Google absorbed record-breaking 2.5 Tbps DDoS attack in September 2017
Devdiscourse News Desk | California | Updated: 17-10-2020 12:37 IST | Created: 17-10-2020 12:34 IST
Google on Friday revealed that its infrastructure absorbed a 2.5 Tbps DDoS (distributed denial-of-service) attack in September 2017, a record-breaking UDP amplification attack sourced out of several Chinese internet service providers (ISPs).
According to the search giant, the 2017 attack was four times larger than the record-breaking 623 Gbps attack from the Mirai botnet a year earlier, and it remains the highest-bandwidth attack reported to date.
"Our infrastructure absorbed a 2.5 Tbps DDoS in September 2017, the culmination of a six-month campaign that utilized multiple methods of attack. Despite simultaneously targeting thousands of our IPs, presumably in hopes of slipping past automated defenses, the attack had no impact," Damian Menscher, Security Reliability Engineer at Google Cloud, wrote in a blog post.
The attackers used several networks to spoof 167 Mpps (millions of packets per second) to 180,000 exposed CLDAP, DNS, and SMTP servers, which would then send large responses to Google, demonstrating the volumes a well-resourced attacker can achieve, Menscher added.
Even though the DDoS attack didn't cause any impact, Google says it reported thousands of vulnerable servers to their network providers and also worked with them to trace the source of the spoofed packets so they could be filtered.
The post also highlighted some innovative ways to defend against these advanced attacks. For instance, customers can deploy Google Cloud Armor to protect their websites and applications from exploit attempts as well as distributed denial-of-service (DDoS) attacks. In addition, Cloud Armor WAF provides built-in rules for common attacks as well as the ability to deploy custom rules that drop abusive application-layer requests using a broad set of HTTP semantics.
Google recommends that individual users ensure their computers and IoT devices are patched and secured. Businesses, for their part, are advised to report criminal activity, ask their network providers to trace the sources of spoofed attack traffic, and share information on attacks with the internet community in a way that doesn't provide timely feedback to the adversary.