How Google Foiled the Largest DDoS Attack by Chinese Hackers


Google says it fended off a 2.5 Tbps DDoS attack which was carried out by Chinese hackers, making it the biggest DDoS attack ever on record. The Mountain View tech giant made the information public in a blog post and said IT security’s age-old problem is only getting bigger. The company reports DDoS attacks are running rampant and outlines the steps needed to mitigate future attacks.

Google disclosed an attempted takedown of its services from three years ago in a blog post on Friday. The company revealed that it absorbed a massive 2.5 Tbps distributed denial of service (DDoS) attack in September 2017, which, if successful, would’ve been the biggest DDoS attack ever recorded.

The high-bandwidth state-sponsored attack was carried out by Chinese hackers. It involved spoofing 167 Mpps (millions of packets per second) of requests to 180,000 exposed CLDAP, DNS, and SMTP servers, each of which then sent high-volume responses to Google. Google’s Security Reliability Engineering team recorded the DDoS attack and traced its origin to several Chinese ISPs (ASNs 4134, 4837, 58453, and 9394).

Damian Menscher, Security Reliability Engineer at Google, said, “This demonstrates the volumes a well-resourced attacker can achieve: This was four times larger than the record-breaking 623 Gbps attack from the Mirai botnet a year earlier. It remains the highest-bandwidth attack reported to date, leading to reduced confidence in the extrapolation.”

A DDoS attack generally floods the target’s networking infrastructure, along with the shared communications protocols and interfaces its hosts rely on, with high volumes of spoofed traffic. The goal is to overwhelm the enterprise network and, in doing so, distract and divert IT defenses.

While DDoS attacks rarely cause data leaks, they can chip away at the victim organization’s brand value and trust.

Some of the signs of a DDoS attack, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), are:

The DDoS attack on Google ultimately proved ineffective, but the search giant found several vulnerable servers, which it reported to the respective network providers, and worked with those providers to trace the attacks.

The disclosure is in line with the upward trend in DDoS attacks: around 83% of organizations witnessed a DDoS attack in the last two years alone.


Shane Huntley, Director of Google’s Threat Analysis Group, said, “While it’s less common to see DDoS attacks rather than phishing or hacking campaigns coming from government-backed threat groups, we’ve seen bigger players increase their capabilities in launching large-scale attacks in recent years.”

Google categorized the attacks as follows:

  • bps (network bits per second): attacks targeting network links
  • pps (network packets per second): attacks targeting network equipment or DNS servers
  • rps (HTTP(S) requests per second): attacks targeting application servers

Source: Google
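The two ideas above, reflected traffic arriving from exposed CLDAP, DNS and SMTP servers and the bps-versus-pps distinction, can be combined into a simple defender-side check. This is an added example, not Google’s code; the flow records are constructed, and the 512-byte-per-packet cut-off used to label a flood as bps- or pps-oriented is an assumed heuristic.

```python
from collections import defaultdict

# Well-known server ports of the reflection services named in the article.
REFLECTOR_PORTS = {389: "CLDAP", 53: "DNS", 25: "SMTP"}

WINDOW_SECONDS = 1  # interval covered by the constructed sample below

# Constructed inbound flow records: (src_ip, src_port, dst_ip, proto, packets, bytes).
FLOWS = [
    ("198.51.100.10", 389, "203.0.113.5", "udp", 40000, 60000000),
    ("198.51.100.11", 389, "203.0.113.5", "udp", 38000, 57000000),
    ("198.51.100.20", 53, "203.0.113.5", "udp", 90000, 30000000),
    ("198.51.100.30", 25, "203.0.113.5", "tcp", 5000, 400000),
    ("192.0.2.7", 443, "203.0.113.5", "tcp", 300, 120000),  # ordinary HTTPS
]

# Requests the protected host itself sent in the same window: (dst_ip, dst_port).
# A response matching one of these is solicited; other traffic from a reflector port is not.
OUTBOUND_REQUESTS = {("198.51.100.30", 25)}

def unsolicited_reflection(flows, outbound):
    """Aggregate unsolicited traffic arriving from reflector ports, per service.
    Returns {service: {"packets": n, "bytes": n, "sources": k}}."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for src, sport, dst, proto, pkts, nbytes in flows:
        svc = REFLECTOR_PORTS.get(sport)
        if svc is None or (src, sport) in outbound:
            continue  # not a reflector port, or a reply we actually asked for
        a = agg[svc]
        a["packets"] += pkts
        a["bytes"] += nbytes
        a["sources"].add(src)
    return {s: {"packets": a["packets"], "bytes": a["bytes"],
                "sources": len(a["sources"])} for s, a in agg.items()}

def classify(stats, window):
    """Rate each service in bps and pps and label which dimension dominates.
    Large average packets saturate links (bps); tiny ones stress equipment (pps)."""
    out = {}
    for svc, a in stats.items():
        avg_packet = a["bytes"] / a["packets"]
        out[svc] = {"bps": a["bytes"] * 8 / window,
                    "pps": a["packets"] / window,
                    "kind": "bps" if avg_packet >= 512 else "pps",  # assumed threshold
                    "sources": a["sources"]}
    return out

if __name__ == "__main__":
    for svc, r in classify(unsolicited_reflection(FLOWS, OUTBOUND_REQUESTS), WINDOW_SECONDS).items():
        print(f"{svc}: {r['bps']:.0f} bps, {r['pps']:.0f} pps, {r['kind']}-style from {r['sources']} reflectors")
```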

Some of the other large-scale DDoS attacks included the one thwarted by Amazon, which had a bitrate of 2.3 Tbps, as well as the ones mitigated by Neustar (1.17 Tbps) and Akamai (1.44 Tbps).

Rory Duncan, Security Go to Market Leader at NTT Ltd, told Infosecurity Magazine, “DDoS attacks are increasing in size partly because it is easier: cyber-criminals are now able to compromise more endpoints with commercialized DDoS services. In addition, organizations have more capacity than ever before to ‘absorb’ or mitigate DDoS attacks, which means that basic volumetric DDoS attacks need to be bigger to overwhelm defenses. In response, our adversaries are also constantly evolving their techniques – and automation is a tool used on both sides of the battle.”

According to CISA, an organization under a DDoS attack should:

  • “Contact the network administrator to confirm whether the service outage is due to maintenance or an in-house network issue. Network administrators can also monitor network traffic to confirm the presence of an attack, identify the source, and mitigate the situation by applying firewall rules and possibly rerouting traffic through a DoS protection service.”
  • “Contact your ISP to ask if there is an outage on their end or even if their network is the target of the attack and you are an indirect victim.”

Google highlighted the need for a collective resolve to mitigate future DDoS threats and is working with “others in the internet community to identify and dismantle infrastructure used to conduct attacks.”
