CloudFlare has said it has observed mobile advertisements that are pumping out around 275,000 HTTP requests per second.
No victims have been named, but cloudflare has said the Layer 7 HTTP floods hitting the target is a once-theoretical attack turning up in the real world.
London CloudFlare engineer Marek Majkowski says the difficulty in turning HTTP floods into a real attack was overcome using malicious JavaScript in an advertisement.
“Browser-based L7 floods have been rumored as a theoretical threat for a long time,” Majkowski says.
“It seems the biggest difficulty is not in creating the JavaScript — it is in effectively distributing it.
“Since an efficient distribution vector is crucial in issuing large floods, up until now I haven’t seen many sizable browser-based floods.”
CloudFlare recorded 4.5 billion requests in a day of attacks against a customer domain, originating from around 650 thousand unique IPs addresses, with pretty much all traffic coming from mobile devices in China.
Small website operators will not be well equipped to mitigate attacks such as this one, as they’re completely different to DDoS attacks we’re used to. It’s clear that this could in fact be a new development in the threat landscape.
Other recent DDoS victims have included 4chan and 8chan, who were DDoS’d through code hiding in images on imgur.