Google blocked the biggest DDoS attack ever on the web


Google Cloud has revealed that it blocked the largest distributed denial of service (DDoS) attack on record, which peaked at 46 million requests per second (RPS).

The attack on June 1 targeted a Google Cloud customer using the Google Cloud Armor DDoS protection service.

For 69 minutes, the attackers bombarded the client’s HTTP/S load balancer with HTTPS requests, starting at 10,000 RPS and increasing within minutes to 100,000 RPS before reaching an impressive peak of 46 million RPS.

5,256 source IP addresses distributed in 132 countries

Google says it’s the biggest Layer 7 attack ever, referring to the application layer – the top layer – of the OSI model.

The attack on Google’s client was almost twice as large as an HTTPS DDoS attack on a Cloudflare client in June that hit 26 million RPS. This attack also relied on a relatively small botnet consisting of 5,067 devices spread across 127 countries.

The attack against Google’s client was also carried out via HTTPS, but used “HTTP Pipelining”, a technique to increase the transmission speed. According to Google, the attack came from 5,256 source IP addresses spread across 132 countries.

“The attack leveraged encrypted (HTTPS) requests that would have required additional computing resources to generate,” Google said.

“While breaking the encryption was necessary to inspect the traffic and effectively mitigate the attack, the use of HTTP Pipelining required Google to perform relatively few TLS handshakes.”

The culprit Mēris

According to Google, the geographic distribution and types of insecure services used to generate the attack match the Mēris family of botnets. Mēris is a botnet that appeared in 2021 that consisted mostly of compromised MikroTik routers.

Qrator researchers, who previously analyzed Mēris’ use of HTTP Pipelining, explained that this technique involves sending trash HTTP requests in batches to a targeted server, forcing it to respond to those batches of requests. Pipelining increases processing speed.

Cloudflare attributed the 26 million RPS attack to what it called the Mantis botnet, which it sees as an evolution of Mēris. Mantis was powered by hijacked virtual machines and servers hosted by cloud companies rather than low-bandwidth IoT devices, according to Cloudflare.

Google noted that this Mēris-related botnet abused insecure proxies to obscure the true origin of the attacks. Google also noted that about 22%, or 1,169, of the source IPs matched Tor exit nodes, but the volume of requests from those nodes accounted for only 3% of the attack traffic.

“While we believe Tor’s involvement in the attack was coincidental due to the nature of the vulnerable services, even at 3% of peak (over 1.3 million RPS), our analysis shows that Tor exit nodes can send a significant amount of unwanted traffic to web applications and services.”
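The distinction Google draws above, between the share of source IPs that belong to a category and the share of request volume they actually produce, is something a defender can reproduce from ordinary access logs. The following is an added example, not code from the article or from Google: it parses Common Log Format lines, computes per-IP and per-second request counts, and reports both shares for a set of flagged addresses. The log lines and the flagged-IP set are constructed stand-ins (in practice the set would be loaded from the published Tor exit-node list); `parse_log` and `analyze` are names chosen here.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2022:09:45:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.10 - - [01/Jun/2022:09:45:00 +0000] "GET /a HTTP/1.1" 200 512
203.0.113.10 - - [01/Jun/2022:09:45:00 +0000] "GET /b HTTP/1.1" 200 512
203.0.113.10 - - [01/Jun/2022:09:45:00 +0000] "GET /c HTTP/1.1" 200 512
203.0.113.10 - - [01/Jun/2022:09:45:00 +0000] "GET /d HTTP/1.1" 200 512
203.0.113.10 - - [01/Jun/2022:09:45:00 +0000] "GET /e HTTP/1.1" 200 512
203.0.113.11 - - [01/Jun/2022:09:45:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.11 - - [01/Jun/2022:09:45:00 +0000] "GET /a HTTP/1.1" 200 512
203.0.113.11 - - [01/Jun/2022:09:45:00 +0000] "GET /b HTTP/1.1" 200 512
203.0.113.11 - - [01/Jun/2022:09:45:00 +0000] "GET /c HTTP/1.1" 200 512
203.0.113.12 - - [01/Jun/2022:09:45:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.12 - - [01/Jun/2022:09:45:01 +0000] "GET /a HTTP/1.1" 200 512
198.51.100.5 - - [01/Jun/2022:09:45:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.6 - - [01/Jun/2022:09:45:02 +0000] "GET / HTTP/1.1" 200 512
"""

# Constructed stand-in for a Tor exit-node address list (assumption: a real
# deployment would load the published exit list instead of this literal).
FLAGGED_IPS = {"198.51.100.5", "198.51.100.6"}

# Client IP is the first field; the timestamp sits in the first [...] group.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] ')


def parse_log(text):
    """Yield (client_ip, unix_second) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), int(ts.timestamp())


def analyze(text, flagged_ips):
    """Return IP-share vs request-share for flagged_ips, plus the peak RPS window."""
    per_ip = Counter()
    per_second = Counter()
    for ip, sec in parse_log(text):
        per_ip[ip] += 1
        per_second[sec] += 1
    total = sum(per_ip.values())
    flagged_seen = {ip for ip in per_ip if ip in flagged_ips}
    flagged_reqs = sum(per_ip[ip] for ip in flagged_seen)
    if per_second:
        peak_sec, peak_rps = max(per_second.items(), key=lambda kv: kv[1])
    else:
        peak_sec, peak_rps = None, 0
    return {
        "total_requests": total,
        "distinct_ips": len(per_ip),
        "flagged_ip_share": len(flagged_seen) / len(per_ip) if per_ip else 0.0,
        "flagged_request_share": flagged_reqs / total if total else 0.0,
        "peak_rps": peak_rps,
        "peak_second": peak_sec,
    }


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG, FLAGGED_IPS)
    print(f"{r['distinct_ips']} source IPs, {r['total_requests']} requests, "
          f"peak {r['peak_rps']} RPS")
    print(f"flagged: {r['flagged_ip_share']:.0%} of IPs but "
          f"{r['flagged_request_share']:.0%} of requests")
```

On the constructed sample the flagged addresses are 40% of the source IPs but only about 14% of the requests, the same shape as the 22% versus 3% figures Google reports; counting IPs alone would overstate how much of the attack a category such as Tor exit nodes actually contributed, so mitigation decisions should be weighed by request volume.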

Source: ZDNet.com
