- A Google Cloud Armor customer was targeted with a series of HTTPS DDoS attacks which peaked at 46 million requests per second.
- There were 5,256 source IPs from 132 countries contributing to the attack. Approximately 22% of the source IPs corresponded to Tor exit nodes.
- This is the largest Layer 7 DDoS reported to date, at least 76% larger than the previously reported record.
Google announced that on the 1st of June, a Google Cloud Armor customer was targeted by a DDoS attack. It was the largest Layer 7 DDoS attack reported to date, at least 76% larger than the previous record. The HTTPS DDoS attacks peaked at 46 million requests per second, which is equivalent to receiving all the daily requests sent to Wikipedia within 10 seconds.
46 million requests per second
Cloud Armor Adaptive Protection detected and analyzed the traffic early in the attack lifecycle, and the customer was alerted and advised to deploy the recommended protective rules. After the deployment, the attack ramped up to its full magnitude. Cloud Armor blocked the attack, and the customer’s service stayed online and continued serving.
At 9:45 a.m. PT on June 1, the attack started with 10,000 requests per second targeting the customer’s HTTP(S) Load Balancer. Within eight minutes, the attack increased to 100,000 requests per second. Cloud Armor Adaptive Protection assessed the traffic across several features and attributes, detected the attack, and generated an alert containing the attack signature. The alert also included a recommended rule to deploy to block the malicious signature.
Google also shared other notable characteristics of the attacks. There were 5,256 source IPs from 132 countries contributing to the attack. The attack leveraged encrypted requests, which are harder for attackers to generate. Approximately 22% of the source IPs corresponded to Tor exit nodes. Google said:
“Attack sizes will continue to grow and tactics will continue to evolve. To be prepared, Google recommends using a defense-in-depth strategy by deploying defenses and controls at multiple layers of your environment and your infrastructure providers’ network to protect your web applications and services from targeted web attacks. This strategy includes performing threat modeling to understand your applications’ attack surfaces, developing proactive and reactive strategies to protect them, and architecting your applications with sufficient capacity to manage unanticipated increases in traffic volume.”