Google says it recently fended off the largest HTTPS DDoS attack in history from taking down a customer’s internet services hosted over Google Cloud.
The incident occurred on June 1, and resulted in an DDoS attack that peaked at 46 million requests per second using HTTPS-based requests. “This is the largest Layer 7 DDoS reported to date,” according to Google product manager Emil Kiner and technical lead Satya Konduru.
“To give a sense of the scale of the attack, that is like receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds,” they added.
The attack was also about 76% more powerful than the 26 million RPS attack that Cloudflare encountered during the same month, the previous record-holder for largest HTTPS DDoS attack. (In January, Microsoft defended a record-breaking DDoS attack at 3.47Tbps, but the assault used a “volumetric” method to bombard the network, putting it in a different class of DDoS attack.)
DDoS attacks are designed to knock an internet site or service offline by bombarding the destination with a flood of web traffic. The June incident against the Google Cloud customer initially began as an assault made up of more than 10,000 requests per second before escalating to 100,000 RPS eight minutes later.
In response, Google’s anti-DDoS Cloud Armor system immediately detected the attack and generated an alert, which began blocking the sources of the malicious web traffic. “In the two minutes that followed, the attack began to ramp up, growing from 100,000 RPS to a peak of 46 million RPS,” the company said.
However, the massive surge in traffic failed to disrupt Google Cloud. “Since Cloud Armor was already blocking the attack traffic, the target workload continued to operate normally,” the company added. “Over the next few minutes, the attack started to decrease in size, ultimately ending 69 minutes later at 10:54 a.m. Presumably the attacker likely determined they were not having the desired impact while incurring significant expenses to execute the attack.”
The company suspects the DDoS came from the Meris botnet, which is made up of hundreds of thousands of infected internet routers and modems, many of them belonging to MikroTik. The botnet was likely created thanks to vulnerability in MikroTik products that can allow a hacker to remotely take over the devices.
The Meris botnet has also been linked to other major DDoS incidents, including a 22 million RPS attack that hit Russian company Yandex last year. The recent assault on Google indicates the Meris botnet can generate even more firepower. But even so, it wasn’t enough to faze the search giant’s cloud services.
To stop the attack, Google says its Cloud Armor system can establish a “baseline model of the normal traffic patterns” to a customer’s website. The same system also has a “rate-limiting capability" that can allow a customer to carefully throttle the malicious web traffic, without impacting legitimate website requests.
The company shared details about the attack to both warn the tech community and to attract corporate clients to its cloud services. “With Google Cloud Armor, you are able to protect your internet facing applications at the edge of Google’s network and absorb unwelcome traffic far upstream from your applications,” the tech giant added.