Cloudflare says it mitigated a distributed denial-of-service (DDoS) attack that peaked at just under 2 Tbps of bandwidth, launched from approximately 15,000 compromised devices.
The company says this was the largest DDoS attack it had witnessed to date (although Microsoft blocked a 2.4 Tbps DDoS attack launched from 70,000 devices in August). The attack was said to have used a mix of Mirai-infected Internet of Things devices, which are commonly used to launch massive DDoS attacks, and unpatched instances of the GitLab developer tool.
Rapid7 says that GitLab released a patch in April for CVE-2021-22205, a vulnerability that could be exploited for remote code execution. Yet nearly six months later, Rapid7 found that most of the 60,000 internet-facing GitLab instances were still unpatched.
That revelation was made on Nov. 1; Cloudflare says the DDoS attack it blocked was launched a week later. GitLab users have had months to patch their servers, but they haven’t, and now they’re being used in record-setting DDoS attacks. And that’s not even the worst-case scenario.
“While using these exploited hosts for DDoS is terrible by itself, there have also been discussions of other mass-exploitation attacks where random admin users were found,” another security company, Censys, says. “A bigger worry here is the potential for more advanced attacks. For example, an attacker could potentially introduce backdoors and vulnerable functionality into the source code of projects hosted by these services. If this were to happen, even the most securely written code could become an administrative nightmare.”
Cloudflare is capable of handling many DDoS attacks—that’s one of its claims to fame. But this record-setting attack was a symptom of a larger problem involving unpatched GitLab instances (and the continued vulnerability of IoT devices) that poses even greater risks to potential victims.