Google says it has blocked another huge DDoS attack

Google claims to have stopped on of the largest Distributed Denial of Service (DDoS) attacks ever seen.

In a blog post, the company’s Senior Product Manager for Cloud Armor, Emil Kiner, and Technical Lead Satya Konduru, said its tool stopped a Layer 7 HTTPS DDoS attack that peaked at 46 million requests per second (rps), making it 76% larger compared to the previous record-holder. 

“To give a sense of the scale of the attack, that is like receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds,” the blog explained.

Tor exit nodes used

The attack reached its peak some ten minutes in but lasted more than an hour (69 minutes). The researchers speculate that the attackers stopped when they saw that their efforts weren’t producing the desired outcome. 

From the technical side of things, it seems the botnet used in the attack was relatively powerful. All in all, 5,256 source IPs were used, originating from 132 countries. 

The attack used encrypted requests (HTTPS), meaning it took extra computing resources to generate – it was quite an expensive endeavor. Almost a quarter (22%) of all source IPs (1,169) corresponded to Tor exit node endpoints, although their request volume represented just 3% of all attack traffic. 

“While we believe Tor participation in the attack was incidental due to the nature of the vulnerable services, even at 3% of the peak (greater than 1.3 million rps) our analysis shows that Tor exit-nodes can send a significant amount of unwelcome traffic to web applications and services,” they added.

The top four countries contributed almost a third (31%) of the total attack traffic. 

Google’s experts could not definitely confirm the threat actor behind the attack, but are under the impression that this was the work of Mēris, given that the geographic distribution and the types of unsecured services leveraged in the attack match its patterns.