On Thursday, Cloudflare, a leader in web infrastructure and security, reported it has successfully mitigated the largest volumetric distributed denial of service (DDoS) attack ever recorded. This significant incident, initiated by a Mirai botnet, targeted a client within the financial sector last month.
Cloudflare’s analysis revealed that at its peak the attack reached an unprecedented 17.2 million requests per second (rps), roughly three times the size of the largest HTTP DDoS attacks previously recorded. According to Cloudflare, the botnet reached that rate within seconds of starting and generated over 330 million attack requests directed at its network edge.
Volumetric DDoS attacks efficiently overwhelm a target’s bandwidth by flooding it with excessive traffic, often employing reflective amplification techniques to magnify their impact. Central to these attacks is a network of compromised devices—ranging from computers and servers to Internet of Things (IoT) gadgets—that are conscripted into a botnet to launch a substantial volume of malicious traffic.
During the attack, traffic was recorded from over 20,000 bots across 125 countries. Notable contributors included Indonesia (nearly 15% of the total traffic), along with India, Brazil, Vietnam, and Ukraine. Alarmingly, the 17.2 million rps constituted 68% of the average legitimate HTTP traffic processed by Cloudflare during Q2 2021, which stands at 25 million rps.
This incident is one of numerous similar attacks observed recently. Cloudflare reported that the same Mirai botnet was implicated in a prior HTTP DDoS incident targeting a hosting provider, peaking just below 8 million rps. Additionally, a variant of the Mirai botnet launched several UDP- and TCP-based attacks that exceeded 1 Tbps on multiple occasions, aimed at a gaming company and a major Asia-Pacific telecommunications and hosting provider.
Although frequent attacks tend to be smaller and less prolonged, Cloudflare warns of a rising trend in significant volumetric attacks. The company emphasizes the risks associated with brief, intense bursts of such attacks, especially for organizations relying on outdated DDoS protection systems or lacking continuous, cloud-based security mechanisms.
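The two measurements Cloudflare uses above, request rate against a baseline and how many sources and countries the traffic came from, are simple to compute from per-request logs. The following is an added example (not Cloudflare's code or tooling) that buckets constructed sample log lines by second, flags any second whose rate exceeds a chosen multiple of an assumed per-target baseline, and reports source diversity for each flagged burst; the log format, the `baseline_rps` value and the `burst_factor` threshold are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): one line per request in the
# assumed format "<ISO-8601 timestamp> <client_ip> <country>". Two quiet
# seconds of ordinary traffic are followed by a one-second burst from many
# distinct sources in several countries.
def build_sample_log():
    base = datetime(2021, 8, 19, 12, 0, 0)
    lines = []
    for sec in range(2):                       # quiet seconds: 2 req/s
        ts = (base + timedelta(seconds=sec)).isoformat()
        lines.append(f"{ts} 198.51.100.10 US")
        lines.append(f"{ts} 198.51.100.11 DE")
    ts = (base + timedelta(seconds=2)).isoformat()
    burst_countries = ["ID", "ID", "ID", "IN", "BR", "VN", "UA", "IN", "BR", "ID"]
    for i, country in enumerate(burst_countries, 1):   # burst second: 10 req/s
        lines.append(f"{ts} 203.0.113.{i} {country}")
    return lines

def analyze(log_lines, baseline_rps, burst_factor=3.0):
    """Count requests per second and flag seconds above burst_factor x baseline.

    For each flagged second, also report the number of distinct source IPs,
    the number of countries, and the share of the top country: the same
    figures Cloudflare cited for the attack described in the article.
    """
    per_second = defaultdict(list)
    for line in log_lines:
        ts, ip, country = line.split()
        per_second[ts].append((ip, country))
    bursts = []
    for ts in sorted(per_second):
        hits = per_second[ts]
        rps = len(hits)
        if rps > burst_factor * baseline_rps:
            countries = Counter(c for _, c in hits)
            top_country, top_n = countries.most_common(1)[0]
            bursts.append({
                "second": ts,
                "rps": rps,
                "ratio_to_baseline": rps / baseline_rps,
                "distinct_sources": len({ip for ip, _ in hits}),
                "countries": len(countries),
                "top_country": top_country,
                "top_country_share": top_n / rps,
            })
    return bursts
```

A short-lived burst shows up as a single flagged second here; a detector that only averages over minutes, as older on-premises DDoS appliances often do, would smooth it away entirely.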
