Cloudflare says it mitigated a record-breaking 17.2M rps DDoS attack

Internet infrastructure company Cloudflare disclosed today that it mitigated the largest volumetric distributed denial of service (DDoS) attack that was recorded to date.

The attack, which took place last month, targeted one of Cloudflare's customers in the financial industry.

Cloudflare said that a threat actor used a botnet of more than 20,000 infected devices to flung HTTP requests at the customer's network in order to consume and crash server resources.

Called a volumetric DDoS, these are different from classic bandwidth DDoS attacks where threat actors try to exhaust and clog up the victim's internet connection bandwidth. Instead, attackers focus on sending as many junk HTTP requests to a victim's server in order to take up precious server CPU and RAM and prevent legitimate users from using targeted sites.

Cloudflare said this attack peaked at 17.2 million HTTP requests/second (rps), a figure that the company described as almost three times larger than any previous volumetric DDoS attack that was ever reported in the public domain.

Cloudflare said that while the attack peaked at 17.2 million rps, the threat actor kept its botnet aimed against its customer for hours, during which time it had to absorb more than 330 million junk HTTP requests.

But the botnet operator did not stop after this initial attack. Cloudflare said the same botnet also carried out two other large-scale attacks in the subsequent weeks, including another that peaked at 8 million rps, aimed at a web hosting provider.

Cloudflare said it's currently tracking the botnet's evolution, which appears to have been built using a modified version of the well-known Mirai IoT malware.

Based on the infected device's (bots) IP addresses, Cloudflare said that 15% of the attacker's traffic came from Indonesia, while another 17% of the malicious traffic came from India and Brazil combined.


At 17.2 million rps, the attack also accounted for 68% of the legitimate HTTP traffic the company processed during Q2 2021, estimated at 25 million rps.

The biggest bandwidth DDoS attack ever recorded comes at 2.3 terabytes per second (Tbps), recorded by Amazon Web Services in February 2020.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.