Cloudflare has revealed that it had automatically detected and mitigated a 26 million request per second DDoS attack last week, the largest HTTPS DDoS attack on record, according to the content delivery network and DDoS mitigation company. The target was a customer using Cloudflare’s Free plan, and it’s believed that hijacked virtual machines and powerful servers were used to generate the attack, which originated from Cloud Service Providers rather than Residential Internet Service Providers. Cloudflare is no stranger to record-setting DDoS attacks, having shared articles in August 2021 and April 2022 that detailed 17.2 million and 15 million request per second HTTP DDoS attacks, respectively. The company began offering free DDoS mitigation services in 2014.
The 26M rps DDoS attack originated from a small but powerful botnet of 5,067 devices. On average, each node generated approximately 5,200 rps at peak. To contrast the size of this botnet, we’ve been tracking another much larger but less powerful botnet of over 730,000 devices. The latter, larger botnet wasn’t able to generate more than one million requests per second, i.e. roughly 1.3 requests per second on average per device. Putting it plainly, this botnet was, on average, 4,000 times stronger due to its use of virtual machines and servers.
Within less than 30 seconds, this botnet generated more than 212 million HTTPS requests from over 1,500 networks in 121 countries. The top countries were Indonesia, the United States, Brazil and Russia. About 3% of the attack came through Tor nodes.