Google Cloud Stops Monster DDoS Attack

Distributed Denial of Service (DDoS) attacks don’t need to be big to wreak havoc on a target, but it doesn’t hurt. In the latest biggest of all times attacks, Google fended off an HTTPS DDoS attack, which peaked at 46 million requests per second (RPS). That made it the largest Layer 7, the application layer, DDoS reported to date. It was 76% larger than the previously reported record.
So how big is that? Imagine a day’s worth of requests to Wikipedia hammering down in just 10 seconds.
Yeah, that’s a lot.
Welcome to the 2022 internet. A few weeks earlier, Cloudflare had beat off a then record 26 million RPS DDoS attack. Before that, Cloudflare, in August 2021, handled a 17.2M RPS HTTP DDoS attack. Gigantic DDoS attacks are happening ever more often. These put the top DDoS attacks of the past to shame.
Google Cloud Armor to the Rescue
What happened in the most recent attack is that a Google Cloud Armor customer got hit. It started, innocently enough, at 9:45 a.m. Pacific Time on June 1, 2022, with an attack of over 10,000 RPS on the customer’s HTTP/S Load Balancer. That’s annoying, but not worrisome.
But, not even ten minutes later, when it grew to 100,000 RPS, there could be no mistaking that the company was under attack. Google’s Cloud Armor Adaptive Protection detected the assault and generated an alert containing the attack signature. This signature was based on traffic across several dozen features and attributes. This was helped in no measure by the customer already using Adaptive Protection in their Cloud Armor security policy. This enabled Cloud Armor to have established a baseline normal traffic model.
Subsequently, the alert popped up on the user’s security dashboard with a recommended rule to block traffic with the malicious signature. Not being foolish, they did exactly that. They could have simply blocked traffic, but that would have slowed down their real traffic to a crawl.
After that, the attack ramped up to millions of RPS, to eventually hit a peak of 46 million RPS. But almost none of the malicious traffic got to the customer’s servers. Instead, since Cloud Armor was already blocking the attack traffic at the Google network’s edge, the servers continued to work as normal. No one except the attacker and the security experts even knew the assault was happening.
Over the next few minutes, the attack decreased. It finally ended 69 minutes later at 10:54 a.m. Presumably, the attacker figured out it hadn’t worked.
The Moral of the Story
Now, the moral of the story, according to Google, is that “with Google Cloud Armor, you are able to protect your internet-facing applications at the edge of Google’s network and absorb unwelcome traffic far upstream from your applications.” They’re not wrong. And, if you run web services off the Google Cloud, I recommend you use Google Cloud Armor.
The bigger moral, though, is that no matter whether you run a simple web server on your own bare metal or complex web services for a Fortune 500 company, you need DDoS protection. DDoS attacks are getting both bigger and easier for any jerk to attempt. I recommend, in no particular order, Akamai, Radware, and Cloudflare. And, like Google, the other hypercloud services offer DDoS protection.
Whatever you choose, get something. You’ll be glad you did.