Google: Here's how we blocked the largest web DDoS attack ever

Google Cloud says it protected one customer from a Mēris botnet attack that peaked at 46 million requests per second.
Written by Liam Tung, Contributing Writer

Google Cloud has revealed it blocked the largest distributed denial-of-service (DDoS) attack on record, which peaked at 46 million requests per second (rps). 

The June 1 attack targeted one Google Cloud customer using the Google Cloud Armor DDoS protection service. 

Over the course of 69 minutes beginning at 9:45 am PT, the attackers bombarded the customer's HTTP/S Load Balancer with HTTPS requests, starting at 10,000 rps and within minutes scaling up to 100,000 rps before peaking at a whopping 46 million rps. 

Google says it is the largest ever attack at Layer 7, referring to the application layer — the top layer — in the OSI model of the Internet. 

The attack on Google's customer was almost twice the size of an HTTPS DDoS attack on a Cloudflare customer in June that peaked at 26 million rps. That attack also relied on a relatively small botnet consisting of 5,067 devices spread over 127 countries.

The attack on Google's customer was also conducted over HTTPS but used "HTTP Pipelining", a technique to scale up rps. Google says the attack came from 5,256 source IP addresses across 132 countries.   

"The attack leveraged encrypted requests (HTTPS) which would have taken added computing resources to generate," Google said.

"Although terminating the encryption was necessary to inspect the traffic and effectively mitigate the attack, the use of HTTP Pipelining required Google to complete relatively few TLS handshakes."


Google says the geographic distribution and types of unsecured services used to generate the attack match the Mēris family of botnets. Mēris is an IoT botnet that emerged in 2021 and consisted mostly of compromised MikroTik routers.

Researchers at Qrator who previously analyzed Mēris' use of HTTP Pipelining explained that the technique involves sending trash HTTP requests in batches to a targeted server, forcing it to respond to those request batches. Pipelining scales up rps, but as mentioned by Google, the technique required it to complete relatively few TLS handshakes.
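From the receiving side, pipelining shows up as several complete requests queued in one connection's buffer after a single TLS handshake. The sketch below is an added example, not code from Google, Qrator or the article: it splits such a buffer into requests and applies a depth cap, where the function names, the sample bytes and the MAX_PIPELINE_DEPTH value are assumptions.

```python
"""Count HTTP/1.1 requests pipelined into one receive buffer (after TLS termination)."""

MAX_PIPELINE_DEPTH = 4  # assumed policy value, not taken from the article


def split_pipelined(buf: bytes):
    """Return (request_lines, leftover) for requests queued back to back.

    Each request is a header block ending in CRLF CRLF, optionally followed
    by Content-Length bytes of body. An incomplete tail is returned as leftover.
    """
    requests, pos = [], 0
    while pos < len(buf):
        end = buf.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # header block not complete yet
        head = buf[pos:end].split(b"\r\n")
        body_len = 0
        for line in head[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                body_len = int(value.strip())  # ValueError on a malformed value
        if body_len < 0:
            raise ValueError("negative Content-Length")
        nxt = end + 4 + body_len
        if nxt > len(buf):
            break  # body not fully received
        requests.append(head[0].decode("latin-1"))
        pos = nxt
    return requests, buf[pos:]


def verdict(buf: bytes, max_depth: int = MAX_PIPELINE_DEPTH) -> str:
    """Return 'close' when more requests are queued than the policy allows."""
    requests, _ = split_pipelined(buf)
    return "close" if len(requests) > max_depth else "serve"


# Constructed sample: three complete requests and one partial request
# sitting in the buffer of a single connection.
SAMPLE = (
    b"GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"POST /b HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n\r\nxyz"
    b"GET /c HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"GET /d HTTP/1.1\r\nHo"  # incomplete tail, kept as leftover
)

if __name__ == "__main__":
    reqs, rest = split_pipelined(SAMPLE)
    print(len(reqs), reqs, rest, verdict(SAMPLE, max_depth=2))
```

Requests counted per connection, rather than connections per source IP, is the figure that exposes pipelined floods, since each source needs only one handshake.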

Cloudflare attributed the 26 million rps attack to what it called the Mantis botnet, which it considered an evolution of Mēris. Mantis was powered by hijacked virtual machines and servers hosted by cloud companies rather than low-bandwidth IoT devices, according to Cloudflare.


Google noted that this Mēris-related botnet abused unsecured proxies to obfuscate the true origin of the attacks.     

It also noted that around 22%, or 1,169, of the source IPs corresponded to Tor exit nodes, but the request volume coming from those nodes amounted to just 3% of the attack traffic. 

"While we believe Tor participation in the attack was incidental due to the nature of the vulnerable services, even at 3% of the peak (greater than 1.3 million rps) our analysis shows that Tor exit nodes can send a significant amount of unwelcome traffic to web applications and services."
