Google repelled a record-breaking DDoS attack – 398 million requests per second
Google reported that it successfully repelled the most powerful DDoS attack in history last August. Its intensity amounted to 398 million requests per second, which is 7.5 times more powerful than the anti-record set last year. The latest wave of attacks began in late August and continues to this day, targeting major infrastructure providers, including Google services
The new series of DDoS attacks used a new Rapid Reset technique based on stream multiplexing, the most important feature of the HTTP/2 protocol. The intensity of the attack reached 398 million requests per second, while last year’s record was “only” 46 million requests per second. For comparison, during this two-minute attack, more queries were generated than Wikipedia articles were read in the entire month of September 2023.
While repelling the attack, a vulnerability in the HTTP/2 protocol was discovered, which was assigned the number CVE-2023-44487 with a rating of 7.5 out of 10 – this vulnerability helped the attackers implement the Rapid Reset technique. To limit the impact of this attack vector, Google recommends that administrators of HTTP/2-enabled servers make sure that patches are installed to close the CVE-2023-44487 vulnerability.
