What just happened? A significant portion of today’s internet traffic consists of bots, and AI algorithms are exacerbating the issue. Bots, security vulnerabilities, and malicious campaigns can disrupt even the largest services. Recently, Cloudflare mitigated a massive DDoS attack that was part of a month-long campaign targeting multiple types of customers.
The CDN “auto-mitigated” a record-breaking DDoS attack aimed at a single, unnamed customer. Cloudflare’s defenses intercepted over 100 hyper-volumetric L3/4 DDoS attacks during the month, many of which exceeded two billion packets per second and three terabits per second (Tbps).
The largest attack involved 3.8 Tbps of malicious traffic, with which cybercriminals attempted to flood a single customer in just one minute. Cloudflare’s systems detected and mitigated this “world record” DDoS attack without any human intervention.
The month-long, unprecedented attack campaign targeted Cloudflare customers in the finance, internet, and telecommunications sectors, aiming to either saturate network bandwidth or exhaust the computing resources of in-line applications and devices. The attacks primarily utilized the UDP protocol, with major sources of the data flood originating from Vietnam, Russia, Brazil, Spain, and the U.S.
Several types of compromised devices were exploited to generate this record-breaking traffic, though Cloudflare noted that most of the “high bitrate” attacks stemmed from vulnerable Asus routers affected by a critical security flaw (CVSS 9.8), recently discovered by Censys. The DDoS attacks aimed to overwhelm networks with excessive data packets from multiple sources, while also straining the “CPU cycles” needed to process those packets.
By sending enough malicious packets, attackers can potentially consume all of a system’s CPU resources, making normal operations unsustainable. Cloudflare deploys a range of filters and network protections to thwart both malicious traffic and attempts to exhaust CPU resources.
Its “software-defined” approach successfully shielded customers from the largest DDoS campaign on record. The company, however, recommends that customers implement additional security measures, though these can be costly, especially for larger organizations.