Posted on September 21, 2022 at 4:48 AM
Imperva breaks records after defending against a 25.3 billion-request DDoS attack
Imperva, a cybersecurity company, has announced a record-breaking achievement in defending against a distributed denial of service (DDoS) attack. The company announced that it had defended against a single attack that sent more than 25.3 billion requests to one of its clients.
Imperva defends against a 25.3 billion-request DDoS attack
In the announcement, Imperva said that the customer targeted in the DDoS attack was a Chinese telecommunications service provider. This customer is frequently targeted by DDoS attacks because of the high traffic volumes involved.
The DDoS attack in question happened on June 27, 2022. The attack peaked at 3.9 million requests per second, with an average of 1.8 million requests per second. The attack mitigated by Imperva is record-breaking because it was unusually long.
The requests per second of this DDoS attack were significantly lower than the record-breaking 26 million RPS that Cloudflare mitigated in June. However, as noted above, the Imperva case was notably long.
Attacks with an RPS peaking at over one million usually last from a few seconds to several minutes. However, the attack mitigated by Imperva lasted more than four hours, making it one of the longest DDoS attacks on record.
In the announcement, Imperva said that at the onset of the attack, the RPS was 3.1 million. The attack maintained a rate of around 3 million RPS before peaking at 3.9 million RPS. The attack subsided for several minutes before returning to its full strength, lasting another hour.
The company further said that only one in ten DDoS attacks lasts more than an hour. Moreover, an even smaller number come with enough firepower to sustain that rate for a long time.
“Attackers used HTTP/2 multiplexing or combining multiple packets into one to send multiple requests at once over individual connections. This technique can bring servers down using a limited number of resources, and such attacks are extremely difficult to detect. Since our automated mitigation solution is guaranteed to block DDoS in under three seconds, we estimate that the attack could have reached a much greater rate than our tracked peak of 3.9 million RPS,” Imperva added.
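Detection logic for the kind of flood described in the quote above, added here as an example and not Imperva's code: because multiplexing packs many requests into few connections, a detector that counts connections under-reports the load, so this one counts requests per second and the streams-per-connection ratio and alerts only on a sustained run. It assumes a constructed access-log format with a connection id and HTTP/2 stream id per request, and the sample traffic is constructed.

```python
# Assumed (constructed) log format, one request per line:
#   <unix_second> <client_ip> <connection_id> <h2_stream_id> <path>
# A connection count misses multiplexed load; count requests per second and
# alert only when the rate stays above the threshold for consecutive seconds.
from collections import defaultdict

def per_second_stats(lines):
    """Return {second: (request_count, distinct_connection_count)}."""
    reqs, conns = defaultdict(int), defaultdict(set)
    for line in lines:
        second, _ip, conn, _stream, _path = line.split()
        reqs[int(second)] += 1
        conns[int(second)].add(conn)
    return {s: (reqs[s], len(conns[s])) for s in reqs}

def _summarise(run):
    total_req = sum(r for _, r, _ in run)
    total_conn = sum(c for _, _, c in run)
    return {"start": run[0][0], "end": run[-1][0],
            "peak_rps": max(r for _, r, _ in run),
            "avg_rps": total_req / len(run),
            "streams_per_conn": total_req / total_conn}

def sustained_flood_windows(stats, rps_threshold, min_seconds):
    """Runs of >= min_seconds consecutive seconds with requests > rps_threshold.
    One quiet second ends a run, so a flood that subsides and resumes is reported as separate windows."""
    windows, run = [], []
    for second in sorted(stats):
        requests, connections = stats[second]
        if requests > rps_threshold and (not run or second == run[-1][0] + 1):
            run.append((second, requests, connections))
        else:
            if len(run) >= min_seconds:
                windows.append(_summarise(run))
            run = [(second, requests, connections)] if requests > rps_threshold else []
    if len(run) >= min_seconds:
        windows.append(_summarise(run))
    return windows

def build_sample_log():
    """Constructed log: quiet baseline, a 4 s flood, one quiet second, a 3 s flood."""
    lines = []
    for sec in range(1656313200, 1656313213):
        flood = sec in range(1656313205, 1656313209) or sec in range(1656313210, 1656313213)
        if not flood:   # baseline: 8 clients, one stream per connection
            lines += [f"{sec} 198.51.100.{i} q{sec}-{i} 1 /index.html" for i in range(8)]
            continue
        for c in range(4):   # flood: 4 connections, 50 odd-numbered client streams each
            lines += [f"{sec} 203.0.113.{c} f{c} {2 * s + 1} /api/search" for s in range(50)]
    return lines
```

Thresholds here are illustrative; in production the rate threshold is set from the service's own baseline and the streams-per-connection ratio is the signal that separates multiplexed floods from ordinary bursts.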
The DDoS attack was launched by a global botnet
The DDoS attack that Imperva mitigated was launched by a large global botnet. The botnet was in 180 countries, with most IP addresses being located in Brazil, Indonesia, and the United States.
The massive botnet deployed 170,000 devices, including modem routers, vulnerable servers, smart security cameras, and poorly protected IoT devices.
According to Imperva, some of the compromised servers used to generate the malicious traffic were hosted on public clouds and cloud security service providers. This demonstrated large-scale abuse of such servers, and the extent of the damage they could cause is correspondingly high.
Imperva did not provide a name or an identification number for the botnet. However, this botnet does not seem to have the same features as “Mantis.” Mantis is the botnet that was used to launch the record-breaking 26 million RPS DDoS attack that Cloudflare mitigated during the summer.
Cloudflare said that the Mantis botnet relies on a small number of devices, a little over five thousand. Moreover, the botnet focused on enlisting powerful servers and virtual machines, which allowed it to launch a DDoS of such magnitude.
Meris and the botnet used to launch the DDoS against Imperva's client have some similarities. The number of devices used in the attack against Imperva's client is close to the Meris estimates. Meris is a botnet that was used to launch a previous record-breaking DDoS attack that reached 21.8 million RPS.
Researchers estimated that Meris encompasses between 30,000 and 250,000 devices, which is significantly higher than the number of devices that the Mantis botnet relied upon.
On the other hand, the Meris and Mantis botnets have previously inflicted rapid damage through short attacks, which are not the same as DDoS attacks that last for hours. Therefore, the botnet that attacked Imperva's client appears to be a novel one. Moreover, its ability to sustain a high-RPS attack for many hours is concerning, as it could cause significant harm if not detected at the onset. However, this botnet is yet to be identified.