On June 27, 2022, Imperva mitigated a single attack with over 25.3 billion requests, setting a new record for Imperva’s application DDoS mitigation solution.
While attacks with over one million requests per second (RPS) aren’t new, we’ve previously only seen them last for several seconds to a few minutes. On June 27, Imperva successfully mitigated a strong attack that lasted more than four hours and peaked at 3.9 million RPS.
The owner of the targeted site, a Chinese telecommunications company, is often targeted by large attacks. This specific site was targeted again two days later, although the attack was shorter in duration. We haven’t seen any similar attacks target this site since these two at the end of June.
The attack
On the morning of June 27, the attack totaled 25.3 billion requests over four hours, with an average rate of 1.8 million RPS. Attackers used HTTP/2 multiplexing, in which many requests travel as concurrent streams over one connection, to send multiple requests at once over individual connections. This technique can bring servers down using a limited number of resources, and such attacks are extremely difficult to detect. Since our automated mitigation solution is guaranteed to block DDoS in under three seconds, we estimate that the attack could have reached a much greater rate than our tracked peak of 3.9 million RPS.
The attack started at 3.1M RPS and maintained a rate of around 3M RPS. After peaking at 3.9M RPS, the rate dropped for several minutes but returned to full strength for another hour.
The attack lasted over four hours, which puts it in a small category of attacks. According to Imperva’s DDoS Threat Landscape Report, only 10.5% of attacks last between one and six hours, and most last under fifteen minutes.
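Because multiplexing packs the load into few connections, counting connections per client does not surface it; counting requests per connection per second does. The following is an added example, not Imperva's detection logic: it assumes an nginx access log written with a hypothetical log_format of '$msec $remote_addr $connection $server_protocol $status', and the sample lines and threshold are constructed.

```python
from collections import defaultdict

# Assumed nginx log_format (not from the article):
#   '$msec $remote_addr $connection $server_protocol $status'
# $connection is nginx's serial number for the underlying connection.

def build_sample_log():
    """Constructed sample traffic; all addresses are documentation ranges."""
    lines = []
    # One HTTP/2 connection (serial 9001) carrying 400 requests in one second.
    for i in range(400):
        lines.append(f"1656300000.{i:03d} 203.0.113.7 9001 HTTP/2.0 200")
    # A browser: 12 requests over 3 seconds on one HTTP/2 connection.
    for i in range(12):
        lines.append(f"{1656300000 + i // 4}.{i:03d} 198.51.100.20 9002 HTTP/2.0 200")
    # An HTTP/1.1 client opening a new connection per request.
    for i in range(5):
        lines.append(f"1656300001.{i:03d} 192.0.2.55 {9100 + i} HTTP/1.1 200")
    return lines

def flag_multiplexed_floods(lines, max_rps_per_conn=100):
    """Return sorted (ip, conn, peak_rps, conns_from_ip) for HTTP/2
    connections whose request count in any one second exceeds the limit."""
    per_second = defaultdict(int)   # (ip, conn, second) -> requests
    conns_by_ip = defaultdict(set)  # ip -> connection serials seen
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, ip, conn, proto, _status = parts
        try:
            second = int(float(ts))
        except ValueError:
            continue
        conns_by_ip[ip].add(conn)
        if proto.startswith("HTTP/2"):
            per_second[(ip, conn, second)] += 1
    peaks = defaultdict(int)
    for (ip, conn, _sec), count in per_second.items():
        peaks[(ip, conn)] = max(peaks[(ip, conn)], count)
    return sorted((ip, conn, peak, len(conns_by_ip[ip]))
                  for (ip, conn), peak in peaks.items()
                  if peak > max_rps_per_conn)

if __name__ == "__main__":
    for ip, conn, peak, n in flag_multiplexed_floods(build_sample_log()):
        print(f"{ip} conn={conn} peak={peak} req/s over {n} connection(s)")
```

In the constructed sample the flagged client holds a single connection, which is why a per-IP connection limit alone would not catch it.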
The botnet
This specific attack was launched from a massive botnet of almost 170,000 different IPs, including routers, security cameras and compromised servers. This network includes compromised devices from over 180 countries, although most are based in the US, Indonesia, and Brazil. Some of these servers are hosted on various public clouds, and even cloud security service providers.
Botnet device locations