In a distributed denial-of-service (DDoS) attack, multiple devices are used to overwhelm a targeted server with traffic and take online services offline. Some of the biggest DDoS attacks have made major tech headlines.
Google claims to have mitigated the largest distributed denial-of-service (DDoS) attack ever in October 2023 — an HTTP/2 “Rapid Reset” attack that peaked at 398 million requests per second (rps).
HTTP/2 Rapid Reset exploits a flaw in the HTTP/2 protocol to carry out DDoS attacks. The HTTP/2 protocol is vital for how browsers interact with websites: it allows browsers to request text, images, and other content from sites. In an HTTP/2 Rapid Reset attack, attackers submit a large number of requests to a site and then immediately cancel them. They repeat that request-and-cancel process, hoping to overwhelm the website and knock it offline.
Cloudflare helped discover this type of threat and has mitigated record-breaking attacks, such as those that peaked above 201 million rps (see below).
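On the defending side, the request-and-cancel pattern described above shows up per connection as streams that are reset almost as soon as they are opened. The following Python is an added example, not code from Cloudflare or Google; the event tuples, the `CLOSED` marker, the function names and the thresholds are assumptions chosen for illustration, and the sample traffic is constructed.

```python
from collections import defaultdict, deque

HEADERS, RST_STREAM, CLOSED = "HEADERS", "RST_STREAM", "CLOSED"  # CLOSED: stream ended normally

def detect_rapid_reset(events, max_lifetime=0.05, window=1.0, threshold=100):
    """Return {connection: time first flagged} for request-and-cancel floods.

    events: time-ordered (ts, conn, frame, stream_id) tuples of client-sent frames.
    A reset is "rapid" if it arrives within max_lifetime seconds of the stream's
    HEADERS; a connection is flagged at `threshold` rapid resets inside `window` seconds.
    """
    opened = defaultdict(dict)    # conn -> {stream_id: time opened}
    recent = defaultdict(deque)   # conn -> times of recent rapid resets
    flagged_at = {}
    for ts, conn, frame, sid in events:
        if conn in flagged_at:
            continue              # already flagged; a server or proxy would have closed it
        if frame == HEADERS:
            opened[conn][sid] = ts
        elif frame == CLOSED:
            opened[conn].pop(sid, None)
        elif frame == RST_STREAM:
            opened_at = opened[conn].pop(sid, None)
            if opened_at is None or ts - opened_at > max_lifetime:
                continue          # late cancel (e.g. user navigated away): not counted
            resets = recent[conn]
            resets.append(ts)
            while ts - resets[0] > window:   # expire entries outside the window
                resets.popleft()
            if len(resets) >= threshold:
                flagged_at[conn] = ts
    return flagged_at

def constructed_events():
    """Constructed sample: a browser-like connection and a request-and-cancel flood."""
    events = []
    for i in range(20):    # "browser": 20 requests, two cancelled after 2 s
        sid, t = 2 * i + 1, i * 0.1
        frame, dt = (RST_STREAM, 2.0) if i in (3, 7) else (CLOSED, 0.2)
        events += [(t, "browser", HEADERS, sid), (t + dt, "browser", frame, sid)]
    for i in range(500):   # "flood": every stream cancelled 0.5 ms after opening
        sid, t = 2 * i + 1, i * 0.001
        events += [(t, "flood", HEADERS, sid), (t + 0.0005, "flood", RST_STREAM, sid)]
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    print(detect_rapid_reset(constructed_events()))
```

With the default settings only the flood connection is flagged, after its hundredth immediate cancel; the browser-like connection's two late cancels are ignored because those streams lived far longer than `max_lifetime`.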
In August 2023, Cloudflare mitigated thousands of hyper-volumetric HTTP DDoS attacks, 89 of which exceeded 100 million rps. The largest peaked at 201 million rps — a figure three times higher than the previous largest attack on record (71 million rps, which was recorded in February 2023).
Google reported that a Google Cloud customer was targeted with HTTPS DDoS attacks that peaked at 46 million rps. The attack originated from more than 5,000 sources in more than 130 countries.
Google later reported that it stopped a larger DDoS attack in August of 2023. According to the company, the attack was 7.5 times larger than the attack it experienced in June 2022, though Google did not provide additional details.
In November 2021, Azure experienced what was at the time the largest DDoS attack ever. The attack reached a throughput of 3.47 terabits per second (Tbps). According to Microsoft, it originated from approximately 10,000 sources in at least 10 countries. The company noted that it also mitigated two other attacks that year with throughput of more than 2.5 Tbps.
In 2017, an attack targeting Google Cloud services reached a size of 2.54 Tbps. Google disclosed the attack in October 2020.
The attackers sent spoofed packets to 180,000 web servers, which in turn sent responses to Google. This attack was not an isolated incident: The attackers had directed multiple DDoS attacks at Google’s infrastructure over the previous six months.
AWS reported mitigating a massive DDoS attack in February 2020. At its peak, this attack saw incoming traffic at a rate of 2.3 Tbps. AWS did not disclose which customer was targeted by the attack.
The attackers responsible used hijacked connection-less lightweight directory access protocol (CLDAP) web servers. CLDAP is a protocol for user directories. It is an alternative to LDAP, an older version of the protocol. CLDAP has been used in multiple DDoS attacks in recent years.
A large DDoS attack in 2018 targeted GitHub — the popular online code management service used by millions of developers. This attack reached 1.3 Tbps, sending packets at a rate of 126.9 million per second.
The GitHub attack did not involve botnets. Instead it was a memcached DDoS attack: the attackers leveraged the amplification effect of a popular database caching system known as memcached. By flooding memcached servers with spoofed requests, the attackers were able to amplify their attack by a factor of about 50,000.
Luckily, GitHub was using a DDoS protection service, which was automatically alerted within 10 minutes of the start of the attack. This alert triggered the process of mitigation and GitHub was able to stop the attack quickly. The massive DDoS attack only lasted about 20 minutes.
A massive DDoS attack was directed at Dyn, a major DNS provider, in October of 2016. This attack was devastating and created disruption for many major sites, including Airbnb, Netflix, PayPal, Visa, Amazon, The New York Times, Reddit, and GitHub. Attackers used malware called Mirai. Mirai creates a botnet out of compromised Internet of Things (IoT) devices such as cameras, smart TVs, radios, printers, and even baby monitors. To create the attack traffic, these compromised devices are all programmed to send requests to a single victim.
Fortunately Dyn was able to resolve the attack within one day, but the motive for the attack was never discovered. Hacktivist groups claimed responsibility for the attack as a response to WikiLeaks founder Julian Assange being denied Internet access in Ecuador, but there was no proof to back up this claim. There are also suspicions that the attack was carried out by a disgruntled gamer.
GitHub suffered a DDoS in 2015 that was the largest ever at the time. This politically motivated attack lasted several days and adapted itself around implemented DDoS mitigation strategies. The DDoS traffic originated in China and specifically targeted the URLs of two GitHub projects aimed at circumventing Chinese state censorship. It is speculated that the intent of the attack was to try and pressure GitHub into eliminating those projects.
The attack traffic was created by injecting JavaScript code into the browsers of everyone who visited Baidu, China’s most popular search engine. Other sites that were using Baidu’s analytics services were also injecting the malicious code. This code caused the infected browsers to send HTTP requests to the targeted GitHub pages. In the aftermath of the attack, it was determined that the malicious code was not originating from Baidu but rather being added by an intermediary service.
In 2013, a large attack was directed at Spamhaus, an organization that helps combat spam emails and spam-related activity. Spamhaus is responsible for filtering as much as 80% of all spam, which makes them a popular target for people who would like to see spam emails reach their intended recipients.
The attack drove traffic to Spamhaus at a rate of 300 Gbps. Once the attack began, Spamhaus signed up for Cloudflare. Cloudflare’s DDoS protection mitigated the attack. The attackers responded to this by going after certain Internet exchanges and bandwidth providers in an attempt to bring down Cloudflare. This attack did not achieve its goal, but it did cause major issues for LINX, the London Internet exchange. The main culprit of the attack turned out to be a teenage hacker for hire in Britain who was paid to launch this DDoS attack.
Read more about this attack and how it was mitigated on the Cloudflare blog.
In 2000, an attacker known as “Mafiaboy” took down several major websites, including CNN, Dell, E-Trade, eBay, and Yahoo!. At the time, Yahoo! was the most popular search engine in the world. This attack had devastating consequences, even creating chaos in the stock market.
Mafiaboy, who was later revealed to be a 15-year-old high-school student named Michael Calce, coordinated the attack by compromising the networks of several universities and using their servers to conduct the DDoS attack. The aftermath of this attack directly led to the creation of many of today’s cyber crime laws.
In April 2007, Estonia was hit with a massive DDoS attack targeting government services, financial institutions, and media outlets. This had a crushing effect since Estonia’s government was an early adopter of online government and was practically paperless at the time — even national elections were conducted online.
The attack, considered by many to be the first act of cyber warfare, came in response to a political conflict with Russia over the relocation of the “Bronze Soldier of Tallinn,” a World War II monument. The Russian government was suspected of involvement and an Estonian national from Russia was arrested as a result, but the Russian government has not let Estonian law enforcement do any further investigation in Russia. This ordeal led to the creation of international laws for cyber warfare.
The ability of DDoS protection vendors to mitigate these types of large-scale attacks depends on their network capacity. Some vendors do in fact have sufficient network capacity to absorb the amount of traffic that the DDoS attack in question is generating while still providing service. Cloudflare features 296 Tbps of network capacity, which is much larger than the largest DDoS attacks ever recorded.
Cloudflare has also mitigated DDoS attacks that featured extremely high packet rates and HTTP request rates. For example, in June 2020, Cloudflare mitigated a 754 million packet-per-second DDoS attack. And in August 2023, Cloudflare mitigated attacks exceeding 201 million rps. Importantly, Cloudflare also protects against HTTP/2 Rapid Reset attacks.
The vast majority of DDoS attacks are not as big as the attacks chronicled above. In fact, most DDoS attacks do not exceed 1 Gbps. However, even these smaller DDoS attacks can knock websites or applications offline for long periods of time if they do not have DDoS mitigation in place. As DDoS attacks continue to evolve, more organizations could be at risk.
Learn more about the next era of DDoS attacks. And discover Cloudflare Magic Transit, which capitalizes on Cloudflare’s massive global network to protect public-facing subnets from DDoS attacks without slowing down traffic.