Google fends off DDoS attack with record peak of 398 million requests per second

Google says it has repelled the largest DDoS attack in its history. The company managed to fend off an HTTP/2 attack that achieved 398 million requests per second, the largest known DDoS attack ever recorded.

Google writes that it registered the attack in August on its own Cloud infrastructure. The company says that at the end of that month a series of attacks began that it still sees and manages to fend off to this day. The highlight occurred in August itself; In two minutes, Google saw an attack that reached twice a peak amount of data of 398 million requests per second against the infrastructure.

It is not known who carried out the attack, but Google has made more details about the attack public and shared it with other companies. They can use the signature of the attack to detect it early and repel or redirect it.

According to Google, this is an attack on the HTTP/2 protocol. Although that protocol is more often abused for DDoS attacks, in this case the attackers abused a new technique based on a vulnerability in that protocol. Google calls this the ‘Rapid Reset’ attack. The company has registered the vulnerability as CVE-2023-44487. The company has there too wrote a blog post about it.

Rapid Reset is a Layer 7 attack in which a DDoS attack can be performed by attacking the HTTP/2 protocol. HTTP/2 lets browsers send requests to websites to load content, for example. With HTTP/2, unlike an earlier version of the protocol, it is possible to start multiple streams with the same connection. This should ensure faster throughput of content, but the new bug exploits that principle by making hundreds or thousands of requests at the same time and immediately stopping them. As a result, the maximum number of requests that an attacker can make no longer depends on the so-called round trip time of requests.

Google says the attackers have experimented with multiple variations of Rapid Reset. In some cases, the attackers waited a while before stopping the streams or tried to send multiple streams at the same time.

The attack is not only the largest Google has ever detected, but the largest DDoS attack ever reported. In 2022, the company recorded the previous dubious record; then a DDoS attack took place that peaked at 46 million requests per second. At 398 million rps, the new attack is more than 7.5 times larger than the previous one. DDoS attacks seem to have grown exponentially in recent years. For example, Cloudflare saw a record attack of 15.3 million rps in 2022, but less than a year later the company saw one of 71 million.