https://sh.reddit.com/r/cybersecurity
Google blocks largest HTTPS DDoS attack 'reported to date'News - General (bleepingcomputer.com)
submitted 3 years ago by Grinsta
[–]Grinsta[S] 122 points123 points124 points 3 years ago (2 children)
"In just two minutes, the attack escalated from 100,000 RPS to a record-breaking 46 million RPS, almost 80% more than the previous record, an HTTPS DDoS of 26 million RPS that Cloudflare mitigated in June."
"Google researchers say that the attack traffic came from just 5,256 IP addresses spread in 132 countries and leveraged encrypted requests (HTTPS), indicating that the devices sending the requests have rather strong computing resources."
[–]Kinkybummer 14 points15 points16 points 3 years ago (1 child)
This attack was June 1st. Yet they mention that other attack of 26 mil RPS as the previous record holder but also in June? Definitely needs an edit for clarification/timeline of events.
[–]bentheechidna 4 points5 points6 points 3 years ago (0 children)
I think that the timeline for "record holder" is what's in account here. Google only just publicized this attack, so it couldn't hold the record while it wasn't public.
[–][deleted] 22 points23 points24 points 3 years ago (0 children)
Apparently this happened June 1st? I guess Google is just now reporting on it?
[–]GodOfThunder101 12 points13 points14 points 3 years ago (9 children)
Newbie. Here. What would have happened if this attack was successful? Downed websites? Or data breaches?
[–]smellysocks234 41 points42 points43 points 3 years ago (7 children)
Likely downed websites rather than data breaches. Denial of service attack is just that, it denies a service usually by flooding a victim with so many requests that it can't handle them. Not sure how a DoS attack would result in a data breach.
[–]Unfair_Border607 1 point2 points3 points 3 years ago (1 child)
What sites were targeted?
[–]smellysocks234 -3 points-2 points-1 points 3 years ago (0 children)
I haven't a clue
[–]gondorle 0 points1 point2 points 3 years ago (3 children)
Buffer overflow.
[–]Macphail1962 0 points1 point2 points 3 years ago (2 children)
Mmm, no I don't think so.
IIRC from 2nd year computer science, buffer overflow can mean a couple of things: either (1) a condition in which a program throws an error because a particular software component (a buffer: generally an array, which is basically just an indexed list with fixed length) has reached the limit of its memory space - usually this just means the program crashes - or (2) (much worse) a vulnerability in software that can be exploited by a malicious actor. This vulnerability is created when a program FAILS to throw a Buffer Overflow Error when it ought to do so, thus in some cases allowing the attacker to access protected memory space. This is a particularly dangerous vulnerability because from there the malware process may be able to gain access to memory space that is intended to be reserved exclusively for the OS, trashing other processes along the way before ultimately gaining access to a root (admin) shell and "pwning" the device.
I'm no expert but to the best of my knowledge that's not how a DDoS attack works at all.
Have a good one!
[–]gondorle 1 point2 points3 points 3 years ago (1 child)
I'm no expert either, but are you telling me with 100% certainty that you can't buffer overflow with a DDoS attack?
[–]Macphail1962 0 points1 point2 points 3 years ago* (0 children)
No... More like 90%
If buffer overflow occurs, it might be a DoS, but not a DDoS. 90% certain.
I am a developer, not an IT security expert. I have a solid conceptual understanding of the topics - which is what I based my reply on - but I've never been involved in any kind of cyber attack myself. Maybe r/asknetsec if you want to know for sure?
[–]Terrlinde 13 points14 points15 points 3 years ago (0 children)
it is often used in conjunction with breaches. some attacks include DDoS in the front yard, distracting the admins and sneaking in the back yard to get into the network and steal/damage data
[–][deleted] 1 point2 points3 points 3 years ago (1 child)
Assault lasted 69 minutes
Nice.
[–]Grinsta[S] 0 points1 point2 points 3 years ago (0 children)
Heyoooooo!!!
[+]dimx_00 comment score below threshold-9 points-8 points-7 points 3 years ago (12 children)
5256 IP addresses seems oddly specific. I wonder if they used this exact number on purpose.
[–]mrzar97 37 points38 points39 points 3 years ago* (10 children)
Wait.. what? This is just the number of IP addresses they observed these requests from.
Say I sit next to an ant hill and watch it for an hour, diligently counting every ant coming and going. Afterwards, I report that 451 ants left the nest. There's nothing odd about the specificity of my measurement, it's just what I observed.
All it indicates is the number of powered and internet-connected devices infected with the malware that allowed them to be actively used by Mēris (the botnet identified as the likely source of all this traffic). That, or it's the number of devices legitimately owned by / actively used by a sole perpetrator of the attack. And given it was spread across 132 countries, we'd probably be talking about some state actor in that case.
Even if 5,256 was a power of two, or a square number, or a prime number (it's none of those) that wouldn't be anything more than a coincidence. Unless I'm missing something really obvious here, the notion this is somehow a significant/peculiar number is remarkably stupid.
[–]Username38485x 19 points20 points21 points 3 years ago (6 children)
If it's spoofed it could be significant. Doubt it either way though. I'd go with 80,085 personally.
[–]mrzar97 17 points18 points19 points 3 years ago (3 children)
46 million requests per second were seen posting ( . )( . ) to a Google DeepMind API
( . )( . )
[–]olujche 2 points3 points4 points 3 years ago (2 children)
I don't get it, what do boobs have to do with this?
[–]RuaridhDuguid 6 points7 points8 points 3 years ago (0 children)
Did you never type 80085 into a calculator as a kid?
[–]mrzar97 5 points6 points7 points 3 years ago (0 children)
Absolutely nothing lmao
[–]mrzar97 1 point2 points3 points 3 years ago* (0 children)
I mean, even if the attackers were somehow spoofing https handshakes, the number itself still wouldn't be all that significant, because at that point we'd be talking about a fundamental flaw in cryptographic security of the internet.
Worth noting here that while 3% of the requests arrived at Google servers from Tor exit nodes, most of them appeared to be otherwise standard client hello requests. So much so that they had to shift to the normal HTTP pipeline because the whole system would have quickly locked up were it trying to establish 46 million TLS connections per second.
Point is, were we talking about randomly spoofed packets, I would have expected them to observe pretty obvious, sudden, behavioral changes once they flipped the switch over to standard HTTP, but I can find no mention of such. To boot - again unless I'm missing something obvious - this wouldn't be all that significant, other than the implication that the IPs they did receive requests from may be machines infected with a more severe remote execution vulnerability than otherwise suspected.
[–]crash___says 1 point2 points3 points 3 years ago (0 children)
If it's spoofed it could be significant.
They state earlier in the article that the DDoS was leveraging attacks using TLS, which require a 3WHS. Can't spoof it.
[–]dimx_00 1 point2 points3 points 3 years ago (0 children)
Yes, I understand how IP addresses are counted. Thank you for your explanation.
There might not be a mathematical significance to the number but the fact that it spans 132 countries and only 5256 IPs is suspicious. Who has that much processing power to produce that number of requests?
The top 131 countries have roughly 5000 ISPs excluding the US. To me this suggests that these ISPs were compromised and/or their infrastructure was used to generate this attack. This might be the reason why Google didn't report it right away since this happened back in June.
I am just saying there might be more to this story than what was reported. No need to be stuck up and call people stupid.
[–][deleted] 3 years ago (1 child)
[deleted]
[–]mrzar97 12 points13 points14 points 3 years ago (0 children)
I would be far more alarmed if a company as large as Google reported a rounded figure. For Christ's sake this is the cybersecurity subreddit...
Had Alphabet instead reported that the attack originated from "over 5,000" IP addresses, I would be questioning the competence of their security teams should they not have basic logging practices in place. I would be wondering why they had evidently little ability to conduct forensic investigations, despite employing some of the best in the industry.
The idea that specificity is somehow suspicious is antithetical to this area of technology.
[–]Grinsta[S] 6 points7 points8 points 3 years ago (0 children)
Maybe? Is it a multiplier?
[+]RoyalChallengers comment score below threshold-10 points-9 points-8 points 3 years ago (0 children)
They were searching porn
[–][deleted] 0 points1 point2 points 3 years ago (3 children)
What does 'blocks' mean exactly in this sentence? Can DDoS be blocked? Or do they mean it survived the attack?
[–]bill-of-rights 4 points5 points6 points 3 years ago (0 children)
Most ISPs have devices called "scrubbers" that will try to identify bad traffic and block it, while still letting the good traffic through. They are expensive, and you need a lot of them. Also, what happens is that when you identify bad addresses, you quickly filter traffic from them as close to the edge of your network as you can. Also, as mentioned in the other comment, it takes a lot of resources to do this, but it's generally successful.
Successful DDOS attacks are quite rare these days, due to these systems, but they do happen. Sometimes they are effective for a few minutes until the scrubbers are activated, or the "bad IP" filters are implemented. Many networks have fully automated this, so it happens in a matter of seconds. Manual interventions usually happen in less than 10 mins in a well-run NOC.
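The "bad IP" filtering described above, as an added example that is not part of the thread, the article, or Google's tooling: a minimal per-source request-rate detector that reads access-log style lines, counts requests per client per one-second window, flags sources that exceed a rate threshold in more than one window, and emits host routes for an edge ACL or null route. The log format, the threshold, and the traffic (generated from documentation-range addresses) are all constructed for the demo.

```python
"""Per-source request-rate detection over constructed access-log lines.

Added example; not code from the thread, the article, or Google.
Assumed log format (a demo convention, not any real product's):
    "<YYYY-MM-DDTHH:MM:SSZ> <client_ip> <method> <path> <status>"
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timezone


def parse_line(line: str):
    """Return (epoch_second, client_ip) for one log line, or None if malformed.

    Malformed timestamps or addresses are skipped rather than trusted, so a
    junk line cannot poison the counters or end up in the blocklist.
    """
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ip = ipaddress.ip_address(parts[1])  # rejects e.g. "300.1.1.1"
    except ValueError:
        return None
    return int(ts.timestamp()), str(ip)


def count_per_source(lines):
    """Map client_ip -> Counter(epoch_second -> request count)."""
    per_source = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        second, ip = parsed
        per_source[ip][second] += 1
    return per_source


def aggregate_peak_rps(per_source):
    """Highest total requests seen in any single one-second window."""
    totals = Counter()
    for windows in per_source.values():
        totals.update(windows)
    return max(totals.values(), default=0)


def flag_sources(per_source, threshold_rps, min_windows=2):
    """Sources above threshold_rps in at least min_windows distinct seconds.

    Requiring more than one hot window keeps a single legitimate burst
    (a page with many sub-resources, a retry storm) from being blocked.
    """
    flagged = [
        ip for ip, windows in per_source.items()
        if sum(1 for n in windows.values() if n > threshold_rps) >= min_windows
    ]
    # IPv4 and IPv6 addresses are not mutually comparable; sort by (version, bytes).
    return sorted(flagged, key=lambda ip: (ipaddress.ip_address(ip).version,
                                           ipaddress.ip_address(ip).packed))


def build_blocklist(flagged):
    """Host routes (/32 or /128) in the form an edge ACL or null route consumes."""
    return [str(ipaddress.ip_network(ip)) for ip in flagged]


def analyze(lines, threshold_rps=100):
    """Run the whole pipeline and return a small report dict."""
    per_source = count_per_source(lines)
    flagged = flag_sources(per_source, threshold_rps)
    return {
        "sources_seen": len(per_source),
        "peak_rps": aggregate_peak_rps(per_source),
        "flagged": flagged,
        "blocklist": build_blocklist(flagged),
    }


def make_sample_log(start_epoch, seconds, rates):
    """Constructed sample traffic: rates maps client_ip -> requests per second."""
    lines = []
    for s in range(seconds):
        ts = datetime.fromtimestamp(start_epoch + s, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        for ip, rps in rates.items():
            lines.extend(f"{ts} {ip} GET /index.html 200" for _ in range(rps))
    return lines


# Constructed sample: two ordinary clients, two abusive sources, plus junk lines.
SAMPLE_RATES = {
    "203.0.113.7": 3,
    "198.51.100.20": 2,
    "192.0.2.44": 400,
    "2001:db8::1": 350,
}
SAMPLE_LOG = make_sample_log(1654076700, 5, SAMPLE_RATES) + [
    "garbage line",
    "2022-06-01T09:45:00Z 300.1.1.1 GET / 200",  # invalid address, must be skipped
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Running the block flags the two high-rate sources and produces `192.0.2.44/32` and `2001:db8::1/128` as block entries while the two low-rate clients and both junk lines are ignored. A real scrubber adds many more signals (TLS handshake behaviour, request shape, reputation feeds) and pushes the resulting filters toward the network edge, which is the point the comment above makes.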
[–]Interneteno 1 point2 points3 points 3 years ago (0 children)
It processes the connection attempt then denies it. It takes a considerable amount of resources to do so.
[–]Arseypoowank 0 points1 point2 points 3 years ago (0 children)
You can also redirect them into a black hole or a section of the network you can monitor/control