Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Cloudflare mitigates record-breaking 71 million request-per-second DDoS attack
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Cloudflare mitigates record-breaking 71 million request-per-second DDoS attack

https://blog.cloudflare.com/cloudflare-mitigates-record-breaking-71-million-request-per-second-ddos-attack/

This was a weekend of record-breaking DDoS attacks. Over the weekend, Cloudflare detected and mitigated dozens of hyper-volumetric DDoS attacks. The majority of attacks peaked in the ballpark of 50-70 million requests per second (rps) with the largest exceeding 71 million rps. This is the largest reported HTTP DDoS attack on record, more than 35% higher than the previous reported record of 46M rps in June 2022.

The attacks were HTTP/2-based and targeted websites protected by Cloudflare. They originated from over 30,000 IP addresses. Some of the attacked websites included a popular gaming provider, cryptocurrency companies, hosting providers, and cloud computing platforms. The attacks originated from numerous cloud providers, and we have been working with them to crack down on the botnet.

Comments

  • Free Botnet where? jkjk

    Super nice of them to offer a free botnet threat feed to hosting providers. Automated emails to hosting providers to report abuse would be nice so they can clean up their networks.

    Thanked by 1Erisa
  • @Erisa said:
    The attacks originated from numerous cloud providers, and we have been working with them to crack down on the botnet.

    But you OVH, Digital Ocean, and Linode were the top three offenders.

    Thanked by 2greentea yongsiklee
  • @kait said:
    Free Botnet where? jkjk

    Super nice of them to offer a free botnet threat feed to hosting providers. Automated emails to hosting providers to report abuse would be nice so they can clean up their networks.

    if would be funny if cloudflare, the company that is famous for hiding all kind of scammers and phishers, and for ignoring related abuse emails, would send out abuse emails to others.

    Thanked by 3OhJohn kait gzz
  • MikeAMikeA Member, Patron Provider
    edited February 2023

    The past two week I've had a few large attacks, CloudFlare is always able to block them. As usual, the biggest offending networks are DigitalOcean, Multacom, Quadranet (some others I already blocked so not shown in my recent attack history) and smaller portions for hourly providers like Azure/AWS. Of course there's a mix of residential IPs from exploited devices but the majority of attack traffic is always from DCs.

    Edit: Would you like your company to be the next best DDoS botnet host? Start offering hourly VPS and don't run any security checks! Free money amirite.

    Thanked by 3Erisa ariq01 let_rocks
  • @mrTom said: if would be funny if cloudflare, the company that is famous for hiding all kind of scammers and phishers, and for ignoring related abuse emails, would send out abuse emails to others.

    Forgot the irony of my post, totally agree with you.

  • LOL redhooded block longhaired blue girl smurfs??

    Should I be worried about DDoS attacks?

    Yes, buy cloudflare.

  • treesmokahtreesmokah Member
    edited February 2023

    Cloudflare automatic mitigation is absolutely ass, it does not work even on higher plans.
    I had to deploy custom rules basically forcing legacy captcha(their new "smart" detection or whatever is ass) to mitigate any attacks deployed by people with at least half a brain.
    The only L7 DDoS Mitigation provider that worked out of the box(from my personal experience) was DDoS-Guard - but I've came across a few shitty things they did and I would not put anything critical to me over their L7 proxy, even Cloudflare is more "ethical" than them(they are still scum).

    Also pro-tip for anyone using Cloudflare, disable "privacy pass" support(enabled by default) - its an extension not many people use, but is being abused by attackers to bypass any cloudflare captchas you have in place.

    Cloudflare is a joke.
    Not to mention that 90% people using Cloudflare are retards that still expose their direct IP(as well as the webserver itself) unproxied - and you can attack it directly, without going through cloudflare. Or even better, they set up reverse DNS for their IP that literally gives an attacker the exact IP linked to the domain name.
    If you think your setup is great, hop on Shodan or Censys and search your SSL cert and or hostname.

