Back in June, Cloudflare reported that it had stopped the largest HTTPS distributed denial-of-service (DDoS) attack on record, which peaked at 26 million requests per second (rps). That beat its own earlier records of 17.2 million rps in August 2021 and 15.3 million rps in April 2022. Fast-forward to August, and Google has announced that it now holds the crown for blocking the biggest DDoS attack on record.
In a Google Cloud blog post, the company says it blocked a DDoS attack that peaked at 46 million requests per second, roughly 76% larger than Cloudflare's best. For a sense of scale, imagine every request sent to Wikipedia worldwide in a single day, and then imagine all of them arriving within 10 seconds instead of being spread over the whole day.
The attack targeted a Google Cloud customer using Cloud Armor. Google says that as soon as the service detected signs of an attack, it alerted the customer and recommended a protective rule to block it. That rule was deployed before the request rate reached its peak, so the customer stayed online while Cloud Armor protected its infrastructure and workloads.
Google says the attack began early on June 1 at 10,000 rps and ramped up to 100,000 rps within eight minutes, at which point Cloud Armor Adaptive Protection kicked in. Two minutes later the rate had climbed to 46 million rps, but by then the recommended rule was in place and the customer continued operating. The attack tailed off and ended 69 minutes after it started, most likely because it was not having the desired effect once Cloud Armor was blocking it. The practical lesson is that the gap between the first detectable anomaly and the peak, here about two minutes, is the window in which a mitigation rule has to be generated and deployed.
In its analysis of the overall attack, Google has noted that:
In addition to its unexpectedly high volume of traffic, the attack had other noteworthy characteristics. There were 5,256 source IPs from 132 countries contributing to the attack. As you can see in Figure 2 above, the top 4 countries contributed approximately 31% of the total attack traffic. The attack leveraged encrypted requests (HTTPS) which would have taken added computing resources to generate. Although terminating the encryption was necessary to inspect the traffic and effectively mitigate the attack, the use of HTTP Pipelining required Google to complete relatively few TLS handshakes.
Approximately 22% (1,169) of the source IPs corresponded to Tor exit nodes, although the request volume coming from those nodes represented just 3% of the attack traffic. While we believe Tor participation in the attack was incidental due to the nature of the vulnerable services, even at 3% of the peak (greater than 1.3 million rps) our analysis shows that Tor exit-nodes can send a significant amount of unwelcome traffic to web applications and services.
The geographic distribution and types of unsecured services leveraged to generate the attack matches the Mēris family of attacks. Known for its massive attacks that have broken DDoS records, the Mēris method abuses unsecured proxies to obfuscate the true origin of the attacks.
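The two analyses above, the early surge detection that fired at 100,000 rps and the observation that Tor exit nodes were 22% of the source IPs but only 3% of the traffic, can both be reproduced from ordinary access logs. The following is an added example written for this article, not Google's or Cloud Armor's code: it parses combined-log-style lines, buckets them per second, raises an alert when one second exceeds five times the trailing median (a threshold chosen here as an assumption), and compares a given IP set's share of distinct sources with its share of requests. All log lines, IP addresses and the "Tor exit list" are constructed from RFC 5737 documentation ranges; in practice you would load the exit list published by the Tor Project.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: all addresses come from RFC 5737 documentation ranges.
BASE_TIME = datetime(2022, 6, 1, 9, 45, 0)
LEGIT_IPS = [f"203.0.113.{i}" for i in range(1, 6)]       # 5 ordinary clients
ATTACK_IPS = [f"198.51.100.{i}" for i in range(1, 41)]    # 40 high-volume attack sources
TOR_EXIT_IPS = [f"192.0.2.{i}" for i in range(1, 11)]     # 10 stand-ins for Tor exits (hypothetical list)

# Combined-log-style line, e.g.:
# 203.0.113.1 - - [01/Jun/2022:09:45:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def fmt_line(ts, ip):
    """Render one constructed access-log line."""
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S} +0000] "GET / HTTP/1.1" 200 512'


def parse_line(line):
    """Return (timestamp, source_ip), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return ts, m["ip"]


def make_sample_log():
    """70 s of traffic: 60 s of 20 rps background, then a 10 s flood rising 200 -> 2000 rps."""
    lines = []
    for s in range(70):
        ts = BASE_TIME + timedelta(seconds=s)
        for k in range(20):
            lines.append(fmt_line(ts, LEGIT_IPS[k % len(LEGIT_IPS)]))
        if s >= 60:
            flood = 200 * (s - 59)
            # Each Tor exit contributes one request per second: many IPs, little volume.
            for ip in TOR_EXIT_IPS:
                lines.append(fmt_line(ts, ip))
            for k in range(flood - len(TOR_EXIT_IPS)):
                lines.append(fmt_line(ts, ATTACK_IPS[k % len(ATTACK_IPS)]))
    return lines


def requests_per_second(events):
    """Bucket parsed events into a sorted list of (second, count)."""
    counts = Counter(ts.replace(microsecond=0) for ts, _ in events)
    return sorted(counts.items())


def detect_surge(series, window=30, ratio=5.0):
    """Flag the first second whose count exceeds `ratio` x the median of the
    trailing `window` seconds. Returns ((alert_time, rps) or None, (peak_time, peak_rps))."""
    alert = None
    for i in range(window, len(series)):
        baseline = median([n for _, n in series[i - window:i]])
        ts, n = series[i]
        if baseline > 0 and n > ratio * baseline:
            alert = (ts, n)
            break
    peak = max(series, key=lambda item: item[1])
    return alert, peak


def source_share(events, ip_set):
    """Compare an IP set's share of distinct sources with its share of requests."""
    by_ip = Counter(ip for _, ip in events)
    hits = [ip for ip in by_ip if ip in ip_set]
    return {
        "ips_in_set": len(hits),
        "ips_total": len(by_ip),
        "requests_in_set": sum(by_ip[ip] for ip in hits),
        "requests_total": sum(by_ip.values()),
    }


def analyse(lines):
    events = [e for e in map(parse_line, lines) if e is not None]
    series = requests_per_second(events)
    alert, peak = detect_surge(series)
    lead = (peak[0] - alert[0]).total_seconds() if alert else None
    return {"alert": alert, "peak": peak, "lead_seconds": lead,
            "tor": source_share(events, set(TOR_EXIT_IPS))}


if __name__ == "__main__":
    result = analyse(make_sample_log())
    print(f"alert at {result['alert'][0]:%H:%M:%S} ({result['alert'][1]} rps), "
          f"peak {result['peak'][1]} rps {result['lead_seconds']:.0f}s later")
    t = result["tor"]
    print(f"Tor exits: {t['ips_in_set']}/{t['ips_total']} sources, "
          f"{t['requests_in_set']}/{t['requests_total']} requests")
```

On the constructed data the alert fires in the first second of the flood, nine seconds before the peak, which is the kind of lead time a rule needs in order to be in place before traffic maxes out. The Tor figures come out as 10 of 55 sources but only 100 of 12,400 requests, the same shape as Google's 22%-of-IPs versus 3%-of-traffic finding: a blocklist keyed on source count alone would overstate how much relief blocking those exits brings. One caveat: a per-request access log hides the connection structure, so it cannot show the effect Google describes with HTTP pipelining, where many requests ride on few TLS handshakes; measuring that needs connection or TLS-termination logs.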
Google warns that DDoS attacks are increasingly aimed at mission-critical workloads. Accordingly, the company recommends a defense-in-depth strategy, which, unsurprisingly, includes Google Cloud Armor.