Google says it stopped the largest DDoS attack ever recorded in June

One of Google’s customers was targeted with the largest distributed denial of service (DDoS) attack ever recorded, according to a report the company released this week.

Attributed to Google Cloud Armor Senior Product Manager Emil Kiner and Technical Lead Satya Konduru, the report details the June 1 incident, in which a Google customer was hit with a series of HTTPS DDoS attacks, peaking at 46 million requests per second. 

To put it in perspective, they compared the attack to “receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds.”

“This is the largest Layer 7 DDoS reported to date — at least 76% larger than the previously reported record,” they wrote.


A chart of the attack (Google)

In June, Cloudflare announced it had stopped the largest HTTPS distributed denial of service (DDoS) attack ever recorded at 26 million requests per second, surpassing a then-record attack of 17.2 million requests, which at the time was almost three times larger than any previous volumetric DDoS attack ever reported in the public domain.

Both Cloudflare and Google have expressed concerns about the evolution of DDoS attacks in recent years as they grow in frequency and exponentially in size.

“Today’s internet-facing workloads are at constant risk of attack with impacts ranging from degraded performance and user experience for legitimate users, to increased operating and hosting costs, to full unavailability of mission critical workloads,” Kiner and Konduru explained. 

The engineers said the attack started at 9:45 a.m. PST on June 1 and featured more than 10,000 requests per second. Within eight minutes, it grew to 100,000 requests per second. According to the report, Cloud Armor Adaptive Protection detected the attack and issued a "recommended rule" to block the incoming traffic, which the target's security team put into place.

Two minutes later, the attack grew to its peak of 46 million requests per second before ending a little over an hour later.

"Presumably the attacker likely determined they were not having the desired impact while incurring significant expenses to execute the attack," they wrote.

The hackers behind the attack used more than 5,000 source IPs from 132 countries, with the top 4 countries – Brazil, India, Russia and Indonesia – contributing about 31% of the total attack traffic.



Google attributed the attack to the Mēris botnet, which was behind some of 2021's largest DDoS attacks. The botnet consists of an estimated 250,000 malware-infected devices.

Named after the Latvian word for “plague,” Mēris botnet operators typically send threatening emails to large companies asking for ransom payments in exchange for an end to their DDoS attack. 

If victims don’t pay, the hackers use their botnet in attacks that start small and grow as a way to pressure victims into paying. 

For several months, Mēris was the largest DDoS botnet on the internet, breaking the record for the largest volumetric DDoS attack twice in 2021, once in June and then again in September.

In September, the cybersecurity division of Russian telecom giant Rostelecom said it managed to take down part of Mēris – 45,000 bots – after identifying a mistake by the malware’s creators.

But Google said this week that the geographic distribution and types of unsecured services leveraged to generate the attack match the Mēris family of attacks.

“Known for its massive attacks that have broken DDoS records, the Mēris method abuses unsecured proxies to obfuscate the true origin of the attacks,” Kiner and Konduru said.

“Attack sizes will continue to grow and tactics will continue to evolve.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.