Cloudflare says it has blocked a distributed denial-of-service, DDoS attack that peaked at just under 2 Tbps, making it one of the largest ever recorded.
The internet company said in a blog post that the attack was launched from approximately 15,000 bots running a variant of the original Mirai code on exploited Internet of Things (IoT) devices and unpatched GitLab instances.
The DDoS attack comes just two weeks after Rapid7 warned of a GitLab vulnerability — rated a full 10.0 on the CVSS severity scale — that could be exploited to allow an attacker to remotely run code, like botnet malware, on an affected server. Rapid7 found that at least half of the 60,000 internet-facing GitLab instances remain unpatched, and warned that it expected “exploitation to increase” as details of the bug became public.
The company wasn’t wrong; Cloudflare said it blocked the massive DDoS attack just one week later. From its analysis of the attack, Cloudflare believes that it was a multi-vector attack that combined both DNS amplification attacks along with UDP floods.
Cloudflare says the attack, which lasted less than a minute, was the largest it had witnessed to date. It comes just a month after Microsoft said it mitigated a “record-breaking” 2.4 Tbps DDoS attack targeting one of its Azure customers in Europe.
While Cloudflare mitigated the attack in seconds, it warns that it has witnessed multiple terabit-strong DDoS attacks last month, adding that this is unlikely a trend that’s going to slow down any time soon.
“Another key finding from our Q3 DDoS Trends report was that network-layer DDoS attacks actually increased by 44% quarter-over-quarter,” said Omer Yoachimik, product manager at Cloudflare. “While the fourth quarter is not over yet, we have, again, seen multiple terabit-strong attacks that targeted Cloudflare customers.”
Rapid7 has urged GitLab users to the latest version of GitLab as soon as possible. “In addition, ideally, GitLab should not be an internet-facing service,” the company added. “If you need to access your GitLab from the internet, consider placing it behind a VPN.”
By 44% the Network-layer DDoS Attacks Inflated
In 2021, the attackers continued to reinforce DDoS attacks and it is badly affecting thousands of companies worldwide. While the Q3 DDoS Trends report of Cloudflare claims that quarter-over-quarter the network-layer DDoS attacks increased by 44%.
This is the figure for Q3 only, as the fourth quarter is not yet over, and before its end, Cloudflare customers were targeted with multiple terabit-strong attacks.
Cloudflare blocked a massive 2 Tbps DDoS attack
Roust defence shield of Cloudflare
The robust defence mechanisms of Cloudflare allows it to examine traffic samples ‘out-of-path’ continually which enables Cloudflare’s security systems to detect these type of DDoS attacks, and all these happen within sub-seconds.
Here, to mitigate this attack without affecting the legitimate traffic, the security systems generate a real-time signature that matches the real-time signature with the deployed attack patterns.
Cloudflare Mitigates Nearly 2 Tbps DDoS Attack
Rapid7 says that GitLab released a patch in April to address the CVE-2021-22205 vulnerability that could be exploited to enable remote code execution. Yet nearly six months later it discovered that most of the 60,000 internet-facing GitLab instances are still unpatched.
That revelation was made on Nov. 1; Cloudflare says the DDoS attack it blocked was launched a week later. GitLab users have had months to patch their servers, but they haven’t, and now they’re being used in record-setting DDoS attacks. And that’s not even the worst-case scenario.
“While using these exploited hosts for DDoS is terrible by itself, there have also been discussions of other mass-exploitation attacks where random admin users were found,” another security company, Censys, says. “A bigger worry here is the potential for more advanced attacks; For example, an attacker could potentially introduce backdoors and vulnerable functionality into the source code of projects hosted by these services. If this were to happen, even the most securely written code could become an administrative nightmare.”
Cloudflare is capable of handling many DDoS attacks—that’s one of its claims to fame. But this record-setting attack was a symptom of a larger problem involving unpatched GitLab instances (and the continued vulnerability of IoT devices) that poses even greater risks to potential victims.