Full Report
Web infrastructure and security company Cloudflare on Tuesday said it detected and blocked a 5.6 Terabit per second (Tbps) distributed denial-of-service (DDoS) attack, the largest ever attack to be reported to date. The UDP protocol-based attack took place on October 29, 2024, targeting one of its customers, an unnamed internet service provider (ISP) from Eastern Asia. The activity originated
Analysis Summary
# Incident Report: Record-Breaking Mirai Botnet DDoS Attack
## Executive Summary
On October 29, 2024, a Mirai variant botnet executed a record-breaking Distributed Denial of Service (DDoS) attack, peaking at 5.6 Terabits per second (Tbps) against an unnamed ISP in Eastern Asia. The attack, which lasted only 80 seconds, was launched using over 13,000 compromised Internet of Things (IoT) devices. Cloudflare successfully detected and mitigated the attack, highlighting the increasing scale and frequency of volumetric cyber threats.
## Incident Details
- Discovery Date: October 29, 2024 (detected while the attack was in progress)
- Incident Date: October 29, 2024
- Affected Organization: Unnamed Internet Service Provider (ISP)
- Sector: Telecommunications / Internet Service Provider
- Geography: Eastern Asia
## Timeline of Events
### Initial Access
- Date/Time: Prior to October 29, 2024
- Vector: Compromise of IoT devices (implied via Mirai infection mechanism, likely leveraging default or weak credentials).
- Details: The attack was sourced from a Mirai-variant botnet comprising over 13,000 compromised IoT devices.
### Lateral Movement
- Not explicitly detailed; the simultaneous multi-source launch indicates that the botnet operator commanded all compromised nodes at once for the DDoS event.
### Data Exfiltration/Impact
- Impact: Massive volumetric disruption attempt against the target ISP, reaching 5.6 Tbps.
- Duration: The peak attack lasted only 80 seconds.
### Detection & Response
- Detection: The attack was detected by Cloudflare's monitoring systems.
- Response actions taken: Cloudflare successfully blocked the 5.6 Tbps flood, preventing service disruption to the target ISP.
## Attack Methodology
- Initial Access: Exploitation of vulnerable IoT devices (infections spread prior to the attack).
- Persistence: Infected IoT devices maintained as part of the botnet structure.
- Privilege Escalation: Not applicable to the DDoS execution phase, but IoT devices are often exploited due to insecure default credentials or outdated firmware.
- Defense Evasion: Utilization of massive volumetric scale to overwhelm network defenses instantaneously.
- Credential Access: Implied via standard Mirai techniques (brute-forcing common credentials on IoT devices).
- Discovery: N/A (Botnet was already established).
- Lateral Movement: N/A (Focus was on coordinated external attack).
- Collection: N/A (The attack was a denial of service, not data theft).
- Exfiltration: N/A
- Impact: Volumetric denial of service (DDoS).
- Specific vectors used: UDP protocol-based attack.
## Impact Assessment
- Financial: Not estimated, but significant potential downtime costs for the targeted ISP.
- Data Breach: None reported; the incident was a denial of service attack.
- Operational: The attack was brief (80 seconds) and successfully mitigated, suggesting limited sustained operational impact on the target ISP.
- Reputational: The incident contributed to the public record demonstrating the growing threat landscape, particularly concerning IoT security.
## Indicators of Compromise
- Network indicators: Traffic floods reaching 5.6 Tbps originating from geographically diverse IPs (sources included Indonesia, Hong Kong, Singapore, Ukraine, Argentina).
- File indicators: Related to known Mirai variant malware signatures (not explicitly listed).
- Behavioral indicators: High rate of UDP floods targeting network layer infrastructure, high average contribution per source IP (around 1 Gbps) despite the large number of sources.
## Response Actions
- Containment measures: Cloudflare identified and filtered the malicious traffic stream at its network edge.
- Eradication steps: Specific eradication steps for the botnet are not detailed, but they typically involve patching and securing the vulnerable endpoints (IoT devices).
- Recovery actions: Restoration of normal service capacity following the mitigation of the 80-second flood.
## Lessons Learned
- The threat landscape is rapidly escalating in volume; this attack surpassed the previous record of 3.8 Tbps just months prior.
- IoT devices remain a primary source for large-scale botnet construction, compromising security across the internet.
- Attacks leveraging Layer 3/4 protocols (UDP floods in this case) are potent volumetric threats.
- A significant percentage (72%) of HTTP DDoS attacks are attributed to known DDoS botnets.
## Recommendations
- Aggressively mandate and enforce strong, non-default credentials and timely firmware updates for all connected IoT devices, both upstream and within internal environments.
- Implement layered DDoS mitigation strategies capable of scaling to multi-Terabit per second volumes, particularly at the network edge.
- Review and tune Layer 3/4 defenses to rapidly mitigate UDP, SYN, and DNS flood attacks, which remain common network layer vectors.
- Monitor for sudden spikes in attack traffic volume; the trend shows attacks exceeding 1 Tbps increasing dramatically (a 1,885% quarter-over-quarter increase is cited).
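As an added example (not from the report or from Cloudflare), the behavioral indicators listed above and the monitoring recommendation can be turned into a simple flow-record check: aggregate UDP bytes per destination over a window, count distinct sources, compute the mean per-source rate, and alert only when both the total rate and the source count are high. The thresholds, IP ranges and flow volumes are assumed or constructed and do not reproduce the incident's exact figures.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds for "volumetric UDP flood from many sources"; tune per network.
MIN_TOTAL_GBPS = 100.0   # aggregate UDP rate toward a single destination
MIN_SOURCES = 1000       # distinct source IPs within the window
WINDOW_SECONDS = 10      # aggregation window the flow records cover

@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP (the potential target)
    proto: str    # "udp", "tcp", ...
    nbytes: int   # bytes seen in the window

def summarize_udp(flows, window_s=WINDOW_SECONDS):
    """Per destination: total UDP Gbps, distinct sources, mean Gbps per source."""
    per_dst = defaultdict(lambda: {"bytes": 0, "srcs": set()})
    for f in flows:
        if f.proto != "udp":          # the report's vector is UDP only
            continue
        per_dst[f.dst]["bytes"] += f.nbytes
        per_dst[f.dst]["srcs"].add(f.src)
    summary = {}
    for dst, agg in per_dst.items():
        gbps = agg["bytes"] * 8 / window_s / 1e9
        n = len(agg["srcs"])
        summary[dst] = {"gbps": gbps, "sources": n,
                        "gbps_per_source": gbps / n if n else 0.0}
    return summary

def flag_udp_floods(summary, min_gbps=MIN_TOTAL_GBPS, min_sources=MIN_SOURCES):
    """Both conditions must hold: many sources at a low total rate is normal traffic."""
    return {dst: s for dst, s in summary.items()
            if s["gbps"] >= min_gbps and s["sources"] >= min_sources}

def constructed_flows():
    """Constructed sample: 2,000 bots at 1 Gbps each, benign DNS, one ignored TCP flow."""
    per_bot_bytes = 1_000_000_000 * WINDOW_SECONDS // 8   # 1 Gbps for the window
    flows = [Flow(f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}", "203.0.113.10",
                  "udp", per_bot_bytes) for i in range(2000)]
    flows += [Flow(f"172.16.{i >> 8 & 255}.{i & 255}", "203.0.113.53", "udp", 600)
              for i in range(1200)]
    flows.append(Flow("10.9.9.9", "203.0.113.10", "tcp", 5_000_000_000))
    return flows

if __name__ == "__main__":
    for dst, s in flag_udp_floods(summarize_udp(constructed_flows())).items():
        print(f"{dst}: {s['gbps']:.0f} Gbps from {s['sources']} sources "
              f"(~{s['gbps_per_source']:.2f} Gbps each)")
```

The benign DNS destination has more sources than the threshold but a negligible rate, so it is not flagged; the TCP flow is excluded from the UDP totals and source count.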