
      Biggest DDoSes of all time generated by protocol 0-day in HTTP/2

      news.movim.eu / ArsTechnica · Friday, 13 October, 2023 - 12:50 · 1 minute

    How DDoSers used the HTTP/2 protocol to deliver attacks of unprecedented size


    In August and September, threat actors unleashed the biggest distributed denial-of-service attacks in Internet history by exploiting a previously unknown vulnerability in a key technical protocol. Unlike other high-severity zero-days in recent years—Heartbleed or Log4j, for example—which caused chaos from a torrent of indiscriminate exploits, the more recent attacks, dubbed HTTP/2 Rapid Reset, were barely noticeable to all but a select few engineers.

    HTTP/2 Rapid Reset is a novel technique for waging DDoS, or distributed denial-of-service attacks, of an unprecedented magnitude. It wasn’t discovered until after it was already being exploited to deliver record-breaking DDoSes. One attack on a customer using the Cloudflare content delivery network peaked at 201 million requests per second, almost triple the previous record Cloudflare had seen of 71 million rps. An attack on a site using Google’s cloud infrastructure topped out at 398 million rps, more than 7.5 times bigger than the previous record Google recorded of 46 million rps.

    Doing more with less

    The DDoSes hitting Cloudflare came from a network of roughly 20,000 malicious machines, a relatively small number compared with many so-called botnets. The attack was all the more impressive because, unlike many DDoSes directed at Cloudflare customers, this one resulted in intermittent 4xx and 5xx errors when legitimate users attempted to connect to some websites.


      Attackers find new ways to deliver DDoSes with “alarming” sophistication

      news.movim.eu / ArsTechnica · Wednesday, 19 July, 2023 - 20:02


    The protracted arms race between criminals who wage distributed denial-of-service attacks and the defenders who attempt to stop them continues, as the former embraces “alarming” new methods to make their online offensives more powerful and destructive, researchers from content-delivery network Cloudflare reported Wednesday.

    With a global network spanning more than 300 cities in more than 100 countries around the world, Cloudflare has visibility into these types of attacks that’s shared by only a handful of other companies. The company said it delivers more than 63 million network requests per second and more than 2 trillion domain lookups per day during peak times. Among the services that Cloudflare provides is mitigation for the attacks, which are typically referred to by the abbreviation DDoS.

    Alarming escalation

    “In recent months, there's been an alarming escalation in the sophistication of DDoS attacks,” Cloudflare researchers Omer Yoachimik and Jorge Pacheco wrote Wednesday in a threat report that recaps highlights during the second quarter of this year. “And even the largest and most sophisticated attacks that we’ve seen may only last a few minutes or even seconds—which doesn’t give a human sufficient time to respond.”


      Prosecutors charge 6 people for allegedly waging massive DDoS attacks

      news.movim.eu / ArsTechnica · Wednesday, 14 December, 2022 - 22:31


    Federal prosecutors on Wednesday charged six people for allegedly operating websites that launched millions of powerful distributed denial of service attacks on a wide array of victims on behalf of millions of paying customers.

    The sites promoted themselves as booter or stressor services designed to test the bandwidth and performance of customers’ networks. Prosecutors said in court papers that the services were used to direct massive amounts of junk traffic at third-party websites and Internet connections customers wanted to take down or seriously constrain. Victims included educational institutions, government agencies, gaming platforms, and millions of individuals. Besides charging six defendants, prosecutors also seized 48 Internet domains associated with the service.

    “These booter services allow anyone to launch cyberattacks that harm individual victims and compromise everyone’s ability to access the Internet,” Martin Estrada, US attorney for the Southern District of California, said in a statement. “This week’s sweeping law enforcement activity is a major step in our ongoing efforts to eradicate criminal conduct that threatens the internet’s infrastructure and our ability to function in a digital world.”


      European Parliament declares Russia a terrorism sponsor, then its site goes down

      news.movim.eu / ArsTechnica · Wednesday, 23 November, 2022 - 20:59


    The European Parliament website was knocked offline for several hours on Wednesday by a distributed denial-of-service (DDoS) attack that started shortly after the governing body voted to declare the Russian government a state sponsor of terrorism.

    European Parliament President Roberta Metsola confirmed the attack on Wednesday afternoon European time, while the site was still down. “A pro-Kremlin group has claimed responsibility,” she wrote on Twitter. “Our IT experts are pushing back against it & protecting our systems. This, after we proclaimed Russia as a State-sponsor of terrorism.”

    While this post was being reported and written, the website became available again and appeared to work normally.


      The record-setting DDoSes keep coming, with no end in sight

      news.movim.eu / ArsTechnica · Wednesday, 21 September, 2022 - 19:15


    The record-vying distributed denial-of-service attacks keep coming, with two mitigation services reporting they encountered some of the biggest data bombardments ever by threat actors whose tactics and techniques are constantly evolving.

    On Monday, Imperva said it defended a customer against an attack that lasted more than four hours and peaked at more than 3.9 million requests per second (RPS).


    In all, the attackers directed 25.3 billion requests at the target with an average rate of 1.8 million RPS. While DDoSes exceeding 1 million RPS are growing increasingly common, they typically come in shorter bursts that measure in seconds or a few minutes at most.


      Pro-Russia threat group Killnet is pummeling Lithuania with DDoS attacks

      news.movim.eu / ArsTechnica · Monday, 27 June, 2022 - 21:52


    Internet services in Lithuania came under "intense" distributed denial of service attacks on Monday as the pro-Russia threat-actor group Killnet took credit. Killnet said its attacks were in retaliation for Lithuania's recent banning of shipments sanctioned by the European Union to the Russian exclave of Kaliningrad.

    Lithuania's government said that the flood of malicious traffic disrupted parts of the Secure National Data Transfer Network, which it says is "one of the critical components of Lithuania's strategy on ensuring national security in cyberspace" and "is built to be operational during crises or war to ensure the continuity of activity of critical institutions." The country's Core Center of State Telecommunications was identifying the sites most affected in real time and providing them with DDoS mitigations while also working with international web service providers.

    "It is highly probable that such or even more intense attacks will continue into the coming days, especially against the communications, energy, and financial sectors," Jonas Skardinskas, acting director of Lithuania's National Cyber Security Center, said in a statement. The statement warned of website defacements, ransomware, and other destructive attacks in the coming days.


      Tsunami of junk traffic that broke DDoS records delivered by tiniest of botnets

      news.movim.eu / ArsTechnica · Wednesday, 15 June, 2022 - 21:37


    A massive flood of malicious traffic that recently set a new distributed denial-of-service record came from an unlikely source. A botnet of just 5,000 devices was responsible as extortionists and vandals continue to develop ever more powerful attacks to knock sites offline, security researchers said.

    The DDoS delivered 26 million HTTPS requests per second, breaking the previous record of 15.3 million requests for that protocol set only seven weeks ago, Cloudflare Product Manager Omer Yoachimik reported. Unlike more common DDoS payloads such as HTTP, SYN, or SYN-ACK packets, malicious HTTPS requests require considerably more computing resources for the attacker to deliver and for the defender or victim to absorb.

    4,000 times stronger

    "We've seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale," Yoachimik wrote.
