In brief: Google recently helped mitigate the largest distributed denial of service (DDoS) attack ever recorded, and was it ever a doozy. The series of attacks took place back in August and utilized a novel HPPT/2 "Rapid Reset" approach based on stream multiplexing. The event lasted just two minutes but at its peak, generated 398 million requests per second (rps).
To put that into perspective, the attack generated more requests than the total number of articles viewed on Wikipedia for the entire month of September.
Google said it was able to mitigate the attack at the edge of its network to ensure services and customers remained largely unaffected. The attacks have been going on since August and as the team understood more details about the methodology used, they were able to update their systems and harden their defenses.
The search giant said any enterprise or individual that serves an HTTP-based workload to the Internet could be at risk, and that services, apps, and APIs that can communicate using the HTTP/2 protocol may be vulnerable. Patches are available for the attack, which is being tracked as CVE-2023-44487 with a high severity score of 7.5 out of 10.
Google also posted a deeper dive on the Rapid Reset technique over on its cloud blog for those interested in learning more.
It is worth mentioning that Google is not the only tech giant that has successfully mitigated these new types of attacks. Amazon and Microsoft have also taken action against Rapid Reset attacks in recent months. Cloudflare chimed in on the subject as well but for some reason, the site has blocked me on my home and cellular connection.
Most DDoS attacks are waged in an attempt to disrupt Internet-facing sites and services. By flooding servers with traffic, an attacker can overwhelm a target and cause all sorts of problems. A minute or two of downtime may not seem like much but for huge companies running mission critical applications, it can be a major headache.