Google blocked the largest-ever DDoS cyber attack on a customer

Google said it has blocked the largest-ever distributed denial-of-service (DDoS) cyber attack on a customer that peaked at 46 million requests per second (RPS).
Google did not reveal the name of its customer on the Cloud platform.

Google said this is the largest Layer 7 DDoS reported to date — 76 percent larger than the previously reported record. In June 2022, Cloudflare automatically detected and mitigated a 26 million requests per second DDoS attack — the largest HTTPS DDoS attack on record.

“To give a sense of the scale of the attack, that is like receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds,” Satya Konduru, Technical Lead, Google Cloud, said in a blog post.

DDoS cyber-attacks are increasing in frequency and growing in size exponentially.

Cloud Armor Adaptive Protection was able to detect and analyze the traffic early in the attack lifecycle. Cloud Armor alerted the customer with a recommended protective rule, which was then deployed before the attack ramped up to its full magnitude. Cloud Armor blocked the attack, ensuring the customer’s service stayed online and continued serving its end users.

“Our customer’s network security team deployed the Google Cloud Armor-recommended rule into their security policy, and it immediately started blocking the attack traffic,” said Emil Kiner, senior product manager, Cloud Armor.

In the two minutes that followed, the attack began to ramp up, growing from 100,000 RPS to a peak of 46 million RPS.

Since Cloud Armor was already blocking the attack traffic, the target workload continued to operate normally.

“Over the next few minutes, the attack started to decrease in size, ending 69 minutes later. The attacker determined they were not having the desired impact while incurring significant expenses to execute the attack,” said the company.

The geographic distribution and the types of unsecured services leveraged to generate the attack match the Meris family of attacks.

Known for its massive attacks that have broken DDoS records, the Meris method abuses unsecured proxies to obfuscate the true origin of the attacks, said Google.

The attack was stopped at the edge of Google’s network, with the malicious requests blocked upstream from the customer’s application.

Attack sizes will continue to grow and tactics will continue to evolve.

Google recommended using a defense-in-depth strategy by deploying defenses and controls at multiple layers of your environment and your infrastructure providers’ network to protect your web applications and services from targeted web attacks.

There were 5,256 source IPs from 132 countries contributing to the attack. The cyber attack leveraged encrypted requests (HTTPS), which would have taken added computing resources to generate.