Learn from these 5 DDoS attacks
The three main types of DDoS attack include volumetric attacks, protocol attacks, and application layer attacks. With volumetric DDoS attacks, botnets are used which flood the network and quickly overwhelms it. With protocol attacks, network equipment such as firewalls and load balancers are compromised to drain the server resources. An application layer DDoS attack on the other hand represents a more sophisticated attack, utilizing less resources and targeting program weaknesses by imitating genuine user activity.
During a DDoS (Distributed Denial of Service) attack, massive volumes of data are being transmitted simultaneously from a network of computers to the server infrastructure of an organization. The perpetrators behind large DDoS attacks mostly use botnets, in other words hacked servers of innocent users that are interconnected. These compromised servers are abused to carry out such attacks on an organization’s IT infrastructure.
Particularly with the somewhat larger DDoS attacks, the amount of data tends to be far greater than what a company’s server architecture is built to manage. Due to these large DDoS attacks and the associated rush of data, an organization’s server can become temporarily unavailable or at least poorly accessible. In 2020 we wrote in an article about our DDoS service that attacks were reportedly bigger, longer, and more complicated. In 2023 this trend has not slowed down. According to NBIP, a Dutch non-profit organization for ISPs, the number of DDoS attacks in the first quarter of 2023 doubled from first quarter. This statistic comes from research conducted within their own members. The question remains: how will organizations be able to fend off such a growing number of DDoS attacks?
In this article, we list some of the most prominent DDoS attacks in recent history. The immense size of these attacks may have you consider utilizing a network backbone for your IT infrastructure with ample bandwidth available, like the one offered by Worldstream. Add to that an innovative DDoS protection scrubbing center with scalable capacity to mitigate even the most sophisticated threats, like Worldstream’s DDoS protection service for dedicated servers and services within the Worldstream network. With Worldstream DDoS Shield you may assume that you are well prepared for such massive attacks.
These are one of the most remarkable DDoS attacks any IT organization should know about
1. The 71 Million Requests at Cloudflare's NOC
: Weekend of February 11, 2023
: 71 million requests p/s
: Multiple attempts on the weekend of 11 to 12 February
: Several unnamed cloud providers
: During the weekend of February 11, Cloudflare detected and mitigated many hyper-volumetric DDoS attacks. Most of the attempts were measured between 50 and 70 million requests per second. At its height, a little over 71 million requests clocked in at Cloudflare's Network Operation Center. Luckily, mitigation is part of Cloudflare's main proposition because an attack of this size could very well cripple an organization.
Cloudflare is a content delivery network (CDN) that is widely used by organizations to ensure visitors have safe access to their websites. An estimated 80% of all websites use Cloudflare's reverse proxy service. To date, this is the largest reported HTTP DDoS attack on record, more than 54% higher than the last record of 46 million requests to Google Cloud on June 1, 2022.
These hyper-volumetric attacks were HTTP/2-based and targeted websites protected by Cloudflare. Volumetric DDoS attacks are designed to send an overwhelming amount of malicious traffic in order to congest networks. Over 30,000 original IP addresses were identified as the source. Affected companies included a popular gaming provider, multiple cryptocurrency companies, several hosting providers, and numerous cloud computing platforms. To crack down on the botnet, Cloudflare worked together with the cloud providers where the attacks originated.
Some believed that this massive request flooding was related to the Killnet group, a pro-Russian hacktivist group that targeted healthcare organizations. Others found the timing of the US Super Bowl (Sunday, February 12) to be a little suspicious. However, in both cases, Cloudflare did not find any correlation between the events. Even though the requests came from multiple providers and occurred during a single weekend, no group has claimed responsibility.
2. DDoS Target: The Asian Client of Microsoft Azure
: November 2021
: 3.47 Tbit/s
: 15 minutes
: 10,000 compromised hosts from 10 countries
: None, as Microsoft successfully mitigated the attack
In late August 2021, Microsoft withstood a 3.47 Tbit/s DDoS attack aimed at its cloud infrastructure, the most powerful DDoS attack against Microsoft infrastructure to date. At its peak throughput of 3.47 Tbit/s, this DDoS attack attained a packet rate of 340 million packets per second. An unidentified Azure cloud customer in Asia was the actual target of the attack. According to Microsoft, this DDoS attack was launched from 10,000 sites located in at least 10 different countries including China, South Korea, Russia, the U.S., India, Vietnam, Thailand, Iran, Taiwan, and Indonesia. The entire attack lasted roughly 15 minutes.
