Google Cloud has revealed that it blocked the largest distributed denial of service (DDoS) attack on record, which peaked at 46 million requests per second (rps).
The June 1 attack targeted a Google Cloud customer using the Google Cloud Armor DDoS protection service.
Over the course of 69 minutes starting at 9:45 a.m. PT, attackers bombarded the customer’s HTTP/S load balancer with HTTPS requests, starting at 10,000 rps, climbing within minutes to 100,000 rps, and then peaking at 46 million rps.
Google says it’s the largest Layer 7 attack ever recorded; Layer 7 is the application layer, the top layer of the OSI networking model.
The attack on Google’s customer was almost twice as large as an HTTPS DDoS attack on a Cloudflare customer in June that peaked at 26 million rps. That Cloudflare attack also relied on a relatively small botnet consisting of 5,067 devices spread across 127 countries.
The attack against Google’s customer was also carried out over HTTPS, but it used “HTTP Pipelining”, a technique for sending many requests over a single connection to increase rps. Google says the attack originated from 5,256 source IP addresses in 132 countries.
“The attack exploited encrypted (HTTPS) requests that would have required additional computing resources to generate,” says Google.
“Although terminating the encryption was necessary to inspect the traffic and effectively mitigate the attack, the use of HTTP Pipelining required Google to complete relatively few TLS handshakes.”
Google says the geographic distribution and types of insecure services used to generate the attack match the Mēris family of botnets. Mēris is an IoT botnet that emerged in 2021 and consisted mostly of compromised MikroTik routers.
Researchers at Qrator who previously analyzed Mēris’ use of HTTP Pipelining explained that the technique involves sending batches of unnecessary HTTP requests to a targeted server without waiting for replies, forcing it to respond to each request in the batch. Pipelining increases the rps a single connection can deliver, which is why, as Google noted, relatively few TLS handshakes had to be completed: each handshake sets up one connection that then carries many requests.
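The mechanics described above, as an added example that is not code from Google, Qrator or the botnet: a throwaway local HTTP/1.1 server plus a client that writes N GET requests to one TCP connection in a single burst and then reads N responses back. The connection is plaintext for simplicity; with HTTPS the one connection would correspond to one TLS handshake carrying all N requests, which is the ratio the defender has to keep in mind when counting handshakes versus requests. The server, port and request paths are constructed for the demo.

```python
"""Added example: HTTP/1.1 pipelining, many requests per connection.

Not Google's, Qrator's or any botnet's code. Spins up a local HTTP/1.1 server
on an ephemeral port (constructed for the demo) and sends n GET requests over
ONE TCP connection without waiting for replies, then parses the n responses.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class DemoHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # keep-alive, so pipelined requests share one connection

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):  # keep the demo quiet
        pass


def start_server():
    """Start a local HTTP/1.1 server on 127.0.0.1:<ephemeral>; returns the server."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _split_responses(buf):
    """Pull every complete HTTP response out of buf.

    Returns (status_codes, remainder); remainder holds any partial response."""
    statuses = []
    while True:
        head_end = buf.find(b"\r\n\r\n")
        if head_end < 0:
            break
        lines = buf[:head_end].decode("iso-8859-1").split("\r\n")
        status = int(lines[0].split(" ", 2)[1])  # "HTTP/1.1 200 OK" -> 200
        clen = 0
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                clen = int(value.strip())
        total = head_end + 4 + clen
        if len(buf) < total:
            break  # body not fully received yet
        statuses.append(status)
        buf = buf[total:]
    return statuses, buf


def pipelined_get(host, port, n, timeout=5.0):
    """Send n GET requests on one connection in a single burst, read n responses.

    Returns (connections_opened, requests_sent, status_codes)."""
    batch = b"".join(
        f"GET /r{i} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode() for i in range(n)
    )
    statuses, buf = [], b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(batch)  # all n requests leave before any reply is read
        while len(statuses) < n:
            chunk = s.recv(65536)
            if not chunk:
                break
            buf += chunk
            got, buf = _split_responses(buf)
            statuses.extend(got)
    return 1, n, statuses


if __name__ == "__main__":
    server = start_server()
    conns, reqs, codes = pipelined_get("127.0.0.1", server.server_address[1], 8)
    print(f"connections={conns} requests={reqs} responses={len(codes)}")
    server.shutdown()
```

The useful defender-side takeaway is that a connection or handshake counter badly undercounts this traffic; request counting has to happen after TLS termination, at the HTTP layer, which is exactly why Google had to terminate the encryption to mitigate the attack.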
Cloudflare attributed the 26 million rps attack to what it called the Mantis botnet, which it considered an evolution of Mēris. According to Cloudflare, Mantis was powered by compromised virtual machines and servers hosted by cloud providers rather than by low-bandwidth IoT devices.
Google noted that this Mēris-linked botnet abused insecure proxies to hide the true origin of the attacks.
Google also noted that about 22%, or 1,169, of the source IP addresses corresponded to Tor exit nodes, but the volume of requests from these nodes accounted for only 3% of attack traffic.
“Although we believe that Tor’s participation in the attack was incidental due to the nature of the vulnerable services, even at 3% of the peak (above 1.3 million rps), our analysis shows that exit nodes of Tor can send a significant amount of unwanted traffic to web applications and services.”
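How figures like the ones in this article are produced from an access log, as an added example that is not Google's tooling: parse the log, find the peak one-second request rate, and compare the share of source IPs that belong to a labelled set (here standing in for a Tor exit-node list) with the share of requests those sources actually sent. The log lines and the exit-node set are constructed for the demo from RFC 5737 documentation addresses; they are not real attack data or real Tor exits.

```python
"""Added example (not Google's or Cloudflare's code): peak rps and
share-of-sources vs share-of-requests from an access log.

SAMPLE_LOG and EXIT_NODES are constructed for the demo using RFC 5737
documentation addresses; they are not real traffic or real Tor exit nodes.
"""
import re
from collections import Counter
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')

SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2022:09:45:00 -0700] "GET / HTTP/1.1" 200 2
203.0.113.10 - - [01/Jun/2022:09:45:00 -0700] "GET / HTTP/1.1" 200 2
203.0.113.10 - - [01/Jun/2022:09:45:00 -0700] "GET / HTTP/1.1" 200 2
203.0.113.10 - - [01/Jun/2022:09:45:00 -0700] "GET / HTTP/1.1" 200 2
203.0.113.11 - - [01/Jun/2022:09:45:00 -0700] "GET / HTTP/1.1" 200 2
203.0.113.11 - - [01/Jun/2022:09:45:00 -0700] "GET / HTTP/1.1" 200 2
203.0.113.11 - - [01/Jun/2022:09:45:01 -0700] "GET / HTTP/1.1" 200 2
203.0.113.12 - - [01/Jun/2022:09:45:01 -0700] "GET / HTTP/1.1" 200 2
203.0.113.12 - - [01/Jun/2022:09:45:01 -0700] "GET / HTTP/1.1" 200 2
198.51.100.7 - - [01/Jun/2022:09:45:01 -0700] "GET / HTTP/1.1" 200 2
198.51.100.8 - - [01/Jun/2022:09:45:02 -0700] "GET / HTTP/1.1" 200 2
203.0.113.13 - - [01/Jun/2022:09:45:02 -0700] "GET / HTTP/1.1" 200 2
"""

# Constructed stand-in for a Tor exit-node list.
EXIT_NODES = {"198.51.100.7", "198.51.100.8"}


def parse_log(text):
    """Return a list of (source_ip, timestamp, status) for each well-formed line."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ip, ts, _request, status = m.groups()
        stamp = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        records.append((ip, stamp, int(status)))
    return records


def peak_rps(records):
    """Highest number of requests seen in any one-second bucket."""
    per_second = Counter(ts.replace(microsecond=0) for _, ts, _ in records)
    return max(per_second.values()) if per_second else 0


def labelled_share(records, labelled):
    """(share_of_sources, share_of_requests) for the labelled IP set.

    These are the two numbers the article contrasts: 22% of source IPs
    were Tor exits, yet they produced only 3% of the requests."""
    by_ip = Counter(ip for ip, _, _ in records)
    if not by_ip:
        return 0.0, 0.0
    hits = [ip for ip in by_ip if ip in labelled]
    share_sources = len(hits) / len(by_ip)
    share_requests = sum(by_ip[ip] for ip in hits) / sum(by_ip.values())
    return share_sources, share_requests


def top_sources(records, n=3):
    """The n busiest source IPs, e.g. to find abused proxies that concentrate traffic."""
    return Counter(ip for ip, _, _ in records).most_common(n)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    src, req = labelled_share(recs, EXIT_NODES)
    print(f"records={len(recs)} peak_rps={peak_rps(recs)}")
    print(f"labelled sources={src:.0%} of IPs, {req:.0%} of requests")
    print("top sources:", top_sources(recs))
```

Counting per source and per second separately is what exposes the mismatch the article describes: a source list dominated by one category (exit nodes) can still carry a small fraction of the volume, so blocking on source reputation alone would have addressed little of the 46 million rps.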