Mantis botnet behind biggest HTTPS DDoS attack targeting Cloudflare customers


The botnet behind the largest HTTPS distributed denial-of-service (DDoS) attack in June 2022 has been linked to a wave of attacks targeting nearly 1,000 Cloudflare customers.

The web performance and security company has attributed more than 3,000 HTTP DDoS attacks against its customers to the powerful Mantis botnet.

The most frequently attacked industries include internet and telecom, media, gaming, finance, business and shopping, with over 20% of attacks targeting US-based companies, followed by Russia, Turkey, France, Poland, Ukraine, the UK, Germany, the Netherlands and Canada.

Last month, the company said it mitigated a record-breaking DDoS attack targeting an undisclosed customer website on its free plan. The attack peaked at 26 million requests per second (RPS), with each node generating about 5,200 RPS.

The junk traffic tsunami lasted less than 30 seconds and generated more than 212 million HTTPS requests from more than 1,500 networks in 121 countries, including Indonesia, the US, Brazil, Russia and India.

“The Mantis botnet operates a small fleet of about 5,000 bots, but can generate tremendous power with them — responsible for the largest HTTP DDoS attacks we’ve ever observed,” Cloudflare’s Omer Yoachimik said.

Mantis stands out for a number of reasons. The first is the ability to perform HTTPS DDoS attacks, which are expensive due to the computational power required to establish a secure TLS-encrypted connection.

Second, unlike other traditional botnets that rely on IoT devices such as DVRs and routers, Mantis uses hijacked virtual machines and high-performance servers, giving it more resources.
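The two traits above (a few thousand high-capacity nodes, each pushing thousands of requests per second) are visible from the victim's side in ordinary web-server access logs. The following detector is an added example, not Cloudflare's or the article's code: it parses combined-format access-log lines, measures the peak requests per second per client and in aggregate over a sliding one-second window, and flags clients whose individual rate is far above anything a human or an IoT-class bot would produce. The log lines, IP addresses and thresholds are constructed for the example.

```python
"""Added example: spot an HTTP(S) request flood and its high-rate sources in
web-server access logs (constructed sample data, not a real capture)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" access-log format; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for a combined-format line, or None if it
    does not parse (malformed lines are skipped rather than crashing the run)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def peak_rate(timestamps, window=timedelta(seconds=1)):
    """Largest number of events that fall inside any sliding window of the given
    length. Access logs have one-second resolution, so a one-second window is
    effectively 'most requests seen in a single second'."""
    q = deque()
    peak = 0
    for ts in sorted(timestamps):
        q.append(ts)
        while ts - q[0] >= window:   # drop events that fell out of the window
            q.popleft()
        peak = max(peak, len(q))
    return peak


def analyze(lines, per_client_threshold=100, total_threshold=1000):
    """Per-client and aggregate peak RPS, plus the clients above the per-client
    threshold. Thresholds are assumptions; tune them to the site's baseline."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            per_ip[parsed[0]].append(parsed[1])
    all_ts = [ts for tss in per_ip.values() for ts in tss]
    per_ip_peak = {ip: peak_rate(tss) for ip, tss in per_ip.items()}
    total_peak = peak_rate(all_ts)
    return {
        "total_peak_rps": total_peak,
        "per_ip_peak_rps": per_ip_peak,
        "flood_sources": sorted(ip for ip, r in per_ip_peak.items() if r >= per_client_threshold),
        "under_attack": total_peak >= total_threshold,
    }


def _fmt(ip, ts, path="/"):
    """Render one constructed combined-format log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/2.0" 200 512'


def build_sample_log():
    """Constructed sample traffic (not a real capture): one hijacked-server-style
    bot issuing 300 requests inside a single second, plus three ordinary clients
    issuing a request every few seconds. Addresses are from documentation ranges."""
    base = datetime(2022, 7, 14, 10, 0, 0, tzinfo=timezone.utc)
    lines = [_fmt("203.0.113.10", base) for _ in range(300)]
    for i, ip in enumerate(["198.51.100.5", "198.51.100.6", "192.0.2.7"]):
        lines.append(_fmt(ip, base + timedelta(seconds=2 + i)))
        lines.append(_fmt(ip, base + timedelta(seconds=7 + i)))
    return lines


if __name__ == "__main__":
    report = analyze(build_sample_log())
    print(report["total_peak_rps"], report["flood_sources"], report["under_attack"])
```

In real use the per-client threshold is what separates a Mantis-style node from a busy proxy or NAT: a few hundred requests per second from one address is ordinary for a large corporate egress, so pair the rate with request characteristics (identical paths, missing or uniform headers, TLS fingerprint) before blocking.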

These volumetric attacks aim to generate more traffic than the target can handle, exhausting the victim's resources. While adversaries have traditionally used UDP to perform amplification attacks, there has been a shift towards newer TCP reflected amplification vectors that abuse middleboxes.

Microsoft announced in May 2022 that it had prevented approximately 175,000 UDP-reflected amplification attacks targeting its Azure infrastructure in the past year. It also observed a TCP reflected amplification attack on an Azure resource in Asia that reached 30 million packets per second (pps) and lasted 15 minutes.
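Whether the reflector is a UDP service or a TCP middlebox, reflected traffic has one signature from the victim's point of view: replies arrive from hosts the victim never contacted, because the attacker spoofed the victim's address in the requests. The following flow-record analyser is an added example, not Microsoft's, Cloudflare's or the article's code. It pairs each inbound flow with an outbound flow from the local network, treats unmatched inbound flows as unsolicited, aggregates them by protocol and source port, and raises an alert when a vector's volume crosses a threshold. The `Flow` type, the local prefix, the threshold and all records are constructed for the example; the UDP service-port list is a starting point, not an exhaustive one.

```python
"""Added example: flag reflected amplification traffic in NetFlow/IPFIX-style
flow records by looking for inbound replies with no matching outbound request
(constructed records, not a real capture)."""
from collections import defaultdict
from dataclasses import dataclass

# UDP services widely abused as reflectors (assumption: tune for your estate).
UDP_REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (constructed type for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str        # "udp" or "tcp"
    byte_count: int
    packet_count: int


def is_local(ip, local_prefix):
    """Crude prefix match standing in for a real CIDR lookup."""
    return ip.startswith(local_prefix)


def unsolicited_inbound(flows, local_prefix):
    """Inbound flows for which no local host sent the matching request flow.
    Spoofed-source reflection looks exactly like this: the reflector's reply
    arrives, but the victim never talked to the reflector."""
    initiated = {
        (f.src_ip, f.src_port, f.dst_ip, f.dst_port, f.proto)
        for f in flows if is_local(f.src_ip, local_prefix)
    }
    return [
        f for f in flows
        if is_local(f.dst_ip, local_prefix) and not is_local(f.src_ip, local_prefix)
        and (f.dst_ip, f.dst_port, f.src_ip, f.src_port, f.proto) not in initiated
    ]


def reflection_alerts(flows, local_prefix="192.0.2.", byte_threshold=1_000_000):
    """Group unsolicited inbound traffic by (proto, source port) and alert on
    vectors whose byte volume reaches the threshold (an assumed value)."""
    agg = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    for f in unsolicited_inbound(flows, local_prefix):
        a = agg[(f.proto, f.src_port)]
        a["bytes"] += f.byte_count
        a["packets"] += f.packet_count
        a["reflectors"].add(f.src_ip)
    alerts = []
    for (proto, port), a in agg.items():
        if a["bytes"] < byte_threshold:
            continue
        if proto == "udp":
            service = UDP_REFLECTOR_PORTS.get(port, "udp/unknown")
        else:
            service = "tcp (possible middlebox reflection)"
        alerts.append({"proto": proto, "src_port": port, "service": service,
                       "bytes": a["bytes"], "packets": a["packets"],
                       "reflector_count": len(a["reflectors"])})
    return sorted(alerts, key=lambda x: x["bytes"], reverse=True)


def build_sample_flows():
    """Constructed records from documentation address ranges, not a capture."""
    victim = "192.0.2.10"
    flows = [
        # Legitimate DNS: the victim asks, the resolver answers -> matched pair.
        Flow(victim, 41000, "198.51.100.53", 53, "udp", 80, 1),
        Flow("198.51.100.53", 53, victim, 41000, "udp", 300, 1),
        # Unsolicited TCP traffic from one host, low volume -> below threshold.
        Flow("203.0.113.200", 80, victim, 443, "tcp", 5_000, 40),
    ]
    # Fifty NTP reflectors each sending 40 kB of replies the victim never requested.
    for i in range(1, 51):
        flows.append(Flow(f"203.0.113.{i}", 123, victim, 80, "udp", 40_000, 80))
    return flows


if __name__ == "__main__":
    for alert in reflection_alerts(build_sample_flows()):
        print(alert)
```

The request/reply pairing here ignores timing and sampling; production flow collectors sample packets and export records in windows, so the matching would need a time bound and a tolerance for flows whose request record was not sampled. The alert's `reflector_count` is the useful number for response: many distinct reflectors on one service port points at a reflection campaign rather than a single misbehaving peer, and the mitigation (rate-limit or filter that source port at the edge) follows from the vector rather than from the individual addresses.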

“Reflected amplification attacks are here to stay and pose a serious challenge to the Internet community,” the Azure Networking Team noted. “They continue to evolve and exploit new vulnerabilities in protocols and software implementations to evade conventional countermeasures.”