  • @treesmokah said: Not to mention that 90% people using Cloudflare are retards that still expose their direct IP(as well as the webserver itself) unproxied - and you can attack it directly, without going through cloudflare. Or even better, they set up reverse DNS for their IP that literally gives an attacker the exact IP linked to the domain name.

    If you think your setup is great, hop on Shodan or Censys and search your SSL cert and or hostname.

    Works wonders, and there is another way to take down a site that setup cloudflare correctly, pom taught me that technique.

  • CloudFlare is a joke, they attack themselves to portray themselves as big and strong 😅

  • kidrockkidrock Member
    edited February 2023

    @treesmokah said:
    Cloudflare automatic mitigation is absolutely ass, it does not work even on higher plans.

    Also pro-tip for anyone using Cloudflare, disable "privacy pass" support(enabled by default) - its an extension not many people use, but is being abused by attackers to bypass any cloudflare captchas you have in place.

    Cloudflare is a joke.
    Not to mention that 90% people using Cloudflare are retards that still expose their direct IP(as well as the webserver itself) unproxied - and you can attack it directly, without going through cloudflare. Or even better, they set up reverse DNS for their IP that literally gives an attacker the exact IP linked to the domain name.

    If you think your setup is great, hop on Shodan or Censys and search your SSL cert and or hostname.

    Appreciate if you can provide any tutorial links to setup Cloudflare correctly with best security settings. Google search results are the posts providing same general settings.

  • @kait said:

    there is another way to take down a site that setup cloudflare correctly, pom taught me that technique.

    Mind sharing it ? So that people can protect their site better

  • @kidrock said:

    @treesmokah said:
    Cloudflare automatic mitigation is absolutely ass, it does not work even on higher plans.

    Also pro-tip for anyone using Cloudflare, disable "privacy pass" support(enabled by default) - its an extension not many people use, but is being abused by attackers to bypass any cloudflare captchas you have in place.

    Cloudflare is a joke.
    Not to mention that 90% people using Cloudflare are retards that still expose their direct IP(as well as the webserver itself) unproxied - and you can attack it directly, without going through cloudflare. Or even better, they set up reverse DNS for their IP that literally gives an attacker the exact IP linked to the domain name.

    If you think your setup is great, hop on Shodan or Censys and search your SSL cert and or hostname.

    Appreciate if you can provide any tutorial links to setup Cloudflare correctly with best security settings. Google search results are the posts providing same general settings.

    Hey, I'm not aware of any public source that lists "essentials" of using Cloudflare in a high-risk env.
    I'm self-taught, I learned it myself when I was getting attacked(or while I was attacking) and had to tweak things.

    I'm happy to answer whatever questions you may have though.
    The bare minimum of using cloudflare is making sure that your webserver is only reachable over cloudflare, if you are using a VPS - https://github.com/Paul-Reed/cloudflare-ufw/blob/master/cloudflare-ufw.sh this script will help you a lot

    Thanked by 2kidrock Void
  • @jmaxwell said: Mind sharing it ? So that people can protect their site better

    The Cloudflare blog has steps to better protect your site at https://blog.cloudflare.com/cloudflare-mitigates-record-breaking-71-million-request-per-second-ddos-attack/ under heading What steps should I take to defend against DDoS attacks?

    For 4th step, they forgot to link to https://developers.cloudflare.com/fundamentals/get-started/setup/allow-cloudflare-ip-addresses/ though

    You can also use Cloudflare Tunnels too i.e. https://blog.centminmod.com/2021/02/09/2250/how-to-setup-cloudflare-argo-tunnel-on-centos-7/

    Thanked by 2verd Void
  • eva2000eva2000 Veteran
    edited February 2023

    @treesmokah said: Cloudflare automatic mitigation is absolutely ass, it does not work even on higher plans.
    I had to deploy custom rules basically forcing legacy captcha(their new "smart" detection or whatever is ass) to mitigate any attacks deployed by people with at least half a brain.
    The only L7 DDoS Mitigation provider that worked out of the box(from my personal experience) was DDoS-Guard - but I've came across a few shitty things they did and I would not put anything critical to me over their L7 proxy, even Cloudflare is more "ethical" than them(they are still scum).

