Google recently helped mitigate the largest distributed denial-of-service (DDoS) attack on record. This series of attacks occurred in August and employed a new HTTP/2 "rapid reset" method based on stream multiplexing. The incident lasted only two minutes but generated 398 million requests per second (rps) at its peak.

To put that into perspective, the attack generated more requests than Wikipedia’s total views in September.

Google said it was able to mitigate the attacks at the edge of its network, ensuring services and customers were largely unaffected. The attacks have been ongoing since August, and as the team learned more details about the methods used, they were able to update systems and strengthen defenses.

The search giant said that any business or individual that delivers HTTP-based workloads to the internet may be at risk, and that services, applications and APIs that can communicate using the HTTP/2 protocol may be vulnerable. Google has provided a patch for the vulnerability, which is tracked as CVE-2023-44487, with a severity score of 7.5 out of 10.

Google has also published an in-depth look at the rapid reset technique on its cloud blog for interested users to learn more:

https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps

It is worth mentioning that Google is not the only technology giant to successfully mitigate these new attacks. Amazon and Microsoft have also taken action against rapid reset attacks in recent months, and Cloudflare has also weighed in on the issue.

Most DDoS attacks are designed to disrupt Internet-facing websites and services. By flooding servers with traffic, attackers can overwhelm targets and cause all sorts of problems. A minute or two of downtime may not seem like much, but for large companies running mission-critical applications, it can be a huge headache.