A Deep Dive into How Cloudflare Stopped a Recent Record-Breaking DDoS Attack

The Largest DDoS Attack Ever Seen  

Starting in early September, Cloudflare's systems faced an onslaught of huge DDoS attacks that lasted a full month. These attacks targeted layers 3 and 4 of the network stack (the network and transport layers), aiming to overwhelm servers with a flood of packets. Throughout this period, Cloudflare successfully stopped more than 100 attacks, many of which exceeded 2 billion packets per second or 3 terabits per second. The largest of these attacks peaked at an astonishing 3.8 Tbps, making it the biggest DDoS attack ever publicly reported. What's even more remarkable is that Cloudflare handled this attack completely autonomously: no human intervention was required.


The Attack That Lasted 65 Seconds  

This 3.8 Tbps attack only lasted 65 seconds, but during that time, it pushed the limits of what most networks could handle. Luckily for Cloudflare customers, the system responded instantly, shutting down the attack without disrupting any legitimate traffic.


Who Was Protected?  

If you're a Cloudflare customer using their HTTP reverse proxy services like their Web Application Firewall (WAF) or Content Delivery Network (CDN), you’re automatically protected from these types of attacks. Customers using Cloudflare’s Spectrum and Magic Transit services are also protected, with even more control available through custom firewall rules.


What Happens to Unprotected Services?  

However, not all internet services are so lucky. Attacks of this scale and frequency are unprecedented, and without proper defenses, they have the power to take down unprotected websites. Even some companies with their own hardware or other cloud providers may not have enough capacity to deal with attacks of this magnitude while keeping their services running smoothly.


Why Cloudflare Can Handle It  

Cloudflare, however, is prepared. Thanks to its vast network capacity, global coverage, and intelligent systems, Cloudflare can absorb and automatically stop these huge attacks. In fact, Cloudflare’s system is built specifically to handle massive spikes in traffic like this.


The Global Nature of the Attack  

This wave of attacks targeted several industries, including financial services, the internet sector, and telecommunications. The attackers' goal was to overwhelm bandwidth and drain system resources. Most of these attacks used UDP (User Datagram Protocol) traffic, sent from compromised devices worldwide, including from countries like Vietnam, Russia, Brazil, Spain, and the U.S.


Devices Behind the Attack  

The devices behind these attacks weren’t just high-end servers; they included everyday devices like routers and DVRs that had been hacked. For the largest attacks, compromised ASUS home routers were used, likely due to a critical security flaw.


How DDoS Attacks Work  

So how does a DDoS attack work? The goal is to overwhelm a system with so much traffic that it runs out of the resources needed to operate, such as CPU power or network bandwidth. In this case, the attackers were trying to drain the CPU cycles required to process all the incoming data.


Overloading CPU Power  

Processing each packet of data takes CPU power. When a system is flooded with packets, it can use up all its available CPU power, leaving none to handle legitimate traffic. To defend against these kinds of attacks, a system needs to figure out how to filter out the bad packets as efficiently as possible, while still handling the real traffic. While you could add more CPUs, that’s a slow and expensive process.


Bandwidth: The Pipe for Data  

Network bandwidth is like a pipe that delivers data. The more bandwidth you have, the larger the pipe. If an attacker floods the pipe with too much data, both good and bad data get blocked. The service goes down, and the attack succeeds.


Challenges for Attackers  

The attackers also face challenges. Generating massive amounts of traffic takes CPU power and resources, and attackers need a large number of devices to pull off an attack of this scale.


Cloudflare’s Global Defense  

Cloudflare’s global network plays a major role in defending against attacks. Their servers are spread across the world, and attack traffic is distributed across all of them. This means that no single location gets overwhelmed, making it much easier to manage the attack.


Allocating Resources Where They’re Needed  

Cloudflare's anycast network also allows them to allocate resources where they’re needed most. In high-traffic areas, their data centers have more bandwidth and computing power to handle legitimate traffic and attacks. In regions with less traffic, smaller data centers are still effective at handling attacks. This system helps distribute both good and bad traffic evenly.


An Advantage in Bandwidth  

Another advantage of Cloudflare’s network is that it’s designed to handle far more outbound (legitimate) traffic than incoming attack traffic. This means that when an attack floods the network with data, Cloudflare has plenty of extra bandwidth to absorb the hit.


Identifying and Stopping Attack Traffic  

To stop the bad packets, Cloudflare samples small portions of traffic and looks for patterns that match an attack. They use a system called l4drop, which runs directly on their servers' hardware. This system drops bad packets using minimal CPU power, thanks to eBPF, a technology that lets a small filtering program run inside the kernel's network driver path, so attack packets can be discarded before they ever reach the full networking stack.


Real-Time Defense  

Once an attack is detected, Cloudflare’s system generates real-time "fingerprints" of the attack traffic. These fingerprints are then used to block the bad packets across the entire network. The system runs autonomously on every server, ensuring that attacks are stopped both locally and globally without any delays.
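As an added illustration of the two ideas above (a per-packet filter in the style of l4drop, and the fingerprint it is given), here is a userspace C model of the decision an eBPF/XDP program makes: parse Ethernet/IPv4/UDP with the bounds checks the eBPF verifier insists on, compare the packet against a fingerprint (destination port, length range, TTL range), and return pass or drop. This is not Cloudflare's code; the fingerprint fields, the verdict names, and every packet value are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Verdicts mirror XDP's XDP_PASS / XDP_DROP; the names are ours, not l4drop's. */
enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };
enum { ETH_HLEN = 14, IP_MIN_HLEN = 20, UDP_HLEN = 8 };

/* Hypothetical fingerprint: UDP to one port, with IPv4 total length and TTL
   inside the ranges seen in sampled attack traffic (fields are assumptions). */
struct fingerprint { uint16_t udp_dst_port, min_len, max_len; uint8_t min_ttl, max_ttl; };

/* Every read is bounds-checked against frame_len first, exactly as the eBPF
   verifier demands of an XDP program before it may touch packet bytes. */
enum verdict filter_frame(const uint8_t *f, size_t frame_len, const struct fingerprint *fp) {
    if (frame_len < ETH_HLEN + IP_MIN_HLEN || f[12] != 0x08 || f[13] != 0x00)
        return VERDICT_PASS;                          /* too short, or not IPv4 */
    const uint8_t *ip = f + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;          /* IPv4 header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < IP_MIN_HLEN || frame_len < ETH_HLEN + ihl + UDP_HLEN)
        return VERDICT_PASS;                          /* malformed, or no room for UDP */
    if (ip[9] != 17)
        return VERDICT_PASS;                          /* protocol 17 = UDP; others pass */
    uint16_t total_len = (uint16_t)(ip[2] << 8 | ip[3]);
    uint16_t dst_port  = (uint16_t)(ip[ihl + 2] << 8 | ip[ihl + 3]);
    /* Drop only when every fingerprint field matches; anything else passes. */
    if (dst_port == fp->udp_dst_port && total_len >= fp->min_len &&
        total_len <= fp->max_len && ip[8] >= fp->min_ttl && ip[8] <= fp->max_ttl)
        return VERDICT_DROP;
    return VERDICT_PASS;
}

/* Constructed test frame: untagged Ethernet + 20-byte IPv4 + UDP, zeroed payload. */
size_t make_frame(uint8_t *buf, uint16_t total_len, uint8_t ttl, uint16_t dst_port) {
    memset(buf, 0, ETH_HLEN + total_len);
    buf[12] = 0x08; buf[13] = 0x00;                   /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45; ip[2] = total_len >> 8; ip[3] = total_len & 0xff;
    ip[8] = ttl; ip[9] = 17;                          /* TTL, protocol UDP */
    ip[22] = dst_port >> 8; ip[23] = dst_port & 0xff; /* UDP dst port = IP offset 20+2 */
    return ETH_HLEN + total_len;
}

/* Runs four constructed frames through one fingerprint; returns how many were dropped. */
int demo_drop_count(void) {
    struct fingerprint fp = { 443, 1400, 1500, 50, 60 };  /* constructed values */
    uint8_t buf[1600];
    int n = 0;
    n += filter_frame(buf, make_frame(buf, 1450, 55, 443), &fp);  /* matches: drop */
    n += filter_frame(buf, make_frame(buf, 1450, 55, 53), &fp);   /* other port: pass */
    n += filter_frame(buf, make_frame(buf, 100, 55, 443), &fp);   /* too small: pass */
    n += filter_frame(buf, make_frame(buf, 1500, 60, 443), &fp);  /* on boundary: drop */
    return n;
}
```

In a real XDP program the same match runs for every packet on the receive path, which is why a few cheap header comparisons are enough to discard billions of packets per second without exhausting CPU.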


Scrubbing Traffic in Real Time  

Cloudflare’s system doesn’t rely on separate scrubbing centers to clean up attack traffic. Instead, every server has the full set of tools to detect and mitigate attacks in real time. This means that whether the attack is localized or spread across the globe, Cloudflare’s system can stop it instantly.


Defenses for More Complex Attacks  

On top of this, Cloudflare has additional defenses for more sophisticated attacks, such as TCP-based attacks (targeting how data is transmitted) and DNS-based attacks (targeting how websites are resolved). With the help of real-time threat intelligence, traffic profiling, and machine learning, Cloudflare stays ahead of even the most complex DDoS threats.


Protecting Customers from the Biggest Attacks  

In short, Cloudflare’s network is one of the largest in the world, and their defenses are built to ensure that their customers remain protected from the biggest DDoS attacks, no matter how large or sophisticated.



Source: The Cloudflare Blog - How Cloudflare auto-mitigated world record 3.8 Tbps DDoS attack

Image: Elchinator from Pixabay
