On Monday the 13th February, web infrastructure company Cloudflare disclosed that it had stopped a record-breaking DDoS (Distributed Denial-of-Service) attack that peaked at over 71 million requests per second (RPS).
This makes the attack the largest HTTP DDoS attack reported to date – more than 35% higher than the previous 46 million RPS DDoS attack that Google Cloud suffered in June 2022.
Cloudflare said the attacks targeted websites secured by its platform and that they emanated from a botnet comprising more than 30,000 IP addresses that belonged to “numerous” cloud providers.
Although Cloudflare did not disclose which websites were targeted, they said that they included a popular gaming provider, various cryptocurrency companies, hosting providers, and other cloud computing platforms.

These types of attack are designed to send a wave of HTTP requests towards a target website, typically an order of magnitude more than the website can handle, with the goal of rendering it inaccessible to legitimate users, hence the name Denial of Service.
Shake your money maker
DDoS attacks are becoming a lucrative means for criminal actors to earn illicit revenues by demanding ransom payments from victims to stop and avoid disruption to their services.
With the rise in IoT botnets (see my Mirai blog), and the relatively low cost of cloud-hosted platforms, building a network of bots to launch a devastating DDoS has never been easier.
Some of the major industry verticals recently targeted include aviation, education, gaming, hospitality, and telecoms companies.
It isn’t just companies being targeted either; Georgia, Belize, and San Marino emerged as some of the top countries targeted by HTTP DDoS attacks in Q4 2022.
Types of DDoS attack
Using HTTP is just one way of conducting a DDoS attack, but there are plenty of other protocols at different layers of the network stack that can be used to the same effect. An HTTP DDoS attack would be classed as an application-layer (or layer 7) attack.
Network-layer (layer 3) DDoS attacks have been used to attack countries such as China, Lithuania, Finland, Singapore, Taiwan, Belgium, Costa Rica, the U.A.E, South Korea, and Turkey.
A few protocols are commonly used at layer 3 to launch DDoS attacks. These are the most widely used layer 3 protocols, and the ones most likely to be used in a DDoS attack:
- IP: The Internet Protocol (IP) routes and addresses packets of data so that they arrive at the correct destination. Every device that connects to the Internet has an IP address, and the IP protocol attaches the correct IP address to each data packet – like addressing a letter to someone.
- IPsec: IPsec is actually a suite of several protocols. IPsec is the encrypted version of IP used by lots of VPNs (Virtual Private Networks).
- ICMP: The Internet Control Message Protocol handles error reports and testing. Network developers and engineers use ICMP for its ping and traceroute functions. Typically only one ICMP packet needs to be sent at a time.
DDoS attacks are theoretically possible using any of these protocols; for example, ICMP is commonly used to flood a server with more pings than it can respond to (a ping flood), or to send one overly large ping packet that crashes the receiving device (this is known as the “ping of death”).
Another example of an ICMP-based DDoS is the Smurf attack. ICMP has no security or verification measures, which makes it possible for an attacker to spoof an IP address in an ICMP request.
In a Smurf attack, the attacker sends out ping requests to thousands of devices, spoofing the sender's IP address in the requests so that the responses go to the target, not the attacker. Whilst most modern networking hardware is no longer vulnerable to this attack, there are some legacy systems on the Internet that would still be affected by such an attack.
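To see what these three ICMP attacks look like from the target's side, here is a small detection sketch added as an illustration (it is not Cloudflare's code or part of the original post). The packet record layout, the two thresholds and the addresses are assumptions made up for the example.

```python
from collections import defaultdict

MAX_IP_DATAGRAM, IP_HEADER = 65535, 20  # IPv4 size limit and minimum header, in bytes
FLOOD_PPS = 100      # assumed threshold: inbound echo requests per second
SMURF_SOURCES = 5    # assumed threshold: distinct hosts sending unsolicited replies

def classify(packets, local_ip):
    """Return alert labels for ICMP traffic seen at local_ip.

    Each packet is a dict with ts (seconds), src, dst, type ('echo-request'
    or 'echo-reply'), id, seq, frag_offset and length (both in bytes).
    """
    alerts = set()
    outstanding = set()             # (peer, id, seq) of pings we really sent
    per_second = defaultdict(int)   # whole second -> inbound echo requests
    unsolicited = set()             # hosts answering pings we never sent
    for p in sorted(packets, key=lambda p: p["ts"]):
        # Ping of death: a fragment that ends past the largest legal datagram.
        if IP_HEADER + p["frag_offset"] + p["length"] > MAX_IP_DATAGRAM:
            alerts.add("oversized-ping")
        if p["type"] == "echo-request":
            if p["src"] == local_ip:
                outstanding.add((p["dst"], p["id"], p["seq"]))
            elif p["dst"] == local_ip:
                per_second[int(p["ts"])] += 1
        elif p["type"] == "echo-reply" and p["dst"] == local_ip:
            key = (p["src"], p["id"], p["seq"])
            if key in outstanding:
                outstanding.discard(key)    # answer to our own ping
            else:
                unsolicited.add(p["src"])   # reply to a request spoofed as us
    if any(n > FLOOD_PPS for n in per_second.values()):
        alerts.add("ping-flood")
    if len(unsolicited) >= SMURF_SOURCES:
        alerts.add("smurf-reflection")
    return alerts

def pkt(ts, src, dst, kind, seq=1, frag_offset=0, length=64):
    """Build one constructed packet record."""
    return {"ts": ts, "src": src, "dst": dst, "type": kind, "id": 1,
            "seq": seq, "frag_offset": frag_offset, "length": length}

ME = "192.0.2.10"  # constructed sample data, documentation address ranges only
SAMPLE = ([pkt(0.0, ME, "198.51.100.1", "echo-request"),   # our own ping
           pkt(0.1, "198.51.100.1", ME, "echo-reply")]     # and its answer
          + [pkt(1.0, f"203.0.113.{i}", ME, "echo-reply") for i in range(1, 9)])

if __name__ == "__main__":
    print(classify(SAMPLE, ME))
```

The legitimate ping and its reply raise nothing; only the eight replies that match no request sent by the host trigger the Smurf alert.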
Attackers can use IPsec to flood a target with junk data or overly large security certificates, causing the system to hang or crash as it attempts to process the data.
How does Cloudflare protect against layer 3 DDoS attacks?
In addition to blocking DDoS attacks at layers 4 and 7, Cloudflare mitigates layer 3 DDoS attacks with its Magic Transit service.
Magic Transit is designed specifically to stop attacks on internal network infrastructure, including DDoS attacks at any layer. The Cloudflare WAF (Web Application Firewall) and CDN (Content Delivery Network) also stop layer 3 DDoS attacks by only accepting traffic to layer 7 (HTTP and HTTPS) ports.