Internet security company Imperva has announced that its Distributed Denial of Service (DDoS) mitigation solution set a new record, defending against a single attack that sent more than 25.3 billion requests to one of its clients.

The target was a Chinese telecommunications service provider often on the receiving end of DDoS attacks with unusually large volumes.

The DDoS attack took place on June 27, 2022, peaking at 3.9 million requests per second (RPS) and averaging 1.8 million RPS.

Although that pales in comparison to the record attack that Cloudflare mitigated in June, which peaked at 26 million RPS, the duration in Imperva’s case was unusually long.

Attacks peaking above a million RPS usually last between several seconds and a few minutes, but the one mitigated by Imperva lasted over four hours.

RPS diagram over time (Imperva)

“The attack started at 3.1M RPS and maintained a rate of around 3M RPS. Once the attack peaked at 3.9M RPS, the attack decreased for several minutes, but was back to full power for another hour,” Imperva describes.

According to the company, only one in ten DDoS attacks lasts longer than an hour, and an even lower percentage comes with noticeable firepower sustained for that long.

Global botnet

The DDoS attack that Imperva mitigated was launched by a massive botnet spread across 180 countries, with most IP addresses located in the United States, Brazil, and Indonesia.

Heat map of DDoS swarm locations (Imperva)

The botnet used 170,000 compromised devices, including modem routers, smart security cameras, vulnerable servers and poorly protected IoT devices.

Imperva comments that some of the servers from which the malicious traffic originates are hosted on public clouds and cloud security service providers, indicating widespread abuse.

Although the botnet has not been named or identified, it does not appear to be “Mantis”, which was responsible for Cloudflare’s DDoS mitigation record this summer.

Cloudflare says Mantis relies on a smaller number of devices, just over five thousand, primarily focusing on enrolling powerful servers and virtual machines.

The number of devices used against Imperva’s client is closer to the estimates for Mēris, the botnet responsible for the previous DDoS record of 21.8 million RPS. Researchers estimated that the Mēris swarm consisted of between 30,000 and 250,000 devices.

Still, Mēris and Mantis have so far delivered quick hits in short-lived attacks, not hour-long DDoS attacks, so this could be a new, as yet unidentified botnet.
