Google claims to have recently fended off the largest ever HTTPS-based distributed denial of service attack, which peaked at 46 million requests per second. According to the cloud provider, the DDoS attack was quickly detected and stopped at the edge of Google’s network, and the customer was not impacted.
The attack happened on June 1st, when Google Cloud absorbed a Layer 7 DDoS attack that was larger than the DDoS attack reported in June by Cloudflare, so far the largest one on record. A distributed attack starting at 10000 rps began targeting a Google Cloud HTTP/S Load Balancer, growing first to 100000 rps and up to a peak of 46 million rps in just a few minutes. Emil Kiner, senior product manager at Google, and Satya Konduru, technical lead at Google, write:
To give a sense of the scale of the attack, that is like receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds.
Cloud Armor Adaptive Protection was used to detect and analyze the traffic early in the attack lifecycle, alerting the customer with a protective rule before the attack ramped up to its peak size. Deepak Kumar, senior director of engineering at Tellius, comments:
The largest DDoS attack in history was stopped by one managed service offering called Cloud Armor. A rich set of WAF rules on tools such as AWS WAF or Cloud Armor helps block the attacks. This should be part of the architecture, especially if you are into SaaS offerings.
Source: https://cloud.google.com/blog/products/identity-security/how-google-cloud-blocked-largest-layer-7-ddos-attack-at-46-million-rps
Kiner and Konduru provide some details on how the attack was performed:
There were 5256 source IPs from 132 countries contributing to the attack. Approximately 22% of the source IPs corresponded to Tor exit nodes, although the request volume coming from those nodes represented just 3% of the traffic. (...) The geographic distribution and types of unsecured services leveraged to generate the attack matches the Mēris family of attacks. Known for its massive attacks that have broken DDoS records, the Mēris method abuses unsecured proxies to obfuscate the true origin of the attacks.
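As an added illustration of two points above (alerting early in a ramp, before peak, and the gap between the share of source IPs and the share of traffic that Tor exit nodes contributed), the following Python script is not Google's or Cloud Armor's code; it runs over a constructed, compressed request sample and assumes a simple multiple-of-baseline threshold as the alert rule.

```python
from collections import Counter, defaultdict

# Constructed sample, not real traffic: tuples of (second, source_ip, is_tor_exit, requests).
# Seconds 0-4 are a quiet baseline; seconds 5-6 are the start of a ramp from many new sources.
SAMPLE = [
    *[(t, f"198.51.100.{i}", False, 2) for t in range(5) for i in range(5)],  # ~10 rps baseline
    *[(5, f"203.0.113.{i}", False, 40) for i in range(20)],   # ramp begins
    *[(5, f"192.0.2.{i}", True, 2) for i in range(6)],        # Tor exits: many IPs, little volume
    *[(6, f"203.0.113.{i}", False, 400) for i in range(20)],  # ramp accelerates
    *[(6, f"192.0.2.{i}", True, 4) for i in range(6)],
]

def requests_per_second(events):
    """Aggregate request counts into one-second buckets."""
    rps = defaultdict(int)
    for t, _ip, _tor, n in events:
        rps[t] += n
    return dict(rps)

def detect_ramp(events, baseline_seconds=5, multiplier=10):
    """Return (baseline_rps, alerts). An alert is (second, rps, ratio_to_baseline)
    for every second whose rate is at least `multiplier` times the mean rate of the
    first `baseline_seconds` seconds. The threshold rule is an assumption of this example."""
    rps = requests_per_second(events)
    baseline = sum(rps.get(t, 0) for t in range(baseline_seconds)) / baseline_seconds
    alerts = []
    for t in sorted(rps):
        if t >= baseline_seconds and rps[t] >= multiplier * baseline:
            alerts.append((t, rps[t], rps[t] / baseline))
    return baseline, alerts

def source_breakdown(events, since):
    """Compare Tor exits' share of distinct source IPs with their share of requests,
    counting only events from second `since` onward (the attack window)."""
    ip_is_tor = {}
    reqs = Counter()
    for t, ip, tor, n in events:
        if t < since:
            continue
        ip_is_tor[ip] = tor
        reqs[tor] += n
    n_tor_ips = sum(1 for v in ip_is_tor.values() if v)
    return {
        "sources": len(ip_is_tor),
        "ip_share": n_tor_ips / len(ip_is_tor),
        "request_share": reqs[True] / sum(reqs.values()),
    }

if __name__ == "__main__":
    base, alerts = detect_ramp(SAMPLE)
    print(f"baseline {base:.0f} rps; first alert at second {alerts[0][0]} ({alerts[0][1]} rps)")
    print(source_breakdown(SAMPLE, since=5))
```

In the constructed sample the first alert fires at second 5, well before the rate at second 6, and Tor exits are about 23% of the attacking IPs but under 1% of the requests, the same shape as the 22% / 3% figures quoted above.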
In a previous article describing the exponential growth in DDoS attack volumes on cloud providers and the key metrics of volumetric attacks, Damian Menscher, security reliability engineer at Google, writes:
The exponential growth across all metrics is apparent, often generating alarmist headlines as attack volumes grow. But we need to factor in the exponential growth of the internet itself, which provides bandwidth and compute to defenders as well. After accounting for the expected growth, the results are less concerning, though still problematic.
According to the cloud provider, the attack ended after 69 minutes when the attacker likely determined they were not having the desired impact while incurring significant expenses. The name of the targeted customer on Google Cloud has not been disclosed.