CloudFlare has said it has observed mobile advertisements that are pumping out around 275,000 HTTP requests per second.
No victims have been named, but cloudflare has said the Layer 7 HTTP floods hitting the target is a once-theoretical attack turning up in the real world.
“Browser-based L7 floods have been rumored as a theoretical threat for a long time,” Majkowski says.
“Since an efficient distribution vector is crucial in issuing large floods, up until now I haven’t seen many sizable browser-based floods.”
CloudFlare recorded 4.5 billion requests in a day of attacks against a customer domain, originating from around 650 thousand unique IPs addresses, with pretty much all traffic coming from mobile devices in China.
Small website operators will not be well equipped to mitigate attacks such as this one, as they’re completely different to DDoS attacks we’re used to. It’s clear that this could in fact be a new development in the threat landscape.
Other recent DDoS victims have included 4chan and 8chan, who were DDoS’d through code hiding in images on imgur.