Cloudflare just disclosed that they mitigated a DDoS attack peaking at 26 million HTTPS requests per second — the largest of its kind ever recorded. The attack, attributed to a botnet they’ve dubbed “Mantis,” targeted a customer using Cloudflare’s Free plan. Let that sink in: the largest HTTPS DDoS attack in history, absorbed by a free-tier service. The infrastructure behind that capability is remarkable, but the botnet itself is what keeps me up at night.
Why HTTPS DDoS Is Different
Most people hear “DDoS” and think of volumetric attacks — flooding a target with raw bandwidth. Those are the blunt instruments of the DDoS world, and while they can be massive (we’ve seen attacks exceeding 3 Tbps), they’re relatively straightforward to mitigate with sufficient network capacity.
HTTPS DDoS is a fundamentally different beast. Every new connection costs the target a TLS handshake (the asymmetric-crypto step is the expensive part), and every request on an established connection still costs TLS record decryption, HTTP parsing, and application-layer processing. The per-request cost is orders of magnitude higher than a UDP packet that a border filter can drop without ever reading it. An attacker generating 26 million HTTPS requests per second isn't just filling pipes; they're exhausting CPU, memory, and connection tables on the target. It's the difference between someone flooding your mailbox with empty envelopes and sending 26 million certified letters that each require a signature.
This is why the Mantis numbers are so alarming. The previous record was around 15.3 million HTTPS rps, set earlier this year. We’ve seen a 70% increase in attack capability in just months.
The Mantis Botnet Architecture
What makes Mantis particularly interesting — and concerning — is its composition. According to Cloudflare’s analysis, the botnet operates with approximately 5,000 nodes. That’s tiny by botnet standards. Mirai at its peak controlled hundreds of thousands of IoT devices. Mantis achieves its record-breaking output through quality over quantity.
The nodes aren't compromised IoT devices with limited compute. They're virtual machines and servers running in cloud data centers, each capable of generating thousands of HTTPS requests per second (26 million rps across roughly 5,000 nodes works out to about 5,200 rps per node on average). These are machines with powerful CPUs, generous memory, and high-bandwidth network connections: the same hardware we use to run production workloads.
This represents an evolution in DDoS strategy. Instead of infecting millions of cheap devices, attackers are compromising a smaller number of powerful machines. The economics make sense: a single compromised cloud VM can generate more malicious traffic than thousands of IoT lightbulbs, and it’s harder to distinguish from legitimate traffic because it originates from reputable IP ranges.
Cloud Providers as Unwitting Accomplices
The elephant in the room is that cloud providers are effectively hosting the attack infrastructure. These compromised VMs are running in AWS, GCP, Azure, and other platforms, using those providers’ bandwidth and compute to launch attacks. The attackers get enterprise-grade infrastructure at someone else’s expense.
This creates an uncomfortable responsibility question. Cloud providers have the technical capability to detect and shut down anomalous outbound traffic patterns. A VM suddenly generating thousands of HTTPS requests per second to a single target is not normal behavior. But implementing automated detection and response at scale is complex, and false positives could impact legitimate customers.
I’ve worked with enough cloud infrastructure to know that egress monitoring is often an afterthought. We obsess over ingress security — firewalls, WAFs, intrusion detection — but monitoring what leaves our networks gets far less attention. Mantis is a reminder that compromised infrastructure isn’t just a risk to the machine’s owner; it’s a risk to the entire internet.
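The "VM suddenly generating thousands of HTTPS connections to a single target" pattern is cheap to spot if anyone is looking at egress. The following is an added example written for this post, not code from Cloudflare or from any provider: it parses AWS VPC Flow Log records in the default v2 field order and flags an instance whose new-connection rate to one destination:port is far beyond anything a normal workload does. The thresholds, the instance addresses and the log lines are constructed for illustration.

```python
"""Egress-side detection: an instance opening new HTTPS connections to one
destination at a rate no legitimate workload needs. Parses AWS VPC Flow Log
records in the default v2 field order; thresholds and sample data below are
constructed for illustration, not tuned production values."""
from collections import defaultdict

# Default VPC Flow Log v2 field order (the AWS-documented layout).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Assumed thresholds: one distinct ephemeral source port ~ one new connection;
# dividing by the observed window gives a new-connection rate.
MIN_NEW_CONNECTIONS = 1000      # ignore short bursts
MIN_CONNECTIONS_PER_SEC = 500   # to a single dst:port from a single instance


def parse_flow(line):
    """Return one record as a dict, or None for lines that are not v2 flows.
    NODATA/SKIPDATA records carry '-' in numeric fields; treat those as 0."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    for k in INT_FIELDS:
        rec[k] = 0 if rec[k] == "-" else int(rec[k])
    return rec


def detect_egress_floods(lines, internal_prefix="10."):
    """Group ACCEPTed outbound TCP flows by (instance, dst, dstport) and flag
    groups whose new-connection rate crosses both thresholds."""
    groups = defaultdict(lambda: {"ports": set(), "first": None, "last": 0, "bytes": 0})
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["protocol"] != 6:
            continue
        if not rec["srcaddr"].startswith(internal_prefix):
            continue                      # only flows our own instances initiate
        g = groups[(rec["srcaddr"], rec["dstaddr"], rec["dstport"])]
        g["ports"].add(rec["srcport"])    # one ephemeral port ~ one connection
        g["first"] = rec["start"] if g["first"] is None else min(g["first"], rec["start"])
        g["last"] = max(g["last"], rec["end"])
        g["bytes"] += rec["bytes"]

    findings = []
    for (src, dst, dport), g in groups.items():
        conns = len(g["ports"])
        window = max(g["last"] - g["first"], 1)
        rate = conns / window
        if conns >= MIN_NEW_CONNECTIONS and rate >= MIN_CONNECTIONS_PER_SEC:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "new_connections": conns, "window_s": window,
                             "conns_per_sec": rate, "bytes": g["bytes"]})
    return sorted(findings, key=lambda f: -f["conns_per_sec"])


def build_sample_log():
    """Constructed sample (not a real capture): 10.0.1.5 opens 3,000 connections
    to 203.0.113.10:443 in five seconds; 10.0.1.9 behaves normally."""
    t0 = 1700000000
    lines = []
    for i in range(3000):
        sec = i // 600                    # 600 new connections per second
        lines.append(f"2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.10 "
                     f"{10000 + i} 443 6 8 1200 {t0 + sec} {t0 + sec + 1} ACCEPT OK")
    for i in range(20):
        lines.append(f"2 123456789012 eni-0e4f5a6b 10.0.1.9 198.51.100.7 "
                     f"{40000 + i} 443 6 25 18000 {t0 + 30 * i} {t0 + 30 * i + 2} ACCEPT OK")
    # A return flow (remote -> us) and a NODATA record; both must be ignored.
    lines.append(f"2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 443 10000 6 8 900 {t0} {t0 + 1} ACCEPT OK")
    lines.append(f"2 123456789012 eni-0a1b2c3d - - - - - - - {t0} {t0 + 60} - NODATA")
    return lines


if __name__ == "__main__":
    for f in detect_egress_floods(build_sample_log()):
        print(f"{f['src']} -> {f['dst']}:{f['dport']}: {f['new_connections']} new "
              f"connections in {f['window_s']}s ({f['conns_per_sec']:.0f}/s)")
```

Two caveats worth remembering before wiring something like this to an automated quarantine. Flow logs see connections, not requests, so a node driving thousands of requests per second over a handful of persistent HTTP/2 connections shows up as a byte-volume outlier rather than a connection-rate outlier; track both. And the false-positive risk the post mentions is real: a legitimate load-testing job or a crawler looks identical at this layer, so the sensible first response is an alert and a rate cap, not a kill switch.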
What This Means for Defense
If you’re running internet-facing services, the implications are straightforward but sobering. Traditional DDoS mitigation that relies on IP reputation and rate limiting is increasingly insufficient. Mantis traffic comes from cloud IP ranges that host millions of legitimate services. You can’t simply block AWS or GCP without cutting off real users.
The effective defenses are moving up the stack:
- Challenge-based mitigation: CAPTCHAs and JavaScript challenges that a real browser completes silently but a bare HTTP client cannot answer without running a JavaScript engine, which raises the attacker's cost per request
- Behavioral analysis: Distinguishing human browsing patterns (page navigation sequences, request timing, consistent header sets) from automated requests that repeat one endpoint at machine cadence
- Anycast networks: Distributing traffic across global points of presence so no single location is overwhelmed
- Managed DDoS services: Cloudflare, Akamai, and AWS Shield exist because most organizations can’t build this in-house
The cost asymmetry is the fundamental problem. Launching an HTTPS DDoS attack from compromised cloud infrastructure is cheap. Defending against it requires significant investment in global infrastructure. This is exactly why managed services make sense for all but the largest organizations.
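A challenge is the defender's lever on that asymmetry: make each request cost the client something before the origin spends anything on it. The block below is an added example, written for this post and not Cloudflare's mechanism, showing a proof-of-work style challenge, one member of the JavaScript-challenge family listed above. The server mints a stateless, HMAC-signed challenge bound to a client identifier, the client burns CPU to find an answer, and the server verifies it with one HMAC and one hash. The key, difficulty, TTL and the "nonce.ts.bits.binding.mac" format are assumptions for illustration.

```python
"""Proof-of-work style challenge: stateless issuance, expensive solve, cheap
verify. Editor's example; SERVER_KEY, DIFFICULTY_BITS, CHALLENGE_TTL and the
challenge string format are assumptions, not any vendor's real scheme."""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret; rotate it
DIFFICULTY_BITS = 12                   # ~2**12 hashes per answer; raise under attack
CHALLENGE_TTL = 60                     # seconds a challenge stays valid


def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_challenge(client_binding, now=None):
    """Server: returns 'nonce.ts.bits.binding.mac'. The binding (a session id,
    for example) stops one solved challenge being shared across botnet nodes."""
    now = int(time.time()) if now is None else now
    body = f"{secrets.token_hex(8)}.{now}.{DIFFICULTY_BITS}.{client_binding}"
    return f"{body}.{_mac(body)}"


def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_challenge(challenge):
    """Client (what the browser-side script would do): brute-force a counter
    until sha256(challenge:counter) has the demanded leading zero bits."""
    bits = int(challenge.split(".")[2])
    counter = 0
    while leading_zero_bits(hashlib.sha256(f"{challenge}:{counter}".encode()).digest()) < bits:
        counter += 1
    return counter


def verify_solution(challenge, counter, client_binding, now=None):
    """Server: cheapest checks first, so a forged challenge costs one HMAC."""
    now = int(time.time()) if now is None else now
    try:
        nonce, ts, bits, rest = challenge.split(".", 3)
        binding, mac = rest.rsplit(".", 1)
    except ValueError:
        return False                       # malformed
    body = f"{nonce}.{ts}.{bits}.{binding}"
    if not hmac.compare_digest(mac, _mac(body)):
        return False                       # forged or tampered
    if binding != client_binding or now - int(ts) > CHALLENGE_TTL:
        return False                       # wrong client or expired
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= int(bits)


if __name__ == "__main__":
    ch = issue_challenge("sess-abc")
    answer = solve_challenge(ch)
    print(f"solved with counter {answer}, valid={verify_solution(ch, answer, 'sess-abc')}")
```

Two design points. Because the challenge is stateless, a solved one can be replayed until the TTL runs out; a real deployment records seen nonces for the TTL window or, more commonly, swaps the solution for a signed session cookie and stops challenging that session. And the caveat that matters for this post: proof of work shifts cost onto the client, which hurts IoT lightbulbs badly and a Mantis-class cloud VM hardly at all, so against this botnet the value is less the hashing than forcing a JavaScript runtime and an extra round trip per client before the origin does any work.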
My Take
I’ve been watching DDoS evolution for two decades, and Mantis represents a phase shift. We’ve moved from script kiddies with IoT botnets to sophisticated operators leveraging cloud infrastructure. The 26 million rps number will be broken — probably within the year.
The uncomfortable truth is that our cloud-centric architecture has created the perfect attack platform. The same elasticity and global distribution that makes cloud computing powerful for legitimate use makes it powerful for attacks. Until cloud providers take more aggressive action on outbound abuse, we’re in an arms race where defenders are always reacting.
For now, if you’re running production services without DDoS protection, you’re living on borrowed time. The barrier to launching devastating attacks has never been lower, and the ceiling keeps rising.
