According to Google, the geographic distribution of the DDoS attack suggests that it might have been launched through a Mēris botnet.
On June 1st, 2022, Google blocked history’s largest HTTPS DDoS attack, targeting one of its customers’ internet services hosted via Google Cloud, the technology giant revealed this week.
The attackers used HTTPS-based requests and eventually could launch the largest Layer 7 DDoS attack reported to date. According to Google’s technical lead Satya Konduru and product manager Emil Kiner, the attack peaked at 46 million rps (requests per second).
Konduru and Kiner stated that the attack’s scale was so massive that it felt like “receiving all the daily requests to Wikipedia in just 10 seconds.” For your information, Wikipedia is among the world’s top ten most trafficked websites.
Attack Details
The IT giant reported that the attack occurred at 09:45 and targeted a Cloud Armor customer’s HTTP/S Load Balancer with over 10,000 rps. Around 8 minutes later, the attack scale increased to 100,000 rps; just 2 minutes later, it peaked at 46 million rps.
The attack lasted 69 minutes or until 10:54 a.m. The attack originated from roughly 5,256 source IPs located in 132 countries. Around 31% of the attack traffic was contributed by the top four countries and 22% or 1,169 of the source IPs linked to Tor exit nodes, but the request volume from these nodes contributed to only 3% of the overall attack traffic.
“While we believe Tor participation in the attack was incidental due to the nature of the vulnerable services, even at 3% of the peak (greater than 1.3 million rps) our analysis shows that Tor exit nodes can send a significant amount of unwelcome traffic to web applications and services.”
Google
The Mēris Connection
The analysis of the attack’s unsecured services and geographic distribution revealed that it might have been launched through a Mēris botnet. The Mēris botnet comprises hundreds of thousands of compromised internet modems and routers, most of which are from MikroTik.
The botnet was created due to a vulnerability in MikroTik products allowing a hacker to control the devices remotely. Here, it is worth noting that in September 2021, the same botnet was used in a large-scale DDoS attack on Yandex, the Russian search engine and tech giant.
In March 2022, the same botnet was also used in a massive 2.5 million RPS (requests per second) ransom DDoS attack Imperva by cyber security company Imperva.
How was the Attack Blocked?
The Layer 7 DDoS attack was blocked at the “edge of Google’s network with the malicious requests blocked upstream from the customer’s application,” researchers reported. Before the attack was launched, the targeted customer had configured Adaptive Protection in their Cloud Armor security policy to establish normal traffic patterns’ baseline model for their service.
Adaptive Protection could detect the attack in its initial phase and analyze incoming traffic. It then generated an alert with a suggested protective rule-all before the attack’s peaking. Accoding to Google, the customer quickly deployed the suggested rule leveraging Cloud Armor’s newly launched rate, hence, controlling the capabilities of the attack throttle.
“Over the next few minutes, the attack started to decrease in size, ultimately ending 69 minutes later at 10:54 a.m. Presumably, the attacker likely determined they were not having the desired impact while incurring significant expenses to execute the attack.”
This attack was 76% more powerful than the attack Cloudflare addressed in June. That attack, which held the record for the largest HTTPS DDoS attack, peaked at 26 million rps.