Google Cloud claims to have blocked the largest ever Layer 7 DDoS attack

Google Cloud Platform said on Thursday that it successfully repelled what it believes was the largest Layer 7 distributed-denial-of-service (DDoS) attack ever witnessed, when a malicious actor tried to interfere with one of its customers’ internet-based services in June.

The attack used HTTPS-based requests and peaked at an astounding 46 million requests per second (RPS).

DDoS attacks, one of the most powerful weapons available to cyber actors, target online services and websites and overwhelm them with massive volumes of traffic that the server or network cannot accommodate.

The main goal behind such attacks is to create problems for the business by making their website inoperable. The disruption also causes issues for individual users who are prevented from accessing the services they require.

According to Google, the attack began on June 1 at 9:45 Pacific Time, and targeted the victim’s HTTP/S load balancer initially with 10,000 RPS; volumes increased to 100,000 RPS after eight minutes.

By analysing the data across several dozen characteristics and attributes, the company’s Cloud Armor Adaptive Protection system was able to detect the attack and provide an alert that included the attack signature and a recommended rule to block the fraudulent signature.

The DDoS attack intensified further two minutes later, going from 100,000 RPS to a peak of 46 million RPS.

Despite the significant escalation, Google stated the cyber actors were unable to disrupt the customer’s services.

“Since Cloud Armor was already blocking the attack traffic, the target workload continued to operate normally,” the company said.

The attack came to an end 69 minutes after it began.

“Presumably the attacker likely determined they were not having the desired impact while incurring significant expenses to execute the attack.”

According to Google, the attack was 76% more powerful than the 26 million RPS attack that web security provider Cloudflare experienced in June.

Google says the DDoS attack that it blocked was the equivalent of receiving all the daily requests to Wikipedia in just 10 seconds.

An investigation conducted by Google led it to suspect that the Meris botnet, which consists of hundreds of thousands of compromised routers and modems, was responsible for the DDoS attack. Many of those infected modems and routers were sold by a company named MikroTik.

According to Google researchers, the attack used encrypted HTTPS requests and originated from only 5,256 IP addresses scattered over 132 different countries. This suggests that the machines delivering the queries had powerful computational capabilities.

The use of Tor exit nodes to send the traffic was another distinguishing feature of the attack.

The attack coincides with a sharp increase in DDoS activity since the start of the year.

Radware reported a 203 percent increase in the amount of these traffic events mitigated per customer during the first half of 2022, compared to the first half of last year, in a threat analysis report released earlier this week.

In April, Kaspersky stated in a report that DDoS attacks reached a record high in the first quarter of 2022, up 46% quarter-over-quarter, while the number of targeted attacks rose by 81%.

Last year, Cloudflare said it mitigated a multi-vector, DDoS attack that was launched from 15,000 bots running Mirai malware on compromised IoT devices and unpatched GitLab instances.

Leave a Comment