Google has blocked the biggest Layer 7 DDoS attack in history

Google has blocked one of the biggest DDoS attacks (Distributed Denial of Service, that is, Distributed Denial of Service) of history. This has been pointed out in a post on the Google Cloud blog, in which Emil Kilner, Cloud Armor Product Manager, and Satya Kondory, Cloud Technical Manager, specify that it is the major layer 7 DDoS attack Until now.

The attack peaked at 46 million requests per second, making it 76% more powerful than the record-breaking attack of this type. To give us an idea, the Google Cloud experts who sign the post point out that «It is comparable to receiving all the requests that Wikipedia receives in a day, one of the most trafficked websites in the world, in just 10 seconds«.

This attack peaked in about 10 minutes and began to taper off until it stopped. The entire DDoS attack lasted over an hour – 69 minutes in total. Google Cloud researchers speculate that the attackers stopped when they saw that their efforts were not yielding the results they expected,

As for the technical aspect of the attack, it appears that the botnet used in the attack was quite powerful. For the attack, 5,256 source IPs were used, from a total of 132 countries. The type of attack carried out used encrypted requests, of the HTTPS type, which means that it required additional computing resources, so it was probably quite an expensive operation to carry out.

Of the IPs used as sources, almost a quarter, 22%, corresponded to Tor exit end nodes: 1,169 in total. Of course, its volume of requests was only 3% of the total attack traffic. Experts point out that although they believe that «Tor’s involvement in the attack was coincidental, given the nature of the vulnerable services, even with a 3% peak, which involved more than 1.3 million requests per second, our analysis shows that Tor exit nodes Tor can send a significant number of unwanted traffic to web services and applications«. As for the countries that participated in the attack, the four that did the most were Brazil, India, Russia and Indonesia. In total, they generated 31% of the traffic involved in the attack.

Experts have not been able to specify who the attacker is, or the group of attackers, behind the attack. But according to your impressions, to realize it An attack from the M?ris family has been used. They believe it mainly because of the geographical distribution of the IPs, as well as the types of insecure services that they took advantage of in the attack.

Everything, in short, is identical to the attack patterns used by this family, which is responsible for huge-scale attacks that have regularly broken DDoS-type records. M?ris attacks use unsecured proxies to obfuscate the real origin of the attacks.

The attack stopped at the edge of Google’s network, blocking malicious requests coming in from the client application. Before the attack started, the customer had already configured Adaptive Protection in their security policy Cloud Armorso that the protection system could learn and establish a base model of normal traffic patterns for its service.

Because of this, the adaptive protection systema was able to detect the DDoS attack early in its lifecycle, analyze its incoming traffic, and generate a warning with a recommended protection rule. All before the attack escalated. The client acted on the alert by deploying the recommended, which took advantage of its recently launched rate-limiting feature to “throttle” attack traffic. It chose this option, rather than deny, to reduce the chance of impacting legitimate traffic by limiting attack capacity by turning off most of the attack volume at the edge of Google’s network.

Before deploying the rule in reinforcement mode, it was deployed in preview mode. In this way, the client was able to validate that only unwanted traffic was blocked, while legitimate users could still access the server. As the attack built to its peak, cloud Armor’s suggested rule was already in place, and it set about blocking the bulk of the attack and ensuring that the targeted applications and services remained available.

Photo: Christiaan Colen

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *