Cloudflare blocked a massive 2 Tbps DDoS attack

Cloudflare says it has blocked a distributed denial-of-service, DDoS attack that peaked at just under 2 Tbps, making it one of the largest ever recorded.

The internet company said in a blog post that the attack was launched from approximately 15,000 bots running a variant of the original Mirai code on exploited Internet of Things (IoT) devices and unpatched GitLab instances.

The DDoS attack comes just two weeks after Rapid7 warned of a GitLab vulnerability — rated a full 10.0 on the CVSS severity scale — that could be exploited to allow an attacker to remotely run code, like botnet malware, on an affected server. Rapid7 found that at least half of the 60,000 internet-facing GitLab instances remain unpatched, and warned that it expected “exploitation to increase” as details of the bug became public.

The company wasn’t wrong; Cloudflare said it blocked the massive DDoS attack just one week later. From its analysis of the attack, Cloudflare believes that it was a multi-vector attack that combined both DNS amplification attacks along with UDP floods.

Cloudflare says the attack, which lasted less than a minute, was the largest it had witnessed to date. It comes just a month after Microsoft said it mitigated a “record-breaking” 2.4 Tbps DDoS attack targeting one of its Azure customers in Europe.

While Cloudflare mitigated the attack in seconds, it warns that it witnessed multiple terabit-strong DDoS attacks last month, adding that this is a trend that is unlikely to slow down any time soon.

“Another key finding from our Q3 DDoS Trends report was that network-layer DDoS attacks actually increased by 44% quarter-over-quarter,” said Omer Yoachimik, product manager at Cloudflare. “While the fourth quarter is not over yet, we have, again, seen multiple terabit-strong attacks that targeted Cloudflare customers.”

Rapid7 has urged GitLab users to update to the latest version of GitLab as soon as possible. “In addition, ideally, GitLab should not be an internet-facing service,” the company added. “If you need to access your GitLab from the internet, consider placing it behind a VPN.”

Network-layer DDoS Attacks Up by 44%

In 2021, attackers continued to intensify DDoS attacks, which are badly affecting thousands of companies worldwide. Cloudflare’s Q3 DDoS Trends report states that network-layer DDoS attacks increased by 44% quarter-over-quarter.

That figure covers Q3 only; the fourth quarter is not yet over, and Cloudflare customers have already been targeted with multiple terabit-strong attacks during it.


Robust defence shield of Cloudflare

Cloudflare’s robust defence mechanisms allow it to continually examine traffic samples ‘out-of-path’, which enables its security systems to detect these types of DDoS attacks within sub-seconds.

To mitigate the attack without affecting legitimate traffic, the security systems then generate a real-time signature that matches the attack patterns.

For cost-efficient mitigation, that fingerprint is delivered to the most optimal location in the Cloudflare edge as a short-lived mitigation rule.

In this case, as with most L3/4 DDoS attacks, the rule was pushed in-line into the Linux kernel eXpress Data Path (XDP) to drop the attack packets at wire speed.
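As an added illustration (not Cloudflare’s code), the following user-space model shows what the in-line XDP matching step has to do: parse Ethernet/IPv4/UDP headers with the bounds checks an XDP program must perform, then apply a real-time signature, here a hypothetical one for the DNS-amplification vector mentioned above (replies from UDP source port 53 at or above a size threshold). The verdict constants, `struct sig`, thresholds and sample frames are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Verdicts modelled on XDP's XDP_PASS / XDP_DROP (values chosen for this example). */
enum { VERDICT_PASS = 0, VERDICT_DROP = 1 };

/* Hypothetical real-time signature: UDP packets from one source port whose
 * UDP length is at or above a threshold (amplified DNS replies are large). */
struct sig { uint16_t src_port; uint16_t min_udp_len; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Parse Ethernet/IPv4/UDP with the bounds checks an XDP program must perform.
 * Anything malformed or not matching the signature is passed, never dropped. */
int xdp_verdict(const uint8_t *pkt, size_t len, const struct sig *s) {
    const uint8_t *ip, *udp;
    size_t ihl;
    if (len < 14 + 20) return VERDICT_PASS;                    /* too short for IPv4 */
    if (rd16(pkt + 12) != 0x0800) return VERDICT_PASS;         /* EtherType != IPv4 */
    ip = pkt + 14;
    ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20) return VERDICT_PASS;    /* bad version/IHL */
    if (len < 14 + ihl + 8 || ip[9] != 17) return VERDICT_PASS; /* no UDP header */
    udp = ip + ihl;
    if (rd16(udp) == s->src_port && rd16(udp + 4) >= s->min_udp_len)
        return VERDICT_DROP;
    return VERDICT_PASS;
}

/* Constructed sample frame: Ethernet + minimal IPv4 + UDP header, 42 bytes. */
size_t build_udp_frame(uint8_t *buf, uint16_t sport, uint16_t dport, uint16_t udp_len) {
    memset(buf, 0, 42);
    buf[12] = 0x08; buf[13] = 0x00;                 /* EtherType IPv4 */
    buf[14] = 0x45;                                 /* version 4, IHL 5 */
    buf[23] = 17;                                   /* protocol UDP */
    buf[34] = sport >> 8;   buf[35] = sport & 0xff;
    buf[36] = dport >> 8;   buf[37] = dport & 0xff;
    buf[38] = udp_len >> 8; buf[39] = udp_len & 0xff;
    return 42;
}

/* Verdict for a constructed frame under the DNS-amplification scenario:
 * signature = source port 53, UDP length >= 512 bytes. truncate_to simulates
 * a frame cut short, which must be passed rather than parsed out of bounds. */
int verdict_for(uint16_t sport, uint16_t udp_len, size_t truncate_to) {
    uint8_t buf[64];
    struct sig dns_amp = { 53, 512 };
    size_t n = build_udp_frame(buf, sport, 33333, udp_len);
    return xdp_verdict(buf, n < truncate_to ? n : truncate_to, &dns_amp);
}
```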

Cloudflare has asserted that it successfully blocked this massive 2 Tbps multi-vector DDoS attack and that none of its customers is in danger.

Cloudflare Mitigates Nearly 2 Tbps DDoS Attack

Rapid7 says that GitLab released a patch in April to address the CVE-2021-22205 vulnerability that could be exploited to enable remote code execution. Yet nearly six months later it discovered that most of the 60,000 internet-facing GitLab instances are still unpatched.

That revelation was made on Nov. 1; Cloudflare says the DDoS attack it blocked was launched a week later. GitLab users have had months to patch their servers, but they haven’t, and now they’re being used in record-setting DDoS attacks. And that’s not even the worst-case scenario.

“While using these exploited hosts for DDoS is terrible by itself, there have also been discussions of other mass-exploitation attacks where random admin users were found,” another security company, Censys, says. “A bigger worry here is the potential for more advanced attacks; for example, an attacker could potentially introduce backdoors and vulnerable functionality into the source code of projects hosted by these services. If this were to happen, even the most securely written code could become an administrative nightmare.”

Cloudflare is capable of handling many DDoS attacks—that’s one of its claims to fame. But this record-setting attack was a symptom of a larger problem involving unpatched GitLab instances (and the continued vulnerability of IoT devices) that poses even greater risks to potential victims.