Google Cloud Blocks Largest HTTPS DDoS Attack Ever
Google Cloud claims to have blocked the largest Layer 7 (HTTPS) DDoS attack to date after a Cloud Armor customer was targeted by a series of attacks that peaked at 46 million requests per second (rps). Google said the attack, which occurred on June 1, was at least 76% larger than the previously reported HTTPS DDoS record and exhibited characteristics that link it to the Mēris family of attacks.
The tech giant said Cloud Armor Adaptive Protection was able to detect and analyze the traffic early in the attack lifecycle, blocking the attack while ensuring the customer’s service remained online. The attack comes amid growing DDoS activity against organizations, as attackers draw on ever more infrastructure and a wider variety of techniques in their campaigns.
HTTPS DDoS attack peaked at 46 million requests per second
In a blog post, Google wrote that around 9:45 a.m. PT on June 1, 2022, an attack of over 10,000 rps began targeting a customer’s HTTPS load balancer. “Eight minutes later, the attack increased to 100,000 requests per second,” the firm added. By evaluating the traffic, Cloud Armor generated an alert containing the signature of the attack together with a recommended rule to block that signature, Google said.
The customer’s network security team deployed the recommended rule in their security policy and began blocking attack traffic. “They chose the ‘throttle’ action over a ‘deny’ action to reduce the risk of impact to legitimate traffic while significantly limiting attack capacity by removing most of the attack volume at the edge of Google’s network,” Google wrote.
“Within two minutes, the attack began to ramp up from 100,000 rps to a peak of 46 million rps. Because Cloud Armor was already blocking attack traffic, the target workload continued to function as normal. The attack then began to decrease in size, finally ending 69 minutes later at 10:54 a.m. Presumably the attacker determined they were not having the desired impact while incurring significant expense to execute the attack,” Google said.
“The attack illustrates two trends: that the size of DDoS attacks continues to grow exponentially, and that attack methods continue to evolve, taking advantage of new types of vulnerable services from which to launch attacks,” Emil Kiner, senior product manager at Google Cloud, told CSO.
New attack eclipses previous HTTPS DDoS campaigns
The 46 million rps attack eclipses the previous largest HTTPS DDoS attack on record. In June 2022, Cloudflare detected and mitigated a 26 million rps attack from a small but powerful botnet of 5,067 devices. In 2021, the same company foiled a then-record DDoS attack that peaked at 17.2 million rps, before stopping a slightly smaller attack (15 million rps) in April 2022.
Notable features of the largest HTTPS DDoS attack, links to the Mēris botnet
Besides its sheer traffic volume, Google cited several other notable features of the attack. It identified 5,256 source IP addresses from 132 countries contributing to the attack, with the top four countries accounting for around 31% of the total traffic. Kiner told CSO that those countries were Brazil, India, Russia and Indonesia. Additionally, the attack used encrypted (HTTPS) requests, which would have required additional computing resources to generate, Google said.
“Although terminating encryption was necessary to inspect the traffic and effectively mitigate the attack, the use of HTTP pipelining required Google to perform relatively few TLS handshakes,” the company added. Google estimated that 22% (1,169) of the source IP addresses corresponded to Tor exit nodes, although the volume of requests from these nodes accounted for only 3% of attack traffic. “While we believe Tor’s participation in the attack was incidental due to the nature of the vulnerable services, even at 3% of the peak (greater than 1.3 million rps), our analysis shows that Tor exit nodes can send a significant amount of unwanted traffic to web apps and services,” Google wrote.
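The workflow described above, namely deriving a request signature from traffic, comparing how many source IPs are Tor exits with how much traffic they actually carry, and weighing a throttle action against a deny action, can be sketched in a few lines. The following is an added illustration written for this article, not Google’s or Cloud Armor’s code; the log lines and the Tor exit list are constructed samples.

```python
from collections import Counter

# Constructed sample access-log lines (not from the article): "epoch ip path user_agent"
SAMPLE_LOG = """\
1654098300 203.0.113.10 /shop curl/7.79
1654098300 198.51.100.7 /shop curl/7.79
1654098300 198.51.100.7 /shop curl/7.79
1654098300 192.0.2.44 /about Mozilla/5.0
1654098301 203.0.113.10 /shop curl/7.79
1654098301 203.0.113.11 /shop curl/7.79
1654098301 203.0.113.11 /shop curl/7.79
1654098301 203.0.113.11 /shop curl/7.79
1654098301 198.51.100.9 /shop curl/7.79
1654098301 192.0.2.44 /cart Mozilla/5.0
"""
# Constructed placeholder for a Tor exit-node list; a real deployment would load the published list.
TOR_EXITS = {"198.51.100.7", "198.51.100.9"}

def parse(log):
    """Turn raw log lines into records with timestamp, source IP, path and user agent."""
    recs = []
    for line in log.splitlines():
        ts, ip, path, ua = line.split(" ", 3)
        recs.append({"ts": int(ts), "ip": ip, "path": path, "ua": ua})
    return recs

def peak_rps(recs):
    """Highest number of requests seen in any one-second bucket."""
    return max(Counter(r["ts"] for r in recs).values())

def dominant_signature(recs):
    """The (path, user-agent) pair carrying the most requests, and its share of all traffic."""
    sig, n = Counter((r["path"], r["ua"]) for r in recs).most_common(1)[0]
    return sig, n / len(recs)

def tor_share(recs, exits):
    """(share of distinct source IPs that are Tor exits, share of requests sent by them).
    Mirrors the article's point that 22% of IPs carried only 3% of the traffic."""
    ips = {r["ip"] for r in recs}
    tor_reqs = sum(r["ip"] in exits for r in recs)
    return len(ips & exits) / len(ips), tor_reqs / len(recs)

def apply_rule(recs, sig, action, limit=1):
    """Simulate a rule on `sig`: 'deny' drops every match; 'throttle' lets each source IP
    send up to `limit` matching requests per second and drops the rest. Returns (allowed, blocked)."""
    allowed, seen = 0, Counter()
    for r in recs:
        if (r["path"], r["ua"]) != sig:
            allowed += 1            # non-matching traffic is never touched by the rule
            continue
        if action == "deny":
            continue
        seen[(r["ip"], r["ts"])] += 1
        if seen[(r["ip"], r["ts"])] <= limit:
            allowed += 1
    return allowed, len(recs) - allowed
```

On the sample, deny blocks all 8 matching requests while throttle blocks only the 3 that exceed one request per IP per second, which is the trade-off the customer made when preferring throttle.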
DDoS attacks on the rise, exhibit a rich mix of volume and duration
More broadly, DDoS activity is increasing, impacting organizations across all industries and geographies. Radware’s H1 2022 Global Threat Analysis Report found that in the first six months of 2022, the number of mitigated malicious DDoS events per customer increased by 203% compared to the first six months of 2021, and by 239% compared to the last six months of 2021.
“DDoS attack trends tend to be somewhat cyclical in format, although there is an underlying trend over time of increasing volume, whether in bits per second (bps), packets per second (pps) or requests per second (rps),” Rik Turner, senior principal analyst at Omdia, told CSO. This upward trend is partly explained by the ability of attackers to exploit ever more infrastructure – that is, more bots from which to launch attacks – and the availability of DDoS as a service, which offers infrastructure that can be rented to mount an attack for as long as the attacker wants, he adds.
“That said, volumetric attacks are just a variety of exploits, and while their overall size continues to grow with new record volumes being announced nearly every year, it’s not true that the percentage of DDoS attacks which are volumetric increases in a linear fashion,” Turner continues. In some years, the percentage of volumetric attacks decreases, although maximum volumes continue to increase, as attackers can try new variations of attack methodology, he says.
“It’s also worth keeping an eye on the average duration of a DDoS attack, as it often happens that a monstrously large volume is released for just a few minutes, just to show what the attackers are capable of, and then followed by a ransom note. Other types of attacks, including application layer (Layer 7) attacks, are often low and slow because they want to avoid detection and find out what defenses the target has in place and how long it takes to activate them,” says Turner. “Ultimately, DDoS attacks exhibit a rich mix of volume and duration, which makes it harder to defend against them because you never know exactly what types will arrive on your infrastructure.”
Copyright © 2022 IDG Communications, Inc.