Google claims it blocked the largest HTTPS-based DDoS attack in June

Google mitigated a massive distributed denial of service (DDoS) attack involving Hypertext transfer protocol secure (HTTPS) requests on one of its customers in the first week of June, the Alphabet company said in a blog post.  

The number of HTTPS requests during the attack reached a record high of 46 million requests per second, making it the largest Layer 7 DDoS attack to date, according to Google. The attack was 76% larger than the DDoS attack that was blocked by Cloudflare during the same month. In that attack, Cloudflare saw 26 million requests per second.  

According to Google, this is equivalent to all the daily requests on Wikipedia in just 10 seconds. 

A DDoS attack occurs when hackers disrupt the normal traffic of a web server by overwhelming it with large volumes of Internet traffic. In HTTPS-based DDoS attacks, hackers use HTTP requests to target the servers. An HTTPS request includes information required by web browsers to load a website.  

HTTPS is a more secure version of HTTP, an internet protocol used to send data between a web browser and a website.  

Layer 7 means the application layer, which is one of the top layers in the data processing hierarchy of an app or website.  

Google further said that the detection and prevention of the attack to its Cloud Armor Adaptive Protection tool, which analysed the traffic early in the attack lifecycle and alerted the customer, and also shared the attack signature to block the attack. Google claims that despite the attack, the customer's service remained online and continued to serve customers successfully.  

The customer chose to throttle the request instead of denying the requests to mitigate the impact on legitimate traffic. This allowed them to contain the attack by dropping most of the attack volume at Google’s network edge.  

The attack occurred from multiple geographic locations and used different types of unsecured services to generate malicious requests, which Google believes is the modus operandi of the Mēris family of attacks. Google found that 5,256 source IPs from 132 countries were used in the attack, out of which four countries accounted for almost 31% of the total traffic.