Google Was Targeted by Largest DDoS Attack


This week Google revealed that in 2017 it was subjected to the largest distributed denial of service (DDoS) attack on record, clocking in at 2.5 Tbps. Previously, the largest known DDoS attack targeted Amazon Web Services, in February 2020. An attack of such magnitude is significant not only because it set a new record, but also because hundreds of millions of people depend on the various Google services, either for work or personal use. Fortunately, Google was able to mitigate the attack; other organizations may not be so well-defended.

Google’s reasons for disclosing the attack

The public and cybersecurity community need to know about such attacks to be prepared for the growing threat. Other organizations have experienced massive DDoS attacks, both prior to and since 2017, so one can only speculate why Google waited three years to publicly disclose that it had been targeted by such a large attack.  Although, they were diligent enough, at the time, to report the incident to law enforcement and also work with network providers to trace the source of the spoofed packets. One reason many companies don’t want to publicly disclose that they have been targeted, is their concern about losing customer trust, or provoking copycat attacks.

Google blames Chinese state actors for attack

Google released two related blog posts, one from their Threat Analysis Group (TAG), which emphasized the increasing trend of nation-state hacker groups using DDoS attacks, and another post from the Google Cloud team which stressed that DDoS attacks would intensify in the coming years, as internet bandwidth also increases. 

Google’s Threat Analysis Group reported that “our Security Reliability Engineering team measured a record-breaking UDP amplification attack sourced out of several Chinese ISPs (ASNs 4134, 4837, 58453, and 9394), which remains the largest bandwidth attack of which we are aware.”  The TAG blog post further states: “Addressing state-sponsored DDoS attacks requires a coordinated response from the internet community, and we work with others to identify and dismantle infrastructure used to conduct attacks. Going forward, we’ll also use this blog to report attribution and activity we see in this space from state-backed actors when we can do so with a high degree of confidence and in a way that doesn’t disclose information to malicious actors.”

Terabit-sized attacks are increasing…

Google’s public announcement of the attack it fended off is a sharp reminder that malicious actors can now more easily execute extremely high-volume attacks, for two key reasons: there are millions of IoT devices that can be easily harnessed into botnets, and telecoms providers have expanded their mobile data networks, whether 4G or 5G, to increase bandwidth. (5G networks increase attack surfaces exponentially because they are connecting more powerful, 5G-enabled, devices that have the capacity to generate much higher volumes of traffic).

…But short-duration, sub-saturating attacks are the most common

Interestingly, the Google Cloud team blog post noted that “The exponential growth across all metrics is apparent, often generating alarmist headlines as attack volumes grow. But we need to factor in the exponential growth of the internet itself, which provides bandwidth and compute [sic] to defenders as well. After accounting for the expected growth, the results are less concerning, though still problematic.”

At Corero we consistently find that the overwhelming majority of attacks are, in fact, short and sub-saturating, which require a specialist DDoS mitigation solution that is able to automatically detect such attacks among normal traffic, and remove them with surgical precision. This has proven to be a significant challenge for legacy DDoS protection solutions, that often fall short when it comes to effectively detecting and mitigating smaller, and increasingly sophisticated, attacks.  When larger attacks do strike, this can be dealt with using a hybrid solution; combing the fast, accurate, on-premises protection with automatic redirection to a cloud scrubbing service which has the capacity to remove the majority of any attack packets which would have caused link saturation.

For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. For more on Corero’s diverse deployment models, click here.  If you’d like to learn more, please contact us.

Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry, to guide Corero’s growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean’s previous roles include network security Global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.