Google Cloud said today it fended off what it believes was the largest Layer-7 distributed-denial-of-service attack ever seen, when an attacker attempted to disrupt one of its customers’ internet-based services on June 1.
The DDoS attack peaked at a stunning 46 million requests per second using Hypertext Transfer Protocol Secure-based requests.
“This is the largest Layer 7 DDoS attack reported to date,” said Google Cloud product manager Emil Kiner and technical lead Satya Konduru in a blog post describing the incident. “To give a sense of the scale of the attack, that is like receiving all of the daily requests to Wikipedia in just 10 seconds,” they added.
Google added that the attack was 76% more powerful than the 26 million RPS attack that was encountered by Cloudflare Inc. during the same month, which had been regarded as the largest to date.
DDoS attacks are used by malicious persons or entities to take websites and applications offline. They do this by bombarding a service with web traffic in the shape of millions of requests performed by bots. The June incident began with an assault of around 10,000 requests per second, which escalated to 100,000 RPS around eight minutes later.
Google Cloud’s anti-DDoS Cloud Armor immediately burst into action, generating an alert that enabled it to start blocking the malicious web traffic. “In the two minutes that followed, the attack began to ramp up, growing from 100,000 RPS to a peak of 46 million RPS,” Kiner and Konduru wrote.
Despite the massive escalation, the attackers were unable to disrupt the customer’s services, Google said.
“Since Cloud Armor was already blocking the attack traffic, the target workload continued to operate normally,” the employees wrote. “Over the next few minutes, the attack started to decrease in size, ultimately ending 69 minutes later at 10:54 a.m. Presumably the attacker likely determined they were not having the desired impact while incurring significant expenses to execute the attack.”
Google said that an investigation has led it to believe the DDoS attacks were perpetrated by the Meris botnet, which is made up of hundreds of thousands of infected internet modems and routers, many of which were sold by a company called MikroTik. It’s said that the botnet was created due to a vulnerability in MikroTik’s products that enables hackers to remotely control those devices.
The Meris botnet has been linked to a number of other high-profile DDoS attacks in recent times, including a 22 million RPS attack against the Russian search company Yandex LLC last year. That was a powerful attack itself, but the recent assault uncovered by Google shows the Meris botnet has the ability to generate much more firepower. However, it remains to be seen if it has enough to take on Google’s Cloud Armor service.
Kiner and Konduru explained that Cloud Armor has the ability to establish a baseline model of normal traffic patterns for each customer’s website. It also has a rate-limiting capability that enables customers to carefully throttle malicious traffic while allowing legitimate requests to interact with the service as normal.
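The two mechanisms described above, a learned traffic baseline and per-client throttling, can be sketched in a few lines of Python. This is an added illustration, not Google's or Cloud Armor's code: the 2,000 RPS "normal" level, the 3x alert factor, the 100-requests-per-minute limit and all class and key names are assumptions, and only the 10,000 / 100,000 / 46 million RPS ramp comes from the incident timeline.

```python
from collections import defaultdict

class BaselineDetector:
    """Learns normal requests/second as an EWMA and flags large deviations."""
    def __init__(self, alpha=0.05, factor=3.0, warmup=60):
        self.alpha, self.factor, self.warmup = alpha, factor, warmup
        self.baseline, self.seen = None, 0

    def observe(self, rps):
        self.seen += 1
        if self.baseline is None:
            self.baseline = float(rps)
            return False
        if self.seen > self.warmup and rps > self.factor * self.baseline:
            return True  # anomalous second: alert, and do not learn from it
        self.baseline += self.alpha * (rps - self.baseline)
        return False

class Throttle:
    """Fixed-window limit per client key (e.g. source IP): `limit` per interval."""
    def __init__(self, limit, interval_s):
        self.limit, self.interval_s = limit, interval_s
        self.counts = defaultdict(lambda: [None, 0])  # key -> [window id, count]

    def allow(self, key, now):
        window = int(now // self.interval_s)
        slot = self.counts[key]
        if slot[0] != window:          # new window: reset this key's counter
            slot[0], slot[1] = window, 0
        slot[1] += 1
        return slot[1] <= self.limit   # excess requests from this key are dropped

def first_alert(series, detector):
    """Index (in seconds) of the first sample the detector flags, or None."""
    for second, rps in enumerate(series):
        if detector.observe(rps):
            return second
    return None

# Constructed per-second series: 2 minutes of assumed normal traffic, then the
# reported ramp (10,000 RPS for 8 minutes, then 100,000 -> 46,000,000 in 2 minutes).
NORMAL = [2_000] * 120
RAMP = [100_000 + (46_000_000 - 100_000) * i // 119 for i in range(120)]
SERIES = NORMAL + [10_000] * 480 + RAMP

if __name__ == "__main__":
    print("first alert at second", first_alert(SERIES, BaselineDetector()))
    t = Throttle(limit=100, interval_s=60)
    print("bot requests allowed:", sum(t.allow("bot", 5.0) for _ in range(500)))
```

Because flagged seconds are excluded from the baseline update, the attack traffic cannot teach the detector that 46 million RPS is normal, and the throttle caps each noisy key without touching clients that stay under the limit.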
The failed attack is obviously a great advertisement for Google’s Cloud Armor service and it comes at a time when enterprises may show more interest in DDoS attack protection. A number of recent reports show that DDoS attacks have become more commonplace this year. For instance, Radware Ltd. said in a threat analysis report earlier this week that it saw a 203% increase in DDoS attacks against its customers in the first six months of the year, compared to the same period a year earlier.
The security firm AO Kaspersky Lab said in April that it believed DDoS attacks hit an all-time high in the first quarter of the year, increasing by 46% from the previous quarter. Both Kaspersky and Radware said Russia’s invasion of Ukraine has played a major role in the increase in DDoS attacks this year.