Google reported that it blocked the largest HTTPS-based DDoS attack on record in June 2022. The attack reached a reported 46 million requests per second, 76% larger than the previous record for DDoS attacks reported by Cloudflare. Fortunately, the attack was blocked and didn’t cause any major outages, but it shows how attackers are continuing to become more proficient in these types of attacks.
What is a DDoS Attack?
A DDoS attack is a type of cyber attack designed to overload a server or network with requests, making it unavailable to legitimate users. DDoS attacks are usually carried out by botnets, which are networks of infected computers controlled by a hacker.
DDoS attacks can be very disruptive and costly, which is why they are considered a serious threat. If you are a victim of a DDoS attack, it is important to take steps to mitigate the damage and protect your servers or networks.
Timeline for the Attack
Google provided a timeline for what happened on June 1.
The attack started at approximately 09:45 PT (16:45 UTC) on June 1st with over 10,000 requests per second (rps) targeting one of Google’s HTTP Load Balancers. In less than eight minutes the attack had grown to 100,000 rps, and two minutes later it hit its peak of 46 million rps.
At this point, Google reported that its Cloud Armor Adaptive Protection service had detected the attack, generated alerts and created a recommended rule to block the malicious activity.
After that, the attack started to dwindle, ending at 10:54 PT (17:54 UTC).
In the description of the incident, the investigators at Google pointed out some of the attack’s “noteworthy characteristics”. They identified a potential link between this attack and an earlier DDoS flood: based on the geographic distribution of the endpoints used in this attack and the types of unsecured services used, it seemed to match the Meris botnet family of attacks.
Like the earlier DDoS attack, the Google-blocked event counted 5,256 source IPs from 132 countries contributing to the attack.
Another important feature of this attack is that it used HTTPS requests, as opposed to HTTP. HTTPS-based attacks are more resource-intensive than their HTTP counterparts because establishing a secure TLS connection costs more in compute resources.
Roughly 22% of the source IPs corresponded to Tor exit nodes. However, the request volume from those represented only 3 percent of the traffic, according to Google security researchers.
“While we believe Tor participation in the attack was incidental due to the nature of the vulnerable services, even at 3 percent of the peak (greater than 1.3 million rps) our analysis shows that Tor exit-nodes can send a significant amount of unwelcome traffic to web applications and services,” they noted.
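The timeline and the Tor figures above describe two things a defender can measure from request logs: a request rate that jumps by an order of magnitude, and a group of sources whose share of distinct IPs differs from its share of requests. The following is an added example, not code from Google or from the article; the window size, growth factor, sample events and the tagged IP set are constructed assumptions, and this is not how Cloud Armor Adaptive Protection works internally.

```python
from collections import Counter

def per_second_rates(events):
    """events: iterable of (epoch_second, src_ip) -> {second: request count}."""
    return Counter(ts for ts, _ in events)

def ramp_alerts(rates, window=5, factor=10.0, floor=1.0):
    """Return seconds whose rate is >= factor x the mean rate of the
    preceding `window` seconds. `floor` keeps an idle baseline from
    turning every request into an alert (thresholds are assumptions)."""
    alerts = []
    for sec in range(min(rates) + window, max(rates) + 1):
        baseline = sum(rates.get(s, 0) for s in range(sec - window, sec)) / window
        if rates.get(sec, 0) >= factor * max(baseline, floor):
            alerts.append(sec)
    return alerts

def source_share(events, tagged_ips):
    """Return (share of distinct source IPs, share of requests) that
    belong to tagged_ips, e.g. a list of Tor exit nodes."""
    per_ip = Counter(ip for _, ip in events)
    tagged = [ip for ip in per_ip if ip in tagged_ips]
    ip_share = len(tagged) / len(per_ip)
    req_share = sum(per_ip[ip] for ip in tagged) / sum(per_ip.values())
    return ip_share, req_share

# Constructed sample (documentation IP ranges, not real attack data):
# five quiet seconds from one client, then a one-second burst.
SAMPLE = [(s, "198.51.100.1") for s in range(5) for _ in range(2)]
SAMPLE += [(5, f"192.0.2.{n}") for n in range(1, 8) for _ in range(12)]
SAMPLE += [(5, f"203.0.113.{n}") for n in range(1, 3) for _ in range(3)]
TAGGED = {"203.0.113.1", "203.0.113.2"}  # stand-in for a Tor exit list

if __name__ == "__main__":
    rates = per_second_rates(SAMPLE)
    print("alert seconds:", ramp_alerts(rates))
    ip_share, req_share = source_share(SAMPLE, TAGGED)
    print(f"tagged sources: {ip_share:.0%} of IPs, {req_share:.0%} of requests")
```

In the sample, the tagged sources are a fifth of the distinct IPs but a much smaller share of the requests, the same shape as the 22% versus 3 percent split Google reported.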
The attack also comes amid a massive spike in DDoS volume since the beginning of the year.
In a threat analysis report published earlier this week, Radware documented a 203 percent increase in the number of these traffic events mitigated per customer during the first six months of 2022, compared to the first six months of last year, and a 239 percent jump compared to the last six months of 2021.
The security firm also said it mitigated 60 percent more DDoS attacks in the first six months of this year compared to the entire 12 months of 2021. In addition, the average volume blocked per customer per month in 2022 (between January and June) reached 3.39TB, a 47 percent increase compared to 2021.
In April, Kaspersky released a report saying that DDoS attacks hit an all-time high, with an increase of over 46% quarter-over-quarter and an increase in targeted attacks of 81%.
Recap
In conclusion, the record-breaking DDoS attack that Google faced was a result of poor security practices. The company did not properly secure its servers, and as a result, hackers were able to take them down.