extended hand meaning stop

Largest DDoS attack ever reported gets hoovered up by Cloudflare

On the Cloudflare blog, the American web infrastructure behemoth that provides content delivery network (CDN) and DDoS mitigation services reports that it detected and mitigated a 17.2 million request-per-second (rps) DDoS attack. To put that number in perspective. The company reports that this is three times as large as anything it has seen before.


In a DDoS attack, an attacker tries to stop people from using a service by making it so busy it either crashes or grinds to a halt. It does this by flooding the service with spurious requests from multiple, distributed locations.

If hacking is opening a door by picking its lock, then DDoS is blocking the door by boarding it up from the outside.

The target

The target of this enormous DDoS attack was a customer of Cloudflare in the financial sector. Cloudflare reports that within seconds, the botnet bombarded the its edge with over 330 million requests.

For Internet devices, the network edge is where the device, or the local network containing the device, communicates with the Internet. The “edge” in this case refers to the Cloudflare CDN, which customers use to improve the performance of their websites. CDNs are geographically dispersed clusters of servers that store web content. When users try to access a website that uses a CDN, they actually get directed to the nearest CDN server rather than the website itself, and Cloudflare handles the web traffic. Similarly, if somebody tries to DDoS attack the website, the attack ends up hitting the Cloudflare CDN.

The Cloudflare CDN is absolutely enormous, and is used by almost 20% of all websites, which means it can handle an absolutely enormous amount of traffic.

The botnet

The attack traffic is reported to have originated from more than 20,000 bots in 125 countries around the world. Based on the bots’ source IP addresses, almost 15% of the attack originated from Indonesia and another 17% from India and Brazil combined. Cloudflare attributes this attack to the Mirai botnet. Although the number of Mirai bots is on the decline, the botnet was still able to generate impressive volumes of attack traffic for short periods.

You may remember hearing about this botnet after the massive East Coast internet outage of 2016 when the Mirai botnet was leveraged in a DDoS attack aimed at Dyn, an Internet infrastructure company. Traffic to Dyn’s Internet directory servers throughout the US—primarily on the East Coast but later on the opposite end of the country as well—was stopped by a flood of malicious requests from tens of millions of IP addresses disrupting the system.

Although it hasn’t generated headlines like that for a few years, we recently we posted about how Mirai was trying to add a host of home routers to its collection of compromised devices. It was found hijacking routers using a vulnerability that was disclosed only two days earlier

As it happens Microsoft wrote about the Mozi botnet, which is essentially a Mirai variant, going after Netgear, Huawei, and ZTE gateways by using clever persistence techniques that are specifically adapted to each gateway’s particular architecture. Last year, security experts from IBM X-Force said that the Mozi botnet accounted for 90 percent of traffic from IoT devices at that time.


Mirai works by harnessing tens of thousands of small, low-powered Internet-of-Things (IoT) devices, such as Internet-connected cameras and home routers. Although each device it compromises only adds a little horsepower to Mirai’s engine, there are plenty of them to hijack.

Vulnerabilities in home networking equipment often go unpatched for long periods. Since most home users are unaware of the existence of such vulnerabilities and many lack the skills and/or confidence to apply a patch if one is made available.

And almost the same can be said about many small and medium-sized businesses. As long as the equipment works many fail to see the need for patching or the need to replace vulnerable devices. In some cases patches are not even made available when devices are replaced by newer models. Or because vendors fail to inform users about the vulnerability existing in the first place.


When it coms to blocking DDoS attacks there is not much businesses can do, except hire specialized help. But there are some things you can do so you do not become part of the problem.

Businesses and consumers alike should also start worrying about securing their IoT devices in a manner that they can’t be used in a DDoS botnet. We have an excellent article called Internet of Things (IoT) security: what is and what should never be that explains in detail why and how you can make the IoT a safer place.

And maybe, just maybe, we should try and work out Internet protocols that are designed so that they do not offer opportunities for DDoS attacks.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.