Cloudflare recently repelled the largest HTTPS DDoS attack of all time. The attack executed as many as 26 million HTTPS requests per second using hijacked servers and virtual machines.

The attack targeted one of Cloudflare’s customers. The hackers used a botnet consisting of 5,067 IoT devices, servers and virtual machines. Cloudflare is aware of botnets spanning hundreds of thousands of devices, but this one was extremely powerful for its size. The customer’s servers received 26 million requests per second (rps).

HTTPS protocol

Interestingly enough, the DDoS attack was based on HTTPS requests. These attacks are much more expensive than HTTP. The TLS encryption of HTTPS requires more computing power. According to Cloudflare, attackers made a considerable investment.

In less than 30 seconds, the attack generated more than 212 million HTTPS requests from 1,500 networks in 121 countries. A significant amount of the devices were located in Indonesia, the United States, Brazil and Russia.

Regular occurrence

Cloudflare is increasingly detecting large-scale DDoS attacks. The previous record attack dates back to 2021 and peaked at 17.2 million rps. In April this year, an HTTPS DDoS attack of 15.3 million rps was repelled.