    Layer 7 application attacks can't really be 100% automatically mitigated. You need to provide hints to Cloudflare WAF/Firewall so Cloudflare knows what is considered legit traffic to your specific web app and what is not legit. Cloudflare provides you with the tools to provide those hints via Cloudflare WAF and Firewall rules and more recently via Cloudflare Transform request header/rewrite rules and Cache Rules and unmetered Cloudflare rate limiting rules.

  • treesmokahtreesmokah Member
    edited February 2023

    @eva2000 said:

    @treesmokah said: Cloudflare automatic mitigation is absolutely ass, it does not work even on higher plans.
    I had to deploy custom rules basically forcing legacy captcha(their new "smart" detection or whatever is ass) to mitigate any attacks deployed by people with at least half a brain.
    The only L7 DDoS Mitigation provider that worked out of the box(from my personal experience) was DDoS-Guard - but I've came across a few shitty things they did and I would not put anything critical to me over their L7 proxy, even Cloudflare is more "ethical" than them(they are still scum).

    Layer 7 application attacks can't really be 100% automatically mitigated. You need to provide hints to Cloudflare WAF/Firewall so Cloudflare knows what is considered legit traffic to your specific web app and what is not legit. Cloudflare provides you with the tools to provide those hints via Cloudflare WAF and Firewall rules and more recently via Cloudflare Transform request header/rewrite rules and Cache Rules and unmetered Cloudflare rate limiting rules.

    If a webserver returning "overload" errors is not enough for Cloudflare to enable their shitty "under attack mode" - I don't know what is.
    100k/req/s with user-agent "faggot" was happily passed through by cloudflare.
    DDoS-Guard is literally plug and play, as soon as it notices insanely high pps - it forces a captcha(a real captcha, not cloudflare bullshit that can be bypassed).

    That said, Cloudflare is great if you have brain - sadly most of its users, don't(even enterprise clients).
    In my experience, automatic detection of attacks in Cloudflare is useless, unless you do your own rules - it wont filter shit(or actually, it might, if the same IP is sending 2k/req/s+)

    The only pros of Cloudflare is that they can tank any amount of L7, if you send it to them. But L4, may be different - nodes are not anycasted and if you have enough power(and such power is on the market, and is getting cheaper and cheaper), you can take them down.

    I'm speaking from my lengthy experience in both attacking and defending L7 ddos-attacks. Yours may vary.

  • FatGrizzlyFatGrizzly Member, Host Rep

    are there any performance differences between cloudflare tunnel and cloudflare default ip based setup? like will my perf drop If i'm using the tunnel?

  • eva2000eva2000 Veteran
    edited February 2023

    @FatGrizzly said: are there any performance differences between cloudflare tunnel and cloudflare default ip based setup? like will my perf drop If i'm using the tunnel?

    Not enough difference to notice really.

    @treesmokah said: That said, Cloudflare is great if you have brain - sadly most of its users, don't(even enterprise clients).
    In my experience, automatic detection of attacks in Cloudflare is useless, unless you do your own rules - it wont filter shit(or actually, it might, if the same IP is sending 2k/req/s+)

    Yeah depends, I don't even use Under attack mode, CF WAF/Firewall/Transform/Rate Limit rules assist CF automatic mitigation for me. Early this month had 19 million request attack and CF DDOS mitigation caught 13.1 million, my Firewall Rules caught 5.32 million, rate limit rules caught 709K, security level WAF caught 240k, Managed rules 2.6k with less than 100 request reaching the backend. There's overlap with my Firewall Rules probably catching stuff CF DDOS mitigation already handles.

    But probably not applicable to a lot of folks as only CF paid plans have better Firewall/Analytics to help you profile and work out what requests to block. CF free plans have limited Firewall analytics and rule quotas to be useful TBH.

  • @eva2000 said: Yeah depends, I don't even use Under attack mode, CF WAF/Firewall/Transform/Rate Limit rules assist CF automatic mitigation for me. Early this month had 19 million request attack and CF DDOS mitigation caught 13.1 million, my Firewall Rules caught 5.32 million, rate limit rules caught 709K, security level WAF caught 240k, Managed rules 2.6k with less than 100 request reaching the backend. There's overlap with my Firewall Rules probably catching stuff CF DDOS mitigation already handles.

    But probably not applicable to a lot of folks as only CF paid plans have better Firewall/Analytics to help you profile and work out what requests to block. CF free plans have limited Firewall analytics and rule quotas to be useful TBH.

    The single "basic" thing that does a lot of job for me and is worth paying to Cloudflare(on top of a paid plan) is their rate-limitting - it works really nice on most attack vectors.

  • @treesmokah said:
    The only pros of Cloudflare is that they can tank any amount of L7, if you send it to them. But L4, may be different - nodes are not anycasted and if you have enough power(and such power is on the market, and is getting cheaper and cheaper), you can take them down.

    Not sure what you mean by that but Cloudflare serves traffic on anycast ips. They frequently talk about how using anycast increases their scrubbing capacity.

  • treesmokahtreesmokah Member
    edited February 2023

    @itzaname said:

    @treesmokah said:
    The only pros of Cloudflare is that they can tank any amount of L7, if you send it to them. But L4, may be different - nodes are not anycasted and if you have enough power(and such power is on the market, and is getting cheaper and cheaper), you can take them down.

    Not sure what you mean by that but Cloudflare serves traffic on anycast ips. They frequently talk about how using anycast increases their scrubbing capacity.

    You can pinpoint the node responsible for delivering/receiving traffic from the origin server. These nodes fall down with 500Gbps+ L4 volumetric attacks. (voices in my head told me that)
    I'm not pulling this out of my ass, but I'm not willing to elaborate further. So lets keep your version the official one.

    For 99,99% of cloudflare clients, it wont be a problem.

  • kidrockkidrock Member
    edited February 2023

    @treesmokah said:
    Hey, I'm not aware of any public source that lists "essentials" of using Cloudflare in a high-risk env.
    I'm self-taught, I learned it myself when I was getting attacked(or while I was attacking) and had to tweak things.

    I'm happy to answer whatever questions you may have though.
    The bare minimum of using cloudflare is making sure that your webserver is only reachable over cloudflare, if you are using a VPS - https://github.com/Paul-Reed/cloudflare-ufw/blob/master/cloudflare-ufw.sh this script will help you a lot..

    Thanks for the script. Any such advice for shared hosting?
    BTW, if you have used Quic Cloud, which one do you think is better for Litespeed servers - Cloudflare or QuicCloud? Quic is better for speed performance on Litespeed, but it has fewer configurations for security.

  • @Donkey said:
    CloudFlare is a joke, they attack themselves to portray themselves as big and strong 😅

    Name checks out.

  • itzanameitzaname Member
    edited February 2023

    @treesmokah said:

    @itzaname said:

    @treesmokah said:
    The only pros of Cloudflare is that they can tank any amount of L7, if you send it to them. But L4, may be different - nodes are not anycasted and if you have enough power(and such power is on the market, and is getting cheaper and cheaper), you can take them down.

    Not sure what you mean by that but Cloudflare serves traffic on anycast ips. They frequently talk about how using anycast increases their scrubbing capacity.

    You can pinpoint the node responsible for delivering/receiving traffic from the origin server. These nodes fall down with 500Gbps+ L4 volumetric attacks. (voices in my head told me that)
    I'm not pulling this out of my ass, but I'm not willing to elaborate further. So lets keep your version the official one.

    For 99,99% of cloudflare clients, it wont be a problem.

    They actually anycast their egress now but it seems to be limited within a region in practice. Multiple servers behind one IP but port ranges map directly to one server. IPv6 is all unicast afaik. I believe you but I'm just shocked they don't have something in place for that. Oh well...

Sign In or Register to comment.