This Massive DDoS Attack Was One of the Longest Ever Recorded

In an unprecedented DDoS (Distributed Denial of Service) attack, more than 25.3 billion requests were sent to a target. Imperva, a cybersecurity software and services company, confirmed the attack.

As reported by Bleeping Computer, the company’s systems defended the record-breaking attack when it happened on June 27, 2022.

Getty Images

The threat actors focused their efforts on a Chinese telecommunications service provider, which was the target of an attack that reached 3.9 million requests per second (RPS), averaging 1.8 million RPS.

Admittedly, the aforementioned figure is nowhere near the largest HTTPS DDoS attack ever recorded (26 million RPS). However, it was specifically stated how long the attack lasted: this particular attack ended after four hours.

In comparison, DDoS attempts that exceed the 1 million RPS mark generally end in seconds or minutes. Imperva also mentioned in its report that about one in ten DDoS attacks last longer than an hour.

Thanks to the automated mitigation solution that blocks DDoS attacks in less than three seconds, the attempt could have reached a much higher number than the number of 3.9 million.

As for the attack itself, it was carried out through a botnet system located in 180 countries. IP addresses were mainly located in the US, Brazil and Indonesia. The botnet leveraged a network of 170,000 hacked devices, ranging from modem routers, smart security cameras and servers. The latter turned out to be hosted on public clouds and cloud security service providers.

“The attack started at 3.1 million RPS and maintained a rate of approximately 3 million RPS. Once the attack peaked at 3.9 million RPS, the attack subsided for a few minutes but returned at full strength for another hour,” Imperva said.

The hackers relied on HTTP/2 multiplexing to deliver several requests simultaneously over individual connections. Imperva added that this technique is capable of shutting down servers with limited resources. It also stressed that these types of attacks are “extremely difficult to detect”.

DDoS attacks have become increasingly popular in recent years. Cloudflare confirmed that in the fourth quarter of 2021, the number of incidents in this category increased by 175%.

Google, meanwhile, managed to stop the biggest HTTPS DDoS attack in history in August, with the company softening an attempt that peaked at 46 million RPS.

Editor’s Recommendations