Azure fended off two more massive DDoS attacks the following month, both of which again targeted customers in Asia. Although not as big as the first one in November 2021, the size of these successive attacks was still rather impressive. The first one, which weighed in at 3.25 Tbit/s was a UDP attack which lasted more than 15 minutes and included four primary peaks: 3.25 Tbit/s, 2.54 Tbit/s, 0.59 Tbit/s, and 1.25 Tbit/s. The other DDoS attack was a 2.55 Tbit/s UDP attack on that lasted little over five minutes and had one single peak.
The 15 minutes attack in November 2021 utilized multiple attack vectors for UDP (User Datagram Protocol) reflection on port 80. UDP request and answer packets are then mirrored within a local network using a faked source Internet Protocol (IP) address. This UDP reflection attack included: Simple Service Discovery Protocol (SSDP); Network Time Protocol (NTP); Domain Name System (DNS); as well as Connection-less Lightweight Directory Access Protocol (CLDAP). With the successive attacks in December 2021, also port 443 was being used.
3. State Sponsored-attack on Google Cloud
: September 2017
: 2.54 Tbit/s
: Over 6 months
: According to Google’s Threat Analysis Group, this DDoS attack was backed by a government-entity while it came from China.
: The attack was mitigated by Google.
The 2.54 Tbit/s peak was the climax of a 6-month DDoS attack that hammered Google Cloud’s server infrastructure with various DDoS protection techniques. Back then, this DDoS Attack was four times larger than a record-breaking, Mirai botnet based 623 Gbit/s DDoS attack one year earlier. During the attack on Google Cloud, 167 million packets per second (Mpps) through multiple networks were sent to 180,000 compromised CLDAP, DNS, and SMTP servers, which subsequently sent massive replies to the Google Cloud server infrastructure.
The DDoS attack began within the network of four Chinese Internet Service Providers (ISPs), according to Google Threat Analysis Group (TAG) experts. Despite targeting thousands of Google’s IP addresses at the same time, probably in the hopes of getting past automated protections, the attacking had no effect. Google Cloud did not disclose the 2017 DDoS attack until 2020. By still doing so three years later, the hyperscaler aimed to call attention to the rising number and scope of state-sponsored DDoS attacks. Google also aimed at drawing attention to internet bandwidth capacity growth and associated reinforcement of DDoS attacks in the years ahead.
Although the DDoS attack on Google Cloud was unsuccessful, the tech giant discovered multiple vulnerabilities in servers, which it notified to the appropriate network providers. Google also worked with these network providers to track the attacks and learn from it.
4. Rivalry Between Minecraft Hosters, Hosted at OVHcloud
: September 2016
: 1 Tbit/s
: Seven days
: About 150,000 hosted CCTV cameras and DVRs were being exploited by Mirai, a type of malware popular for infecting IoT devices.
: Although around the same time, the Mirai botnet took down the krebsonsecurity.com website, OVH’s infrastructure was not affected as far as we know of.
OVH, a hosting company originating from France and now called OVHcloud, was facing a massive DDoS attack back in 2016. Over 152,000 hacked Internet of Things (IoT) devices including cameras and DVRs (video recorders) were used for this DDoS attack, a malicious infrastructure with Mirai-infected bots capable of launching strikes at speeds of up to 1.5 Tbit/s. Because their owners forget to alter default credentials or select easy-to-guess passwords, many of those cameras and DVRs could easily be hacked.
The DDoS attack against OVH’s infrastructure was targeted at Minecraft servers hosted within OVH’s network, eventually resulting in a 1 Tbit/s impact at its peak. According to an investigation by Wired, Mirai’s creators aimed to take down rival Minecraft servers hosted at OVH while also potentially making money by offering their own DDoS protection. For seven days, OVH’s servers were subjected to numerous DDoS attacks surpassing 100 Gbit/s at the same time including one attack that reached 799 Gbit/s on its own, totaling 1 Tbit/s for the entire DDoS attack.
