Google Cloud blocks record 46 million requests per second DDoS attack, more than 76% stronger than attacks previously blocked by Cloudflare



Over the past few years, the number of distributed denial of service (DDoS) attacks, which make services unavailable by sending numerous requests from a large number of devices to servers and networks, has increased exponentially. On August 19, 2022, Google revealed that its protection service, Cloud Armor, blocked a DDoS attack on June 1 that peaked at 46 million requests per second.

How Google Cloud blocked largest Layer 7 DDoS attack yet, 46 million rps | Google Cloud Blog
https://cloud.google.com/blog/products/identity-security/how-google-cloud-blocked-largest-layer-7-ddos-attack-at-46-million-rps

Google reported that starting around 9:45 p.m. PST on June 1, 2022, a DDoS attack of over 10,000 requests per second was launched against a customer's HTTP/S load balancer. Eight minutes after the attack started, it surged to 100,000 requests per second. Google's Cloud Armor detected this early in the attack cycle, evaluated the traffic, created rules to identify attack patterns, and immediately started blocking traffic.

After that, the attack continued, reaching 46 million requests per second at its peak. An attack of this scale is like receiving, in just 10 seconds, all of the requests made in a day to Wikipedia, which ranks among the top 10 sites by traffic, and it appears to have been the largest DDoS attack of this kind in history. Recent large-scale DDoS attacks include the one of 26 million requests per second reported by Cloudflare in June 2022, but this attack was at least 76% larger.

In this attack, countermeasures were in place before the peak was reached, so the servers were not affected and processing continued as usual. “Perhaps the attacker decided that it would cost a lot to carry out the attack, but that it would not have the desired effect,” Google said.



Google pointed out that, in addition to the unexpectedly high volume of traffic, the DDoS attack detected on June 1 had other notable features. The attack involved 5256 source IPs from 132 countries, with the top four countries accounting for approximately 31% of the total attack traffic. Furthermore, approximately 22% (1169) of the source IPs corresponded to Tor exit nodes, but only 3% of the attack traffic came from these nodes. Even so, 3% of the peak would be equivalent to 1.3 million requests per second, so “Tor exit nodes may send a considerable amount of unfavorable traffic to web applications and services,” Google said.

“The scale of attacks will continue to grow and tactics will continue to evolve,” Google said. “We recommend deploying defenses and controls at the layer and adopting a defense-in-depth strategy: Cloud Armor protects internet-facing applications within Google's network and removes unnecessary security far upstream of the application. It will be possible to absorb traffic.”



in Web Service,   Security, Posted by log1p_kr