Google announced to have blocked the largest ever HTTPs DDoS attack that hit one of its Cloud Armor customers. The IT giant revealed that the attack reached 46 million requests per second (RPS).
The attack took place on June 1st, at 09:45, it started with more than 10,000 requests per second (rps) and targeted a customer’s HTTP/S Load Balancer. Eight minutes later, the attack grew to 100,000 requests per second, and two minutes later reached 46 million RPS. The DDoS attack lasted 69 minutes.
The company pointed out that the volume of requests per second is at least 76% more than the previous record, which was blocked by Cloudflare in June and that reached 26 million RPS.
“This is the largest Layer 7 DDoS reported to date—at least 76% larger than the previously reported record. To give a sense of the scale of the attack, that is like receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds.” reported Google.
The experts reported that the attack originated from 5,256 source IPs from 132 countries, the top 4 countries contributed approximately 31% of the total attack traffic.
Approximately 22% (1,169) of the source IPs corresponded to Tor exit nodes, but experts pointed out that the request volume coming from those nodes represented just 3% of the attack traffic.
“While we believe Tor participation in the attack was incidental due to the nature of the vulnerable services, even at 3% of the peak (greater than 1.3 million rps) our analysis shows that Tor exit-nodes can send a significant amount of unwelcome traffic to web applications and services.” continues the report.
The geographic distribution and types of unsecured services that were involved in the attack suggest it was launched by a Mēris botnet.
“The attack was stopped at the edge of Google’s network, with the malicious requests blocked upstream from the customer’s application. Before the attack started, the customer had already configured Adaptive Protection in their relevant Cloud Armor security policy to learn and establish a baseline model of the normal traffic patterns for their service. ” concludes the experts. “As a result, Adaptive Protection was able to detect the DDoS attack early in its life cycle, analyze its incoming traffic, and generate an alert with a recommended protective rule–all before the attack ramped up. The customer acted on the alert by deploying the recommended rule leveraging Cloud Armor’s recently launched rate limiting capability to throttle the attack traffic.”
Another Cloudflare customer was hit with DDoS reaching 26 million RPS.
Follow me on Twitter: @securityaffairs and Facebook
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, HTTPs DDoS)