The immense number of IoT and home router devices being exploited for this DDoS attack against OVH was the result of manufacturers utilizing the same set of hard-coded SSH (Secure Shell) encryption keys. It made millions of internet-connected devices vulnerable to hijacking, including home routers, modems, and IP cameras, allowing the hackers to take control of the appliances.
The DDoS attack against OVH occurred just after krebsonsecurity.com, a cybersecurity news and investigation blog by journalist Brian Krebs was hit by an identical Mirai botnet-based DDoS attack, also record-breaking. This DDoS attack flooded the site at a pace of 665 Gbit/s. The attack against krebsonsecurity.com led content delivery and DDoS protection company Akamai to halt its pro bono service to Krebs, which resulted in the website being unavailable for some days.
5. The Yandex Plague
: August 2021
: 21.8 million requests per second
: Several days in one month
: Mēris botnet - 56,000 compromised hosts
: Although a threat to Russian internet infrastructure, the attack was mitigated, and client data and services were not affected.
In August and September 2021, the Russian internet company Yandex was subjected to a severe DDoS attack that lasted several days in total. About 22 million requests per second (RPS) were registered during the attack. The origin of this DDoS attack was a botnet dubbed Mēris, meaning ‘plague’ in Latvian, according to Yandex and its DDoS security supplier Qrator Labs.
This DDoS attack utilized a method known as HTTP pipelining. It would allow a client such as a web browser to create a connection to a server and send several requests without having to wait for each answer. The malicious traffic came from over 56,000 compromised hosts, mostly MikroTik network appliances–equipment from a vendor located in the Baltic region. Network routers running a vulnerable version of MikroTik’s own RouterOS software were compromised. According to Qrator Labs, attackers exploited an unpatched 2018 bug in over 56,000 MikroTik servers engaged in the DDoS attack.
The Mēris botnet employed a SOCKS4 proxy and port 5678 to launch the DDoS attack via HTTP pipelining. Mēris was using application-layer or volumetric DDoS attacks to overload server resources, causing them to crash. Ports 2000 and 5678 were open on the majority of the compromised appliances. The severity of the DDoS attacks gradually increased. According to Yandex, in 2021, there were 5.2 million Requests Per Second (RPS) on August 7, 6.5 million RPS on August 9, 9.6 million RPS on August 29, 10.9 million RPS on August 31, and 21.8 million RPS on September 5.
Lessons Learned from These Large DDoS Attacks
DDoS poses a significant risk to virtually any organization with mission-critical applications. The examples of DDoS attacks in this article only describe a few newsworthy attacks the world has seen so far. While maybe smaller in scale or more insidious, an average DDoS attack can have the same effect though without any proactive preparation: namely, that your IT infrastructure will be down and with it your business operations.
Deploying a firewall to begin with can be a good step toward protecting your organization from DDoS attacks. Worldstream provides an advanced unmanaged firewall-as-a-service solution as part of its comprehensive infrastructure as-a-service portfolio. A second step can be the deployment of an IT Infrastructure with dedicated anti-DDoS protection. To be able to mitigate high-volume based types of DDoS attacks now and in the future. Worldstream’s R&D team has developed a highly effective anti-DDoS scrubbing service for dedicated servers and services within the Worldstream network—based on clustering technology. Worldstream’s Worldshield DDoS Protection is added as a bonus with every dedicated server or service.
Intelligent clustering is a technique in which interrelated details in internet traffic are divided into groups called clusters and analyzed as such. Based on smart clustering algorithms and a layered DDoS protection approach, Worldstream’s Worldshield can handle the very highest bandwidth volumes in an advanced and highly scalable manner.
With Worldstream Worldshield, malicious internet traffic can be automatically detected, filtered, and mitigated. Worldshield provides real-time visibility into internet traffic and both standard and custom anti-DDoS profiles. To protect your IT and business assets against even the most bandwidth-intensive threats, the solution is backed by Worldstream’s global network backbone ample bandwidth.
To learn more about Worldstream’s Worldshield, visit our
about our engineers staging a DDoS attack on Worldstream’s website and mitigating the attack by using Worldshield.
You might also like:
Have a question for the editor of this blog post? You can reach us