Google Cloud reports the largest DDoS attack on record
Picture: Google.
DDoS attacks (distributed denial of service attacks) are probably the least sophisticated cyber attacks, but they can still do great damage. Today, Google and other major cloud companies have spotted and reported the largest DDoS attack on record.
Last August, Google Cloud was hit by the largest DDoS attack in history. The digital onslaught had then reached the unprecedented figure of 398 million requests per second (RPS). To understand the magnitude of this figure, Google explains that it means that Google Cloud received more requests per second than Wikipedia during the entire month of September 2023.
In other words, it’s huge. The attack on Google Cloud, which used a new technique – the so–called “quick reset” – was 7.5 times larger than all previously recorded DDoS attacks. In 2022, the “largest DDoS attack ever recorded” had reached “only” 46 million RPS.
A coordinated response
Google is not the only one who has been affected. Cloudflare, one of the leading Content Delivery Network (CDN), and Amazon Web Services (AWS), the largest cloud service provider in the world, also said they had been victims of an attack. Cloudflare repelled an attack of 201 million RPS, while AWS withstood an attack of 155 million RPS.
These DDoS attacks, which target the main infrastructure providers, began at the end of August and “continue to this day,” according to Google. Despite the scale and intensity of these attacks, the global load balancing and DDoS mitigation infrastructure of large technology companies has made it possible to effectively counter the threat and ensure uninterrupted service to their customers.
In the wake of these attacks, companies coordinated a cross-sectoral response, sharing their information and mitigation strategies with other cloud providers and software maintainers. This collaborative effort has resulted in the development of fixes and mitigation techniques that most major infrastructure providers have already adopted.
Rapid Reset
The so-called “Rapid Reset” technique exploits the stream multiplexing function of the HTTP/2 protocol, which constitutes the last step in the evolution of Layer 7 attacks. This attack works by pushing multiple logical connections to be multiplexed on a single HTTP session.
This is an “upgrade” of the HTTP 1 functionality.x, in which each HTTP session was logically distinct. So, as the name suggests, an HTTP/2 fast reset attack consists of multiple HTTP/2 connections with requests and resets one after the other. If you have implemented the HTTP/2 protocol for your website or internet services, you are a potential target.
In practice, the fast reset attack consists of transmitting a series of requests for several streams, followed immediately by a reset for each request. The targeted system will analyze and act on each request, generating logs for a request that is then reset or canceled. Thus, the targeted system wastes time and money generating these logs, even if no network data is sent back to the attacker. A malicious actor can abuse this process by issuing a massive volume of HTTP/2 requests, thus overwhelming the targeted system.
This is actually an accelerated version of a very old type of attack: the DDoS attack by flooding HTTP requests. To defend against this type of attack, it is necessary to implement an architecture that helps to specifically detect unwanted requests and adapt to absorb and block these malicious HTTP requests.
The vulnerability exploited by the attackers has been identified as CVE-2023-44487.
How to protect yourself from it?
Organizations and individuals who use HTTP-based workloads on the internet are advised to check the security of their servers and apply the vendor’s patches for CVE-2023-44487 in order to mitigate similar attacks. The fixes are being routed. But until they are installed on a large scale, other Rapid Reset type attacks should take place.
Most companies do not have the necessary resources to deal with such attacks. To be able to repel them, we would need extensive and powerful DDoS defense services, such as Amazon CloudFront, AWS Shield, Google Cloud Armor or CloudFlare Magic Transit.
This attack will eventually be fixed, but in the meantime, similar attacks will occur, probably very soon. Remember, “security is not a product, it is a process”.
Source: ZDNet.com