Google Cloud blocks largest HTTPS DDoS attack ever

Google Cloud has claimed to have blocked the largest Layer 7 (HTTPS) DDoS attack to date after a Cloud Armor customer was targeted by a series of attacks that peaked at 46 million requests per second (rps). 

The vendor stated the attack, which occurred on June 1, was at least 76 per cent larger than the previously reported HTTPS DDoS record and showed characteristics that link it to the Mēris attack family.

The technology giant said Cloud Armor Adaptive Protection was able to detect and analyse the traffic early in the customer’s attack lifecycle, blocking the attack while ensuring the customer’s service stayed online. The attack comes amid increasing DDoS activity targeting organisations as attackers employ ever more infrastructure and diversity in campaigns.

HTTPS DDoS attack peaked at 46 million requests per second

In a blog post, Google Cloud wrote that, at around 9.45 a.m. PT on June 1, 2022, an attack of more than 10,000 rps began targeting a customer’s HTTPS load balancer. “Eight minutes later, the attack grew to 100,000 requests per second,” the firm added.

Cloud Armor generated an alert containing the attack signature by assessing the traffic and a recommended rule to block on the malicious signature, Google Cloud stated.

The customer’s network security team deployed the recommended rule into its security policy, and it started blocking the attack traffic. “They chose the ‘throttle’ action over a ‘deny’ action to reduce the chance of impact on legitimate traffic while severely limiting the attack capability by dropping most of the attack volume at Google’s network edge,” Google Cloud wrote.

“In the two minutes that followed, the attack began to ramp up, growing from 100,000 rps to a peak of 46 million rps. Since Cloud Armor was already blocking the attack traffic, the target workload continued to operate normally.” 

The attack then began decreasing in size, ultimately ending 69 minutes later at 10:54 a.m. “Presumably the attacker likely determined they were not having the desired impact while incurring significant expenses to execute the attack,” Google Cloud stated.

“The attack illustrates two trends: that DDoS attack sizes are continuing to grow exponentially and that attack methods are continuing to evolve, leveraging new kinds of vulnerable services from which to launch attacks,” Emil Kiner, senior product manager at Google Cloud, tells CSO.

New attack dwarfs previous HTTPS DDoS campaigns

The 46 million rps attack dwarfs the largest HTTPS DDoS attack previously recorded. In June 2022, Cloudfare detected and mitigated a 26 million rps attack that originated from a small but powerful botnet of 5,067 devices. 

In 2021, the same firm thwarted a then record DDoS attack that peaked at 17.2 million rps, before stopping a slightly smaller attack (15 million rps) in April 2022.

Noteworthy characteristics of the largest HTTPS DDoS attack, links to Mēris botnet

Along with a significantly high traffic volume, Google Cloud cited several other noteworthy characteristics in the attack. It identified 5,256 source IPs from 132 countries contributing to the attack, with the top four countries contributing approximately 31 per cent of the total traffic. 

Kiner tells CSO these countries were Brazil, India, Russia and Indonesia. Furthermore, the attack leveraged encrypted requests, which would have taken added computing resources to generate, Google Cloud stated.

“Although terminating the encryption was necessary to inspect the traffic and effectively mitigate the attack, the use of HTTP pipelining required Google to complete relatively few TLS handshakes,” the company added. 

Google Cloud approximated that 22 per cent (1,169) of the source IPs corresponded to Tor exit nodes, although the request volume coming from those nodes represented just three per cent of the attack traffic. 

“While we believe Tor participation in the attack was incidental due to the nature of the vulnerable services, even at three per cent of the peak (greater than 1.3 million rps) our analysis shows that Tor exit-nodes can send a significant amount of unwelcome traffic to web applications and services,” Google Cloud wrote.

Most interestingly, Google Cloud stated that the geographic distribution and types of unsecured services leveraged match the Mēris family of attacks, known for record-breaking DDoS campaigns that abuse unsecured proxies to obfuscate the true origin of attacks.

DDoS attacks on the rise, present rich mix of volume and duration

Generally, DDoS activity is increasing, impacting organisations across sectors and geographies. Radware’s 2022 H1 Global Threat Analysis Report discovered that, in the first six months of 2022, the number of malicious DDoS events mitigated per customer grew by 203 per cent compared to the first six months of 2021, and by 239 per cent when compared to the last six months of 2021.

“DDoS attack trends tend to be somewhat cyclical in their format, though there is an underlying trend over time of increasing volume, whether in bits per second (bps), packets per second (pps), or requests per second (rps),” Rik Turner, senior principal analyst at Omdia, tells CSO. 

This upward trend is partly explained by attackers’ ability to harness ever more infrastructure -- i.e., greater amounts of bots from which to launch attacks -- and the availability of DDoS as a service, which offers infrastructure that can be rented to mount an attack for however long the attacker desires, he adds.

“That said, volumetric attacks are only one variety of exploit, and while their overall size continues to increase with new record volumes announced almost yearly, it is not the case that the percentage of DDoS attacks that are volumetric is going up linearly,” Turner continues. 

Some years the percentage of volumetric attacks goes down, even as maximum volumes continue to rise, because attackers may be trying out new variants of attack methodology, he says.

“It’s also worth keeping an eye on the average duration of a DDoS attack, as it can often be that a monstrously large volume is unleased for only a couple of minutes, just to show what the attackers are capable of, then followed up with a ransom demand.” 

Other types of attack, including application-layer (Layer 7) attacks, are often low and slow because they want to avoid detection and discover what defences the target has in place and how long it takes to activate them, Turner says. 

“Ultimately, DDoS attacks present a rich mix of volume and duration, making it more difficult to defend against them as you are never entirely sure which types will be coming at your infrastructure.”