Big Tech firms reveal record-breaking DDoS attacks

11 Oct 2023

Image: © ArtemisDiana/Stock.adobe.com

Google said it mitigated a DDoS attack that generated 398m requests per second, while last year’s record was only 46m requests.

Multiple Big Tech companies have shared details about a zero-day vulnerability that is being exploited in massive distributed denial-of-service (DDoS) attacks.

Google, Cloudflare and Amazon all shared details about this vulnerability, along with details about the size of the DDoS attacks they claim to have mitigated in recent months.

This flaw has been dubbed the ‘HTTP/2 Rapid Reset’ attack by these companies, as it exploits a weakness in the HTTP/2 protocol to generate enormous DDoS attacks.

“This zero-day provided threat actors with a critical new tool in their Swiss army knife of vulnerabilities to exploit and attack their victims at a magnitude that has never been seen before,” Cloudflare said in a blogpost.

“While at times complex and challenging to combat, these attacks allowed Cloudflare the opportunity to develop purpose-built technology to mitigate the effects of the zero-day vulnerability.”

A DDoS attack is an attempt to make an online service unavailable by overwhelming it with high volumes of data from multiple sources. Typically, multiple compromised computer systems are used as sources of attack traffic.

Massive attacks

The reports by these companies suggest DDoS attacks have surged dramatically in size thanks to this HTTP/2 weakness. Amazon said it detected one attack in August that peaked at more than 155m requests per second (RPS).

Cloudflare said the biggest attack it observed this year came in at 201m RPS, which was three times larger than a previous record-breaking attack of 71m RPS in February.

“Since the end of August 2023, Cloudflare has mitigated more than 1,100 other attacks with more than 10 million RPS – and 184 attacks that were greater than our previous DDoS record of 71 million RPS,” Cloudflare said.

Google claimed to mitigate the biggest DDoS attack, which reached a peak of 398m RPS.

“For a sense of scale, this two-minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September 2023,” Google Cloud said in a blogpost.

These attacks are far larger than a record-breaking attack observed by Cloudflare in June 2022, which clocked in at only 26m RPS – a figure that seemed substantial at the time. Google said last year’s largest-recorded DDoS attack peaked at 46m RPS.

“The most recent wave of attacks started in late August and continue to this day, targeting major infrastructure providers including Google services, Google Cloud infrastructure and our customers,” Google Cloud said.

While the scale of these attacks are growing, there is also evidence that the number of DDoS attacks are on the rise. A recent report by Netscout claims there were 7.9m DDoS attacks in the first half of the year, with the rise linked to geopolitical issues.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com