The record-breaking DDoS attack that Cloudflare mitigated occurred on the weekend of February 11th and 12th, 2023. This was during the USA-based NFL Super Bowl weekend. During this time, Cloudflare detected and mitigated a wave of hyper-volumetric DDoS attacks, with the largest peaking at 71 million requests per second (rps).
What exactly is a DDoS attack?
A Distributed Denial of Service (DDoS) attack is a type of cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by overwhelming it with a flood of internet traffic. DDoS attacks are carried out using multiple compromised computer systems as sources of attack traffic. These can include computers and other networked resources such as IoT devices.
A more detailed look at the process and impact of a DDoS attack.
Botnet Creation: The attacker begins by infecting multiple systems with malware, turning each of them into a bot (or zombie). Collectively, these compromised systems form a “botnet.”
Attack Launch: When the attacker decides to launch the attack, they instruct the botnet to send requests to the target’s IP address. This can be done through command and control (C&C) servers.
Traffic Flood: The victim’s server or network infrastructure is bombarded with a huge volume of requests, often coming from diverse geographic locations and IP ranges, making it difficult to distinguish legitimate traffic from malicious traffic.
Resource Overload: The primary objective of a DDoS attack is to exhaust the resources of the target. This could mean consuming all available bandwidth, overwhelming application servers, or draining other system resources, effectively rendering the service slow or completely unresponsive to legitimate users.
Types of DDoS Attacks: DDoS attacks can vary in their approach:
- Volumetric Attacks: These are the most common types and involve overwhelming a system with large volumes of traffic, such as UDP floods or ICMP floods.
- Protocol Attacks: These target server resources or intermediate communication equipment like load balancers and firewalls.
- Application Layer Attacks: These are more sophisticated, targeting specific aspects of an application or service (e.g., HTTP, DNS).
Defense Mechanisms: Defending against DDoS attacks generally involves a combination of anti-DDoS technology, robust network architecture, and rapid response measures. Cloud-based protection services, like Cloudflare, are popular as they can absorb and distribute the traffic load associated with large-scale DDoS attacks.
Impact: The impact of a DDoS attack can be substantial, ranging from the temporary unavailability of services to long-term damage to a brand’s reputation and financial losses.
How can I protect my business from this form of attack?
If you’re a client of Digital Solutions, then chances are we have talked about this at some point. It’s essential to implement a comprehensive strategy that involves multiple layers of defense. Here are key steps I urge my clients to consider:
Risk Assessment: Understand your vulnerability to DDoS attacks. Assess your network infrastructure, identify critical assets, and understand your traffic patterns.
Increase Bandwidth: While this alone won’t stop a DDoS attack, more bandwidth can absorb larger volumes of traffic and can give you more time to act before services are affected.
Deploy Anti-DDoS Technology and Services: Implement DDoS protection solutions, such as those offered by Cloudflare, which can detect and mitigate large-scale DDoS attacks. These services often provide both on-premises and cloud-based protection.
Configure Network Hardware Against DDoS: Adjust the settings of your network hardware, like routers and firewalls, to help mitigate the risk of DDoS attacks. This can include rate limiting, traffic filtering, or dropping malformed packets.
Use a Content Delivery Network (CDN): CDNs can distribute your content across multiple data centers, so the load is balanced and less likely to be overwhelmed by an attack.
Implement Redundancy: Have a backup of your critical infrastructure in a different network or location. This redundancy can help maintain availability in case one location is under attack.
Create a Response Plan: Have a clear, documented plan for responding to DDoS attacks. This should include notification procedures, steps for traffic rerouting, and communication strategies with customers and stakeholders.
Monitor Traffic: Constantly monitor your network for unusual traffic patterns or spikes in activity, which can be early indicators of a DDoS attack.
Secure Network Devices and Services: Make sure all devices connected to your network are secured and updated to prevent them from being used in botnets for DDoS attacks.
Educate and Train Staff: Ensure that your staff is aware of the risks and knows how to respond in the event of a DDoS attack.
Collaborate with Your ISP: Your Internet Service Provider can be a valuable ally in mitigating DDoS attacks. They can provide additional resources and reroute traffic during an attack.
Regularly Update and Patch Systems: Keeping software and systems updated can prevent attackers from exploiting known vulnerabilities.
Use Web Application Firewalls (WAF): WAFs can help protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
Engage in Law Enforcement and Legal Actions: In some cases, it may be necessary to engage with law enforcement and pursue legal actions against the attackers.
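The “Monitor Traffic” and “Configure Network Hardware” / “Use Web Application Firewalls” steps above boil down to two mechanisms: spotting a request-rate spike early, and rate limiting the sources responsible. The following is an added example (not code from Cloudflare or from Digital Solutions) that replays a constructed web-server access log in Common Log Format, flags seconds whose request rate exceeds a multiple of the observed baseline, names the top talker in each flagged second, and then applies a per-client token-bucket limiter of the kind a firewall or WAF rate-limiting rule implements. The IP addresses, timestamps, and thresholds are all constructed sample values.

```python
"""Request-rate spike detection and per-client rate limiting over an access log.

Added example: the log lines, IPs and thresholds below are constructed sample
data, not real traffic and not any vendor's implementation.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime


def _clf(ip, second, path="/"):
    """Build one constructed Common Log Format line (sample data, not real traffic)."""
    return f'{ip} - - [11/Feb/2023:18:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample log: two quiet seconds, then one source hammering /login.
SAMPLE_LOG = [
    _clf("203.0.113.10", 0), _clf("203.0.113.11", 0), _clf("203.0.113.12", 0),
    _clf("203.0.113.10", 1), _clf("203.0.113.13", 1),
    *[_clf("198.51.100.7", 2, "/login") for _ in range(7)], _clf("203.0.113.11", 2),
    *[_clf("198.51.100.7", 3, "/login") for _ in range(5)], _clf("203.0.113.12", 3),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (client_ip, epoch_second) for a CLF line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None  # skip junk lines instead of letting the detector crash on them
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], int(ts.timestamp())


def per_second_counts(lines):
    """Map each epoch second to a Counter of requests per source IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, sec = parsed
            buckets[sec][ip] += 1
    return buckets


def estimate_baseline(lines, warmup_seconds):
    """Mean requests per second over the first `warmup_seconds` seconds of the log."""
    counts = per_second_counts(lines)
    first = sorted(counts)[:warmup_seconds]
    return sum(sum(counts[s].values()) for s in first) / len(first)


def detect_spikes(lines, baseline_rps, factor=2.0):
    """Flag seconds whose total rps exceeds factor x baseline and name the top talker."""
    alerts = []
    for sec, counter in sorted(per_second_counts(lines).items()):
        total = sum(counter.values())
        if total > baseline_rps * factor:
            top_ip, top_n = counter.most_common(1)[0]
            alerts.append({"second": sec, "rps": total, "top_ip": top_ip, "top_share": top_n / total})
    return alerts


class TokenBucket:
    """Per-client token bucket: `capacity` is the allowed burst, `rate` tokens refill per second."""

    def __init__(self, capacity, rate):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.last = float(capacity), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def rate_limit(lines, capacity=3, rate=1.0):
    """Replay the log through one bucket per IP; return {ip: (allowed, dropped)}."""
    buckets, verdict = {}, defaultdict(lambda: [0, 0])
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, sec = parsed
        bucket = buckets.setdefault(ip, TokenBucket(capacity, rate))
        verdict[ip][0 if bucket.allow(sec) else 1] += 1
    return {ip: tuple(v) for ip, v in verdict.items()}


if __name__ == "__main__":
    baseline = estimate_baseline(SAMPLE_LOG, warmup_seconds=2)
    for alert in detect_spikes(SAMPLE_LOG, baseline):
        print(f"spike at {alert['second']}: {alert['rps']} rps, "
              f"{alert['top_ip']} sent {alert['top_share']:.0%}")
    for ip, (ok, dropped) in rate_limit(SAMPLE_LOG).items():
        print(f"{ip}: allowed={ok} dropped={dropped}")
```

On the sample log the detector flags the two burst seconds and attributes most of the traffic to 198.51.100.7, while the limiter (burst of 3, refilling one request per second) lets the ordinary clients through untouched and drops 8 of that source's 12 requests. In production the same two pieces run continuously: the baseline comes from historical traffic rather than the first seconds of a file, the detector raises an alert, and the limiter's verdict becomes a firewall or WAF rule rather than a dictionary.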
How Cloudflare survived the attack
Cloudflare mitigated the record-breaking 71 million requests per second DDoS attack using its sophisticated automated detection and mitigation systems. These systems are designed to identify and respond to DDoS attacks of various types and sizes.
The key aspects of Cloudflare’s mitigation approach include:
Automatic Detection: Cloudflare’s systems are capable of automatically detecting unusual traffic patterns indicative of DDoS attacks. This automatic detection is critical in rapidly identifying and responding to such large-scale attacks.
Mitigation Capabilities: Cloudflare offers various features and capabilities for DDoS protection. For instance, it has DDoS Managed Rules set to high sensitivity levels and mitigation actions for optimal response to attacks. Additionally, Cloudflare’s Adaptive DDoS Protection can intelligently mitigate attacks based on unique traffic patterns.
Infrastructure Design: Cloudflare’s infrastructure is designed to handle large volumes of traffic, which is essential in absorbing and mitigating the impact of volumetric DDoS attacks.
Wide Range of Targets: The attacks mitigated by Cloudflare were not limited to a single website or service but targeted a variety of entities, including gaming providers, cloud computing platforms, and cryptocurrency firms. The attacks originated from a large number of IP addresses, over 30,000, from multiple cloud providers.
Comprehensive Security Posture: In addition to specific DDoS mitigation techniques, Cloudflare recommends a comprehensive security posture for its clients. This includes deploying firewall rules, rate limiting, ensuring the security of the origin server, leveraging managed IP lists, enabling caching, and setting up DDoS alerting systems to improve response times.
The attack highlighted the increasing frequency, size, and sophistication of DDoS attacks and underscored the importance of having robust, automated systems in place to protect against such cyber threats.
For more detailed information, refer to Cloudflare’s blog post on the attack and the coverage by BleepingComputer.