Google says it has blocked the largest ever HTTPS-based distributed-denial-of-service (DDoS) attack in June, which peaked at 46 million requests per second.
To put things in perspective, this is about 76 percent larger than the previous record DDoS attack that Cloudflare thwarted earlier that same month.
These types of security events flood target organizations’ networks with junk traffic, which makes it impossible for them to conduct legitimate business online.
Not only is this the third such record-breaking DDoS flood in the past few months – this includes two earlier HTTPS-based attacks blocked by Cloudflare in April and June – but it comes as Google and other security researchers warn that network-flooding events are getting worse, growing in size and frequency.
Google provided a timeline for what happened on June 1.
The attack began around 09:45 PT (16:45 UTC), with more than 10,000 requests per second (rps) targeting one of its customers’ HTTP(S) Load Balancers. Just eight minutes later, the attack grew to 100,000 rps. Two minutes after that, it hit its peak of 46 million rps.
By then, Google says its Cloud Armor Adaptive Protection service had already detected the attack, generated an alert, and recommended a rule to block the malicious signature, which the customer had deployed into its security policy.
After that, the attack started to dwindle, ending at 10:54 PT (17:54 UTC), according to Google's Emil Kiner and Satya Konduru, who wrote up the incident. “Presumably the attacker likely determined they were not having the desired impact while incurring significant expenses to execute the attack.”
In the description of the incident, the Googlers point out some of the attack’s “noteworthy characteristics” – in addition to its high traffic volume, of course. There’s also a link between it and the earlier Cloudflare-thwarted DDoS flood, which the internet infrastructure biz said looks to be the next phase of Meris attacks.
“The geographic distribution and types of unsecured services leveraged to generate the attack matches the Meris family of attacks,” Kiner and Konduru said.
Like the earlier DDoS attack, the Google-blocked event was widely distributed: 5,256 source IPs in 132 countries contributed to it.
Also, like the earlier record-breaking attack, the June 1 event used HTTPS requests, as opposed to HTTP. HTTPS-based floods are more expensive than their HTTP counterparts, for attacker and target alike, because each request first has to establish a TLS session, and that handshake costs far more compute than serving a plaintext request.
About 22 percent (1,169) of the source IPs corresponded to Tor exit nodes. However, the request volume from those represented only 3 percent of the traffic, according to the Google security researchers.
“While we believe Tor participation in the attack was incidental due to the nature of the vulnerable services, even at 3 percent of the peak (greater than 1.3 million rps) our analysis shows that Tor exit-nodes can send a significant amount of unwelcome traffic to web applications and services,” they noted.
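The figures above (peak requests per second, onset time, distinct source IPs, and the share of sources and traffic attributable to Tor exit nodes) are the first things a responder pulls out of load-balancer request logs. The script below is an added example of that triage, not Google's or Cloud Armor's code. Everything in it is constructed: the log records are a hypothetical simplification carrying only a timestamp and a client IP (not the real GCP load-balancer log schema), the addresses are documentation ranges, and `TOR_EXITS` is a made-up stand-in for the exit-node list the Tor project publishes. The constructed flood is shaped like the one in the write-up: many low-volume "Tor" sources that make up a large share of the IPs but a small share of the requests.

```python
"""Added example, not Google's or Cloud Armor's code: first-pass triage of an
HTTP(S) flood from load-balancer request logs. Produces the kind of figures
the write-up reports: peak rps, onset second, distinct source IPs, and what
share of sources and traffic a given address list (here, 'Tor exits') sends.
All log data, IPs and the Tor list below are constructed for the example.
"""
import json
from collections import Counter

BASE_TS = 1654098300  # 2022-06-01 16:45:00 UTC, chosen to match the write-up (constructed)

# Constructed stand-in for a Tor exit-node list (real triage would load the
# list the Tor project publishes).
TOR_EXITS = frozenset(f"198.51.100.{i}" for i in range(1, 15))  # 14 addresses

def make_sample_log():
    """Constructed log covering a 10-second window. Seconds 0-3 carry 20 rps of
    legitimate traffic from five clients; from second 4 on, 50 bot IPs add
    10 rps each and the 14 'Tor exits' add 1 rps each (534 rps at peak).
    Record shape is a hypothetical simplification: {"ts": float, "remote_ip": str}."""
    lines = []
    bots = [f"192.0.2.{i}" for i in range(1, 51)]
    for sec in range(10):
        ts = BASE_TS + sec
        for k in range(20):                                # baseline, 4 rps per client
            lines.append(json.dumps({"ts": ts + k / 20, "remote_ip": f"203.0.113.{k % 5 + 1}"}))
        if sec >= 4:                                       # flood begins
            for ip in bots:
                for k in range(10):
                    lines.append(json.dumps({"ts": ts + k / 10, "remote_ip": ip}))
            for ip in sorted(TOR_EXITS):
                lines.append(json.dumps({"ts": ts + 0.5, "remote_ip": ip}))
    return lines

def parse(lines):
    """One {'sec', 'ip'} dict per log line; malformed lines are skipped so a
    single bad record does not abort triage."""
    out = []
    for line in lines:
        try:
            rec = json.loads(line)
            out.append({"sec": int(rec["ts"]), "ip": rec["remote_ip"]})
        except (ValueError, KeyError, TypeError):
            continue
    return out

def rps_timeline(entries):
    """Requests per whole second, ordered by time."""
    return dict(sorted(Counter(e["sec"] for e in entries).items()))

def peak_rps(entries):
    return max(rps_timeline(entries).values())

def flood_onset(entries, baseline_window=3, factor=5):
    """First second whose request count exceeds `factor` times the mean of the
    preceding `baseline_window` seconds; None if the rate never jumps."""
    tl = rps_timeline(entries)
    secs = list(tl)
    for i in range(baseline_window, len(secs)):
        baseline = sum(tl[s] for s in secs[i - baseline_window:i]) / baseline_window
        if tl[secs[i]] > factor * baseline:
            return secs[i]
    return None

def source_breakdown(entries, start, suspect_ips=TOR_EXITS):
    """Counts from `start` onward: distinct sources, total requests, and how
    many of each come from `suspect_ips`. This is the 'many IPs, little
    traffic' check the write-up applies to Tor exit nodes; `top_sources`
    is the list a rate-based block rule would be built from."""
    window = [e for e in entries if e["sec"] >= start]
    per_ip = Counter(e["ip"] for e in window)
    suspect = {ip: n for ip, n in per_ip.items() if ip in suspect_ips}
    return {
        "distinct_ips": len(per_ip),
        "total_requests": sum(per_ip.values()),
        "suspect_ips": len(suspect),
        "suspect_requests": sum(suspect.values()),
        "top_sources": per_ip.most_common(10),
    }

def triage(lines):
    """Full report for a log: peak rps, onset second, and the source breakdown
    over the attack window (breakdown omitted if no flood is detected)."""
    entries = parse(lines)
    onset = flood_onset(entries)
    report = {"peak_rps": peak_rps(entries), "onset": onset}
    if onset is not None:
        report.update(source_breakdown(entries, onset))
    return report

if __name__ == "__main__":
    r = triage(make_sample_log())
    print(f"peak {r['peak_rps']} rps, onset at {r['onset']}; "
          f"{r['suspect_ips']}/{r['distinct_ips']} sources on the suspect list "
          f"sent {r['suspect_requests']}/{r['total_requests']} requests")
```

On the constructed data the suspect list accounts for 14 of 69 sources (about 20 percent) but only 84 of 3,204 requests (about 2.6 percent), the same shape as the 22 percent / 3 percent split Google reported. The onset detector is deliberately crude (a fixed multiple of a short trailing baseline); against real logs you would compute the baseline per backend service and over a longer window, since a legitimate traffic spike from a marketing event can also clear a 5x threshold.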
DDoS attacks flood 2022
The attack also comes amid a massive spike in DDoS volume since the beginning of the year.
In a threat analysis report [PDF] published earlier this week, Radware documented a 203 percent increase in the number of these traffic events mitigated per customer during the first six months of 2022, compared to the first six months of last year, and a 239 percent jump compared to the last six months of 2021.
The security firm also said it mitigated 60 percent more DDoS attacks in the first six months of this year compared to the entire 12 months of 2021. Plus the average volume blocked per customer per month in 2022 (between January and June) reached 3.39TB, a 47 percent increase compared to 2021.
In April, Kaspersky released a report saying that DDoS attacks hit an all-time high in the first quarter of this year, jumping 46 percent quarter-over-quarter, with the number of targeted attacks increasing 81 percent.
Both Kaspersky and Radware note that Russia’s invasion of Ukraine, and the cyberattacks that ensued, played a major role in the overall DDoS spike this year. ®