Cybersecurity firm mitigates DDoS attack with 25.3 billion requests
Cybersecurity firm Imperva has revealed that earlier this year it mitigated a DDoS (distributed denial-of-service) attack with more than 25.3 billion requests. The attack targeted an unidentified Chinese telecoms firm and is reported to have lasted for around four hours, peaking at 3.9 million RPS (requests per second).
In a report published on the attack, which occurred on June 27, 2022, Imperva said: “Attackers used HTTP/2 multiplexing, or combining multiple packets into one, to send multiple requests at once over individual connections.”
The attack was launched via a botnet made up of close to 170,000 different IP addresses. These addresses were spread across compromised servers, routers and security cameras, primarily located in the US, Brazil and Indonesia, but distributed across more than 180 countries in total.
Separately, web infrastructure provider Akamai has revealed that it mitigated a new DDoS attack that targeted a customer based in Eastern Europe. Attack traffic for this assault peaked at 704.8 million pps (packets per second).
The victim of the attack had previously been targeted in July 2022, in an assault lasting 14 hours and peaking at 853.7 Gbps (gigabits per second) and 659.6 million pps. Craig Sparling of Akamai said that the target company had been “bombarded relentlessly with sophisticated distributed denial-of-service (DDoS) attacks” with indications that the attacks could be politically motivated and linked to Russia’s war in Ukraine.
Both attacks on this victim were UDP flood attacks, in which attackers send User Datagram Protocol (UDP) packets to arbitrary ports on the target host in order to overwhelm it. UDP is considered well suited to handling VoIP traffic, but can also be vulnerable to exploitation.
In an effort to reduce the threat posed by DDoS attacks, the EU has introduced the “Cyber Resilience Act” draft legislation, which will compel manufacturers to take more accountability for the security of their devices by introducing “mandatory cyber security requirements for products with digital elements, throughout their whole lifecycle.”