Massive HTTP DDoS Attack Hits Record High of 71 Million Requests/Second

Massive HTTP DDoS Attack

Web infrastructure company Cloudflare on Monday disclosed that it thwarted a record-breaking distributed denial-of-service (DDoS) attack that peaked at over 71 million requests per second (RPS).

“The majority of attacks peaked in the ballpark of 50-70 million requests per second (RPS) with the largest exceeding 71 million,” the company said, calling it a “hyper-volumetric” DDoS attack.

It’s also the largest HTTP DDoS attack reported to date, more than 35% higher than the previous 46 million RPS DDoS attack that Google Cloud mitigated in June 2022.

Cloudflare said the attacks singled out websites secured by its platform and that they emanated from a botnet comprising more than 30,000 IP addresses that belonged to “numerous” cloud providers.

Targeted websites included a popular gaming provider, cryptocurrency companies, hosting providers, and cloud computing platforms.

HTTP attacks of this kind are designed to send a tsunami of HTTP requests towards a target website, typically in order of magnitude higher than what the website can handle, with the goal of rendering it inaccessible.

“Given a sufficiently high amount of requests, the website’s server will not be able to process all of the attack requests along with the legitimate user requests,” Cloudflare said.

“Users will experience this as website-load delays, timeouts, and eventually not being able to connect to their desired websites at all.”

The development comes as the size, sophistication, and frequency of DDoS attacks are on the rise, with the company recording a 79% spike in HTTP DDoS attacks year-over-year in the final quarter of 2022.

Read more: