beyond the headlines
February 24, 2023by Ilana Touboul, Ebin Sandler

Cloudflare mitigates largest-ever volumetric DDoS attack

While some of the mitigated Cloudflare attacks peaked at 50-70 million requests per second (RPS), most exceeded 71 million RPS, beating the previous record of 46 million.

The Headline

Cloudflare recently announced that it thwarted the largest-ever volumetric Distributed-Denial-of-Service (DDoS) campaign targeting its customers, which involved multiple waves of hyper-volumetric DDoS attacks.

Threat actors launch DDoS attacks for several reasons, ranging from political motivations to revenge and economic sabotage. Sometimes, attackers use DDoS campaigns to extort money from victims, demanding payments to cease attacks. DDoS attacks can also be used as a smokescreen for other malicious activities, such as data theft or cybercrime.

Read: Reshaping the Threat Landscape in 2023: Cybersixgill Announces Top Trends in Cybersecurity

According to Cloudflare, most DDoS attacks hit their apex around 50-70 million requests per second (RPS), with the largest surpassing 71 million RPS. The incident was considered the most severe HTTP DDoS attack ever reported, exceeding the previous record of 46 million RPS in June 2022. Using over 30,000 IP addresses from various cloud providers, the attacks were directed at various targets, including gaming providers, cryptocurrency firms, cloud computing platforms, and hosting providers.

As Cloudflare's recent DDoS incident illustrates, DDoS attacks are launched with greater frequency and have become powerful. Indeed, the amount of HTTP DDoS attacks documented by Cloudflare surged by 79% year-over-year, and the number of volumetric attacks exceeding 100 billion bits per second (Gbps) increased by 67% quarter-over-quarter (QoQ). In addition, Cloudflare also observed an 87% QoQ increase in the number of attacks lasting over three hours.

The size of volumetric DDoS attacks has increased since 2021, when several botnets began exploiting devices and flood targets with millions of requests per second. An example was a 250,000-strong network of infected IoT devices used in 2021 to attack the Russian search engine Yandex with a 21.8 million RPS attack. The same botnet had previously targeted a Cloudflare client with a 17.2 million RPS attack.

In response to the uptick in DDoS attacks, the FBI in December 2022 seized 48 Internet domains and charged six individuals with operating Booter and Stresser platforms to launch DDoS attacks. The FBI action was part of an international law enforcement effort called Operation PowerOFF to combat criminal activity threatening Internet infrastructure and legitimate users’ access to it. The FBI partnered with the UK’s National Crime Agency and the Police of the Netherlands to display search engine ads deterring people from looking for DDoS services.

Diving Deeper

The recent Cloudflare attacks shed light on the growing threat posed by DDoS-for-hire services on the underground. Indeed, Cybersixgil collected a post advertising DDoS services from a popular Russian-language cybercrime forum member. The forum member described themself as “the most famous DDoS executor in the world” and listed the “advantages” of using their services, which are based on a well-known malware strain. Allegedly designed to bypass “any” anti-DDoS protections, the forum member’s botnet includes 10,000-80,000 devices, with a free trial offered before purchase.

The forum member also touted the “lowest” starting price ($20) on the market, where prices vary according to the target site's content, the target industry, the kind of anti-DDoS protection on the target’s systems, and the timing of the attack. The forum member offered to assist customers in protecting their servers or websites from attacks and shared a Telegram contact, inviting potential buyers to test the service. While no forum members publicly responded to the advertisement, interested parties may have made contact via Telegram per the post’s instructions.

Figure 1: A post advertising DDoS services on a Russian cybercrime forum

The DDoS threat cannot be discussed without mentioning the activity of pro-Russian hacktivist groups, which specialize in launching DDoS attacks on organizations in pro-Ukrainian countries. Among the most active of these groups is a collective that has been active since March 2022, when the group pledged allegiance to Russia following its invasion of Ukraine. Since 2022, the collective has launched hundreds of DDoS attacks on Western countries, including, but not limited to, Italy, Romania, Moldova, the Czech Republic, Lithuania, Norway, and Latvia.

Recently, the collective added entities related to the pro-Ukraine North Atlantic Treaty Organization (NATO) to its victim list, as depicted in the screenshot below. On February 12, 2023, the collective claimed it launched successful DDoS attacks on multiple NATO sites, including the NATO Special Operations Headquarters (NSHQ) website and the site of NATO's Warfare Development Command.

The NSHQ attack allegedly impacted the website of the Strategic Airlift Capability and interrupted contact between NATO and military aircraft providing aid to victims of the recent Turkey-Syria earthquake, which killed tens of thousands of people. Such incidents illustrate DDoS attacks’ ability to disrupt critical operations and systems, possibly endangering human lives.

Figure 2: Pro-Russian hacktivist group announces on Telegram DDoS attacks on NATO sites


The record-breaking DDoS attacks launched on Cloudflare customers highlight the threat posed by this attack. As the most severe HTTP DDoS attack ever reported, the incident was likely perpetrated by several sophisticated threat actors. While the motive remains unknown, Cybersixgill has observed politically motivated actors leveraging DDoS attacks to further specific ideological agendas.

Due to the potential effects of large-scale DDoS attacks on direct victims and related entities, organizations should implement proper security measures to reduce the attack surface and the impact of possible DDoS campaigns. Among these measures, organizations should avoid exposing corporate resources to ports, protocols, or applications from which connection is not required; place critical resources behind Content Delivery Networks (CDNs) or Load Balancers; and limit Internet traffic to specific sections of the corporate infrastructure.

Cybersixgill automatically aggregates data leaks and alerts customers in real time.

Learn More

You may also like


March 28, 2023

Threat Actors Sell Cybersecurity Firms' Sensitive Data on the Underground

Read more

March 16, 2023

Researchers Discover Sensitive US Military-Related Email Server Exposed Online

Read more

March 14, 2023

Powerful new ‘stealc’ malware builds buzz on the underground

Read more