Google Cloud reveals it blocked the largest distributed denial of service (DDoS) attack on record. This attack peaked at 46 million requests per second (rps).

The June 1st attack targeted one Google Cloud customer using the Google Cloud Armor DDoS protection service.

Starting at 9:45 Pacific time and lasting 69 minutes, the attack flooded the customer’s HTTP/S load balancer with HTTPS requests. It began at 10,000 rps, scaled to 100,000 rps within minutes, and then peaked at 46 million rps.

Google says it is the largest Layer 7 attack recorded to date, Layer 7 being the application layer, the top layer of the OSI model.

The attack against Google’s customer was almost double the size of the HTTPS DDoS attack against a Cloudflare customer, which peaked at 26 million rps in June. That attack relied on a relatively small botnet of 5,067 devices spread across 127 countries.

The attack on the Google customer was also conducted over HTTPS, but used “HTTP pipelining”, a technique for scaling up rps. According to Google, the attack came from 5,256 source IP addresses in 132 countries.

“The attack utilized encrypted requests (HTTPS), which required additional computing resources to generate,” Google said.

“In order to inspect the traffic and effectively mitigate the attack, the encryption had to be terminated, but because HTTP pipelining was used, Google only had to complete a relatively small number of TLS handshakes.”


Google says the geographic distribution and the types of unsecured services used to generate the attack match the Mēris family of botnets. Mēris is an IoT botnet that emerged in 2021, made up mostly of compromised MikroTik routers.

Qrator researchers who previously analyzed Mēris’ use of HTTP pipelining explained that the technique involves sending batches of junk HTTP requests to the targeted server over a single connection and forcing it to respond to each batch. Pipelining scales up the rps while, as Google noted, sparing the attacker from completing a TLS handshake for every request.

Cloudflare attributes the 26 million rps attack to the Mantis botnet, which it considers an evolution of Mēris. According to Cloudflare, Mantis used hijacked virtual machines and servers hosted by cloud companies rather than low-bandwidth IoT devices.

Google noted that this Mēris-related botnet abused unsecured proxies to obfuscate the true origin of the attack.

Also, approximately 22% or 1,169 of the source IPs corresponded to Tor exit nodes, yet only 3% of the attack traffic was from these nodes.

“We believe that Tor’s participation in the attack was incidental due to the nature of the vulnerable services, but even at 3% of the peak (over 1.3 million rps), Tor exit nodes generated a large amount of unwanted traffic to web applications and services.”
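As an added illustration that is not part of Google’s or Qrator’s analysis, the following Python sketch shows two defender-side checks the figures above point at: the requests-per-TLS-connection ratio that separates a pipelined flood from ordinary clients, and the gap between a Tor exit’s share of source IPs and its share of requests. Every log record, address and the Tor exit list is constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    ts: float      # request arrival, epoch seconds
    src_ip: str    # client address seen by the load balancer
    conn_id: str   # one TLS connection, i.e. one completed handshake

def _build_sample() -> list[Record]:
    """Constructed traffic: two pipelining sources, one Tor exit, normal clients."""
    recs = []
    # Pipelining sources: 400 requests in one second over a single connection each.
    for ip, conn in (("203.0.113.7", "c1"), ("198.51.100.9", "c2")):
        recs += [Record(10.0 + i / 400, ip, conn) for i in range(400)]
    # Constructed Tor exit: 20 requests spread over 5 connections.
    recs += [Record(10.0 + i / 20, "192.0.2.44", f"t{i % 5}") for i in range(20)]
    # Normal clients: 3 requests per connection, spread over about 10 seconds.
    for n in range(20):
        recs += [Record(5.0 + n * 0.5 + j * 0.1, f"10.0.0.{n}", f"n{n}") for j in range(3)]
    return recs

SAMPLE = _build_sample()
TOR_EXITS = {"192.0.2.44"}  # constructed stand-in for a Tor exit-node list

def peak_rps(records: list[Record]) -> int:
    """Highest number of requests landing in any one-second bucket."""
    buckets = Counter(int(r.ts) for r in records)
    return max(buckets.values(), default=0)

def requests_per_connection(records: list[Record]) -> dict[str, float]:
    """Mean requests per TLS connection for each source IP: pipelining sources
    push many requests through one handshake, ordinary browsers only a few."""
    conns, reqs = defaultdict(set), Counter()
    for r in records:
        conns[r.src_ip].add(r.conn_id)
        reqs[r.src_ip] += 1
    return {ip: reqs[ip] / len(conns[ip]) for ip in reqs}

def flag_pipelining(records: list[Record], threshold: float = 50.0) -> set[str]:
    """Source IPs whose requests-per-connection ratio exceeds the threshold."""
    return {ip for ip, ratio in requests_per_connection(records).items() if ratio > threshold}

def tor_share(records: list[Record], tor_exits: set[str]) -> tuple[float, float]:
    """(share of distinct source IPs that are Tor exits, share of requests from them)."""
    ips = {r.src_ip for r in records}
    tor_reqs = sum(r.src_ip in tor_exits for r in records)
    return len(ips & tor_exits) / len(ips), tor_reqs / len(records)
```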

