Cloudflare blocked multi-vector DDoS attack that peaked at almost 2 Tbps

Attack was launched from 15,000 bots running Mirai malware on compromised Internet of Things (IoT) devices and unpatched GitLab instances

Web security provider Cloudflare said it mitigated a multi-vector, distributed denial-of-service (DDoS) attack that peaked at almost 2 terabytes per second (Tbps) - the largest attack the company has seen to date.

The assault, which lasted just one minute, was launched from approximately 15,000 bots running a variant of the original Mirai malware code on compromised Internet of Things (IoT) devices and unpatched GitLab instances.

It combined DNS amplification attacks as well as UDP floods, the company said in a blog post.

GitLab instances roped into the botnet are affected by a critical vulnerability that could be exploited by malicious actors to remotely run code, such as botnet malware, on a vulnerable server.

The bug is indexed as CVE-2021-22205 and has a CVSS score of 10. A fix for this vulnerability was released in April, but the bug remains unpatched on thousands of systems, according to security researchers.

Earlier this month, Rapid7 warned that at least half of the 60,000 internet-facing GitLab instances remain unpatched, and the exploitation is expected to increase in coming days as details of the vulnerability are widely understood.

"There are multiple recently published public exploits for this vulnerability, and it reportedly has been exploited in the wild since June or July of 2021. We expect exploitation to increase as details of the unauthenticated nature of this vulnerability become more widely understood," the Rapid7 researchers noted.

Cloudflare says its systems constantly analyse traffic samples "out-of-path", which allows them "to asynchronously detect DDoS attacks without causing latency or impacting performance".

"Once the attack traffic was detected (within sub-seconds), our systems generated a real-time signature that surgically matched against the attack patterns to mitigate the attack without impacting legitimate traffic."
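The out-of-path sampling and real-time signature step described above, as an added illustration that is not Cloudflare's code: it scales 1-in-N packet samples back to a packet rate, flags a destination whose rate far exceeds its baseline, and derives attribute-tuple signatures that cover the attack samples while leaving the legitimate traffic untouched. The sample records, the sampling ratio, the baseline rate and the target address are all assumptions constructed for this example.

```python
from collections import Counter, namedtuple

# Constructed sampled-flow records (not real Cloudflare telemetry): each record is one
# packet copied out of the forwarding path, so analysing it adds no latency.
Sample = namedtuple("Sample", "dst proto src_port dst_port length")
TARGET = "203.0.113.10"  # documentation-range address standing in for the victim

def make_samples():
    legit = [Sample(TARGET, "TCP", 443, 50000 + i, 1200) for i in range(5)]
    legit += [Sample(TARGET, "UDP", 53, 40000 + i, 120) for i in range(3)]
    # DNS amplification: large UDP responses from source port 53 converging on the target.
    amp = [Sample(TARGET, "UDP", 53, 3333, 3800 + i % 7) for i in range(120)]
    # Plain UDP flood: full-size packets from random source ports to one service port.
    flood = [Sample(TARGET, "UDP", 10000 + i, 8443, 1460) for i in range(80)]
    return legit + amp + flood

def attrs(s):
    return {"proto": s.proto, "src_port": s.src_port, "dst_port": s.dst_port,
            "len_bucket": s.length // 512 * 512}

def detect(samples, sample_every_n, baseline_pps, factor=10.0):
    # Scale 1-in-N sample counts back to packets/s and compare with a per-target baseline.
    est = {d: c * sample_every_n for d, c in Counter(s.dst for s in samples).items()}
    return {d: r for d, r in est.items() if r > factor * baseline_pps.get(d, 1.0)}

# Attribute combinations tried when deriving a signature: a flood from random source
# ports will not group on src_port, but it will on dst_port.
CANDIDATE_KEYS = (("proto", "src_port", "len_bucket"), ("proto", "dst_port", "len_bucket"))

def build_signatures(samples, dst, min_share=0.25):
    # Keep attribute tuples shared by at least min_share of the target's samples.
    target = [attrs(s) for s in samples if s.dst == dst]
    sigs = []
    for key in CANDIDATE_KEYS:
        for sig, n in Counter(tuple((k, a[k]) for k in key) for a in target).items():
            if n / len(target) >= min_share:
                sigs.append(dict(sig))
    return sigs

def matches(sigs, s):
    a = attrs(s)
    return any(all(a[k] == v for k, v in sig.items()) for sig in sigs)

def run(samples, sample_every_n=100, baseline_pps=None):
    flagged = detect(samples, sample_every_n, baseline_pps or {TARGET: 100.0})
    sigs = [sig for dst in flagged for sig in build_signatures(samples, dst)]
    dropped = [s for s in samples if s.dst in flagged and matches(sigs, s)]
    passed = [s for s in samples if s not in dropped]
    return flagged, sigs, dropped, passed
```

Calling `run(make_samples())` flags the target at an estimated 20,800 packets/s, derives three signatures, and drops the 200 amplification and flood samples while all 8 legitimate samples pass.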

DDoS attacks, one of the most powerful weapons available to cyber actors, target online services and websites and overwhelm them with massive volumes of traffic that the server or network cannot accommodate.

The main goal behind such attacks is to create problems for the business by making their website inoperable. The disruption also causes problems for individual users who are prevented from accessing the service they require.

In DDoS attacks, the huge volume of traffic usually comes in the form of fake packets, requests for connections, and incoming messages. In many cases, attackers target a website or business with a low-level attack initially and threaten to launch a more damaging attack if ransom is not paid to them.

Cloudflare says the overall number of terabit-level DDoS attacks it observed increased in the third quarter of the year. The network-layer incidents were up 44 per cent quarter-over-quarter.

The company saw several "record-setting HTTP DDoS attacks, terabit-strong network-layer attacks and one of the largest botnets ever deployed (Meris)" in Q3, noting the emergence of ransom DDoS attacks on voice over IP (VoIP) service providers.

In August, Cloudflare observed a Mirai-variant botnet launching multiple 1Tbps attacks, some peaking at 1.2 Tbps.

The data showed that most DDoS attacks originated from devices and servers in China, the US and India, although the number of attacks from China was down 30 per cent throughout the quarter.

In the ongoing fourth quarter, the company has seen multiple terabit-strong attacks targeting Cloudflare customers.

Microsoft says it blocked a massive 2.4 Tbps assault in August, which originated from 70,000 devices worldwide.

Google and Amazon have also said they mitigated 2.5 Tbps and 2.3 Tbps DDoS attacks, respectively, last year.

In March, researchers at DDoS mitigation provider Netscout said they had identified 4,283 publicly reachable servers that could be abused by cyber criminals to launch D/TLS reflection/amplification DDoS attacks.