180 countries. IP addresses were predominantly based in the U.S., Brazil, and Indonesia. The botnet utilized a network of 170,000 compromised devices, including modem routers, smart security cameras, and servers. The servers were found to be hosted on public clouds and cloud security service providers.
“The attack started at 3.1M RPS and maintained a rate of around 3M RPS. Once the attack peaked at 3.9M RPS, the attack lowered for several minutes but returned to full strength for another hour,” Imperva said.
The hackers relied on HTTP/2 multiplexing to send multiple requests at once over individual connections. Imperva added that this technique is capable of shutting servers down with a limited amount of resources. It also stressed that these sorts of attacks are “extremely difficult to detect.”
DDoS attacks have increased in popularity in recent years. Cloudflare confirmed that this category saw a 175% increase in incidents in the fourth quarter of 2021.
Google, meanwhile, managed to stop the largest HTTPS DDoS attack in history in August, with the company mitigating an attempt that peaked at 46 million RPS.