Google has announced that it has successfully mitigated what it says is the largest DDoS attack that’s been recorded to date. The attack, which began in August, reached a peak of 398 million requests per second (RPS), according to Google’s Emil Kiner and Tim April, who published a blog post this week explaining how this particular attack turned out to be 7.5 times larger than the previous record holder from last year (46 million RPS). “This two minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September 2023,” they said.
The most recent wave of attacks started in late August and continue to this day, targeting major infrastructure providers including Google services, Google Cloud infrastructure, and our customers. Although these attacks are among the largest attacks Google has seen, our global load-balancing and DDoS mitigation infrastructure helped keep our services running. In order to protect Google, our customers, and the rest of the Internet, we helped lead a coordinated effort with industry partners to understand the attack mechanics and collaborate on mitigations that can be deployed in response to these attacks.
Our investigation revealed that the attack was using a novel “Rapid Reset” technique that leverages stream multiplexing, a feature of the widely-adopted HTTP/2 protocol. We provide further analysis of this new Rapid Reset technique and discuss the evolution of Layer 7 attacks in a companion blog.
