This weekend, Cloudflare blocked what it describes as the largest volumetric Distributed Denial of Service (DDoS) attack to date.

The company said it detected and mitigated not one but a wave of dozens of hyper-volume DDoS attacks targeting its customers over the weekend.

“The majority of attacks peaked around 50-70 million requests per second (rps), with the largest exceeding 71 million rps,” said Cloudflare’s Omer Yoachimik, Julien Desgats, and Alex Forster. said.

“This is the largest HTTP DDoS attack on record, over 35% higher than the previous record high of 46 million rps reported in June 2022.”

The attacks were launched using more than 30,000 IP addresses from multiple cloud providers against various targets, including game providers, cloud computing platforms, cryptocurrency companies and hosting providers.

Increasingly powerful and frequent DDoS attacks align with recent DDoS Threat Report which paints a dark picture:

• the number of HTTP DDoS attacks increased by 79% year over year
• the number of volumetric attacks exceeding 100 Gbps increased by 67% quarter over quarter (QT)
• the number of attacks lasting more than three hours increased by 87% QoQ

Today’s news comes after Google announced in August 2022 that it blocked a record DDoS attack on the HTTPS protocol against a Google Cloud Armor client that had reached 46 million RPS.

This is an increase of about 80% more than the previous record, a 26 million RPS HTTPS DDoS mitigated by Cloudflare in June.

Volumetric DDoS attacks had been slowly increasing in size since 2021, when several botnets began exploiting powerful devices to hit targets with millions of requests per second.

For example, in September 2021, the The Meris botnet hit Yandex with an attack of 21.8 million RPS and before hammered a Cloudflare customer with 17.2 million RPS.

In response to this ever-increasing flood of attacks, the The FBI seized dozens of internet domains and indicted six suspects for their involvement in operating “Booter” or “Stresser” platforms that anyone can use to launch DDoS attacks.

The move was part of a larger coordinated international law enforcement operation targeting DDoS services for rental called Operation PowerOFF.

In addition to seizing the domains of these platforms and taking control of their infrastructure (wherever possible), the FBI is also working with the UK’s National Crime Agency and the Dutch police to serve advertisements in the search engines to people looking for DDoS services.

For example, when searching for “startup service”, Google would display an ad that reads: “Looking for DDoS tools? Startup is illegal”.