sb-au logo
Story image

Google Cloud observes spike in DDoS volumes in last two years

29 Oct 2020

Google Cloud has seen an ‘exponential’ rise in distributed denial of service (DDoS) attacks over the past decade, but the biggest attacks have only occurred in the past couple of years.

Google Cloud security reliability engineer Damian Menscher recently took a deep dive into DDoS threats, with the aim of sharing trends that will ultimately help to protect Google’s services to its customers.

“With a DDoS attack, an adversary hopes to disrupt their victim's service with a flood of useless traffic. While this attack doesn't expose user data and doesn't lead to a compromise, it can result in an outage and loss of user trust if not quickly mitigated,” explains Menscher.

There are plenty of ‘nicknames’ for DDoS attacks such as Tsunami, javascript injection, Smurf, HULK, and even one called XMAS tree. Some of these threats may have creative names, but the damage they can inflict can pull networks down for hours, days, or weeks.

Google has tracked the biggest attacks in the last decade - in 2020 an IoT botnet conducted a 690 Mpps (megapackets per second) attack and another flooded networks with 6 Mrps (megarequests per second). 

In September 2017, Google absorbed a 2.5 Tbps (Terabit per second) attack on its infrastructure - the highest ever bandwidth attack reported to date. 

The attack didn’t make a dent in Google’s operations - but the company did report ‘thousands’ of vulnerable servers to network providers, and it also worked with network providers to figure out where the spoofed packets were coming from.

“The attacker used several networks to spoof 167 Mpps (mega packets per second) to 180,000 exposed CLDAP, DNS, and SMTP servers, which would then send large responses to us,” explains Menscher. 

“This demonstrates the volumes a well-resourced attacker can achieve: This was four times larger than the record-breaking 623 Gbps attack from the Mirai botnet a year earlier.”

He adds that any DDoS mitigation strategy must include sufficient capacity to absorb large attacks.

Menscher shared details of how Google uses Cloud Armour integration with its Cloud Load Balancing service, both of which help with DDoS mitigation.

The load balancer can filter different types of DDoS attack, while Cloud Armor provides rules for common attacks.

Google also developed Cloud Armor Managed Protection, a service that provides end-users with the ability to reduce DDoS and application security risks.

Menscher says that individuals should keep their devices patched and up to date.

“Businesses should report criminal activity, ask their network providers to trace the sources of spoofed attack traffic, and share information on attacks with the internet community in a way that doesn't provide timely feedback to the adversary.”

“By working together, we can reduce the impact of DDoS attacks.”