Record DDoS on Layer 7, Google fends it off


46 million HTTPS requests in one second: that is how hard a botnet hammered a server application in an attempt to bring it to its knees. It is a new record for a DDoS attack on Layer 7.


DDoS attacks are rapidly becoming more frequent and larger, and the arms race between attackers and defenders continues. Google reports a new record for DDoS on Layer 7: the Mēris botnet is believed to have sent up to 46 million HTTPS connection requests per second to Google Cloud from 132 countries. The company compares the flood of requests to an entire day's worth of Wikipedia page views compressed into ten seconds. According to its own account, Google was able to fend off the attack.

On June 1st, Google observed a DDoS attack from no fewer than 5,256 IP addresses. Starting at a good 10,000 HTTPS requests per second against an HTTPS load balancer, the flood soon swelled to 100,000. According to Google's report, its systems recommended a defensive rule to the unnamed Google Cloud customer, who deployed it after a short test phase.

This apparently annoyed the perpetrators. In the two minutes after the mitigation took effect, the attackers sent millions of requests per second to Google Cloud, peaking at 46 million per second. That exceeds the previously known maximum for a Layer 7 DDoS attack by three quarters: in June, Cloudflare had fended off an attack with up to 26 million requests per second. The perpetrators are said to have had no notable success this time either. After a total of 69 minutes, it was all over.

Such an enormous attack over encrypted connections is not only a burden for the target systems and upstream networks; it also requires considerable computing resources on the attacker's side. Botnet operators who rent out "their" systems for such crimes are well paid for it. That, Google suspects, is why the attacker soon gave up: the attack was expensive but ineffective.

Google attributes almost a third of the attack to IP addresses in just four of the 132 countries: Indonesia, Brazil, Russia and India. Google recognized 22 percent of all source addresses as Tor exit nodes. However, they were responsible for only three percent of the attack volume, i.e. a comparatively modest contribution. However, at 46 million requests per second, three percent is still more than 1.3 million per second.

The acronym DDoS stands for Distributed Denial of Service. In a denial-of-service attack, routers, servers or the software running on them are deliberately flooded with data packets in order to overload them. Legitimate users can then use the affected systems only with difficulty, or not at all. Attackers are mostly motivated by blackmail (for example: "As long as you don't pay, I'll keep going, and your customers won't be able to buy anything from you"), political reasons (protest, sabotage), cyber warfare, or the attempt to provoke specific malfunctions by overloading a system. In a second step, such malfunctions can open up access to a system or allow manipulation, for example of prices.

Simple, single-source denial-of-service attacks are very rare today. The target system is easy to defend by discarding all packets coming from the attacker, and the attack's power would in any case be limited to the capacity of the originating system. Today's attacks are almost always distributed: the packets do not come from a single source but from many different origins at the same time. This makes it difficult to distinguish connection requests from legitimate users from those of attackers, and it allows a far larger flood of data to reach the target.

The sources misused for such attacks include botnets, networked devices (Internet of Things, IoT), insecure proxies, and misconfigured servers that can be tricked into answering small requests with large responses sent to a victim's address. DoS attacks are possible at all seven layers of the OSI model; Layer 3 (e.g. via the Internet Control Message Protocol, ICMP), Layer 4 (SYN packets) and Layer 7 (HTTP(S) connection setup) are the common ones.
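As an added example (not from the article, Google or Cloudflare), this is the kind of per-source accounting a defender runs over access logs to recognise a Layer 7 flood: the peak request rate per second, the sources that exceed a per-second threshold, and the contrast between a source set's share of addresses and its share of request volume, the same contrast the article draws for the Tor exit nodes. The log lines and the Tor exit set are constructed placeholders.

```python
from collections import Counter

# Constructed access-log sample, "<epoch_seconds> <client_ip> <method> <path> <status>";
# documentation addresses only, not real traffic.
LOG_LINES = """\
1654041600.000 203.0.113.10 GET / 200
1654041600.010 203.0.113.10 GET / 200
1654041600.020 203.0.113.11 GET /index.html 200
1654041600.030 203.0.113.10 GET / 200
1654041600.040 198.51.100.7 GET /api 200
1654041600.050 203.0.113.10 GET / 200
1654041600.060 192.0.2.5 GET / 200
1654041600.900 203.0.113.10 GET / 200
1654041601.100 203.0.113.10 GET / 200""".splitlines()

# Constructed stand-in for a Tor exit-node list (the real list is published by the Tor Project).
TOR_EXITS = {"198.51.100.7", "192.0.2.5"}


def parse(line):
    """Return (epoch_seconds, client_ip) from one log line."""
    ts, ip, _method, _path, _status = line.split()
    return float(ts), ip


def per_second_buckets(lines):
    """Map each whole second to a Counter of requests per source IP."""
    buckets = {}
    for line in lines:
        ts, ip = parse(line)
        buckets.setdefault(int(ts), Counter())[ip] += 1
    return buckets


def peak_rps(lines):
    """Highest total number of requests seen in any single one-second bucket."""
    return max(sum(c.values()) for c in per_second_buckets(lines).values())


def flood_sources(lines, threshold):
    """Source IPs that sent more than `threshold` requests within any one second."""
    return {ip for c in per_second_buckets(lines).values() for ip, n in c.items() if n > threshold}


def address_share(lines, ip_set):
    """Fraction of distinct source addresses that belong to ip_set."""
    sources = {parse(l)[1] for l in lines}
    return len(sources & ip_set) / len(sources)


def volume_share(lines, ip_set):
    """Fraction of all requests that came from ip_set (many addresses can still mean little volume)."""
    return sum(1 for l in lines if parse(l)[1] in ip_set) / len(lines)
```

On the sample, the Tor set accounts for half of the distinct addresses but only two of nine requests, which is why a source list alone is a poor measure of who is doing the damage.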

Brian Adam