Google has revealed it fought off a 2.5 Tbps distributed denial-of-service (DDoS) attack in 2017, with the company flagging exponential growth in DDoS attack volumes.
“Our infrastructure absorbed a 2.5 Tbps DDoS in September 2017, the culmination of a six-month campaign that utilised multiple methods of attack,” Google Cloud security reliability engineer Damian Menscher said in a blog post.
“Despite simultaneously targeting thousands of our IPs, presumably in hopes of slipping past automated defenses, the attack had no impact. The attacker used several networks to spoof 167 Mpps (millions of packets per second) to 180,000 exposed CLDAP, DNS, and SMTP servers, which would then send large responses to us.
“This demonstrates the volumes a well-resourced attacker can achieve: This was four times larger than the record-breaking 623 Gbps attack from the Mirai botnet a year earlier. It remains the highest-bandwidth attack reported to date, leading to reduced confidence in the extrapolation,” he added.
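Menscher's description above, as an added defender-side example that is not from Google or this article: a small Python detector run over constructed flow records that flags unsolicited, large UDP replies arriving from the CLDAP and DNS ports of many distinct reflectors, the pattern a spoofed reflection campaign leaves at the victim's edge. The port numbers are the IANA assignments; the flow-record format, field order and thresholds are assumptions.

```python
from collections import defaultdict, namedtuple

# UDP reflector services named in the article (IANA ports). SMTP reflection
# runs over TCP, so this UDP-only detector does not cover it.
REFLECTOR_PORTS = {389: "CLDAP", 53: "DNS"}

Flow = namedtuple("Flow", "direction proto src_ip src_port dst_ip dst_port packets bytes")

# Constructed flow records (not real traffic). Assumed field order:
# direction proto src_ip src_port dst_ip dst_port packets bytes
SAMPLE_FLOWS = """\
in  udp 203.0.113.10 389   198.51.100.1 41234 1200 3600000
in  udp 203.0.113.11 389   198.51.100.2 41234 1100 3300000
in  udp 203.0.113.12 53    198.51.100.3 41234  900 3000000
in  udp 203.0.113.13 53    198.51.100.1 41234  800 2800000
out udp 198.51.100.9 51000 192.0.2.53   53       1      70
in  udp 192.0.2.53   53    198.51.100.9 51000    1    1400
in  tcp 203.0.113.50 443   198.51.100.4 50000 5000 7000000
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, proto, sip, sport, dip, dport, pkts, nbytes = line.split()
        flows.append(Flow(d, proto, sip, int(sport), dip, int(dport), int(pkts), int(nbytes)))
    return flows

def detect_reflection(flows, min_bytes_per_packet=1000, min_reflectors=2):
    # Requests our hosts actually sent, keyed as (our_ip, our_port, remote_ip, remote_port).
    solicited = {(f.src_ip, f.src_port, f.dst_ip, f.dst_port) for f in flows if f.direction == "out"}
    per_service = defaultdict(lambda: {"reflectors": set(), "victims": set(), "bytes": 0})
    for f in flows:
        if f.direction != "in" or f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        if f.bytes / f.packets < min_bytes_per_packet:
            continue  # small replies are not the amplified responses we are after
        if (f.dst_ip, f.dst_port, f.src_ip, f.src_port) in solicited:
            continue  # we asked for this reply, so it is legitimate traffic
        s = per_service[REFLECTOR_PORTS[f.src_port]]
        s["reflectors"].add(f.src_ip)
        s["victims"].add(f.dst_ip)
        s["bytes"] += f.bytes
    # Report only services where several reflectors are hitting us at once.
    return {svc: {"reflectors": len(s["reflectors"]), "victims": len(s["victims"]), "bytes": s["bytes"]}
            for svc, s in per_service.items() if len(s["reflectors"]) >= min_reflectors}

if __name__ == "__main__":
    for svc, summary in detect_reflection(parse_flows(SAMPLE_FLOWS)).items():
        print(svc, summary)
```

The solicited check is what separates a spoofed reflection flood from ordinary large DNS answers to queries our own resolvers sent.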
In a separate blog post, Shane Huntley, from Google’s Threat Analysis Group, said: “our Security Reliability Engineering team measured a record-breaking UDP amplification attack sourced out of several Chinese ISPs (ASNs 4134, 4837, 58453, and 9394), which remains the largest bandwidth attack of which we are aware.”
Google’s move to publicly discuss the attack comes as it provides an update on what it’s seeing and how threat actors are changing their tactics in the lead-up to the US general election in November and, more broadly, what it’s doing to minimise or mitigate the effects of such attacks, which appear to be on the rise.
“The exponential growth across all metrics is apparent, often generating alarmist headlines as attack volumes grow,” Menscher said, referring to Google’s own data on largest known DDoS attacks, which indicates an exponential increase in such attacks over the past five years or so.
“But we need to factor in the exponential growth of the internet itself, which provides bandwidth and compute to defenders as well. After accounting for the expected growth, the results are less concerning, though still problematic,” he added.
According to Menscher, given the data and observed trends available, security teams — such as Google Cloud’s Threat Analysis Group (TAG) — can extrapolate to determine the spare capacity needed to absorb the largest attacks likely to occur.
“While we can estimate the expected size of future attacks, we need to be prepared for the unexpected, and thus we over-provision our defences accordingly,” he said. “Additionally, we design our systems to degrade gracefully in the event of overload, and write playbooks to guide a manual response if needed.”
Huntley, meanwhile, said that addressing state-sponsored DDoS attacks, such as those seen in the lead-up to the US election, requires a coordinated response from the internet community, with Google working with others to identify and dismantle infrastructure used to conduct attacks.
“Going forward, we’ll also use this blog to report attribution and activity we see in this space from state-backed actors when we can do so with a high degree of confidence and in a way that doesn’t disclose information to malicious actors,” he said.