Largest DDoS attacks ever reported by Google, Cloudflare and AWS

Internet infrastructure providers Google Cloud, Cloudflare and Amazon Web Services have reported the largest ever distributed-denial-of-service (DDoS) attacks.

The DDoS attacks were reported on October 10, with the cloud service providers noting that the attacks were part of a mass exploit of a zero-day vulnerability. The DDoS attacks themselves started during August and are still continuing as of the time of writing.

In a blog post about the DDoS attacks, Google explained that it was the largest DDoS attack “to date”, with the requests per second (rps) peaking at over 398 million, making it seven and a half times larger than the previous record-breaking DDoS attack. Google noted that 398 million rps is equivalent to “more requests than the total number of article views reported by Wikipedia during the entire month of September 2023”.

The DDoS attacks were launched using a threat vector previously unseen. The malicious actors “relied on a novel HTTP/2 “Rapid Reset” technique based on stream multiplexing” and impacted multiple internet infrastructure companies.  

Google explained how this “Rapid Reset” technique works: “The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately.

“The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth.”

Cloudflare CSO Grant Bourzikas shared in a blog post about the DDoS attack that it is “crucial” to understand that the attack was able to be launched using a “modestly-sized botnet, consisting of roughly 20,000 machines”.  

Bournzikas also note that the zero-day vulnerability “provided threat actors with a critical new tool in their Swiss Army knife of vulnerabilities to exploit and attack their victims at a magnitude that has never been seen before.”

In order to minimize service disruption, companies had to execute DDoS mitigation techniques, including load-balancing. Multiple internet infrastructure companies who were impacted by the DDoS attacked formed a partnership in order to mitigate the overall impact of the attacks on the internet at large. This prevented outages from occurring.