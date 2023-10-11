Cloudflare, Google, Microsoft, and Amazon have collectively confirmed their successful mitigation of the most substantial DDoS layer 7 attacks on record, occurring in August and September. However, none of the companies disclosed the specific targets of these attacks. These assaults were made possible by exploiting a zero-day vulnerability found in the HTTP/2 protocol, which the companies have dubbed “HTTP/2 Rapid Reset.”

Google, Amazon and Cloudflare Report Largest DDoS Attacks Ever

The HTTP/2 protocol accelerates webpage loading by enabling numerous simultaneous requests to a website through a single connection. According to Cloudflare, the attacks involved an automated cycle of sending and immediately cancelling “hundreds of thousands” of requests to websites using HTTP/2. This flood of requests overwhelmed the servers, causing them to go offline.

Google reported the most substantial attack, with a peak of over 398 million requests per second, surpassing any previously recorded attack by more than seven times. (The prior record was held by a 2022 attack that peaked at 46 million requests per second.) Cloudflare experienced a peak of 201 million requests per second, another record-breaking figure. Amazon recorded the lowest number of requests, capping at 155 million per second. Microsoft did not disclose its specific figures.

DDoS attacks are a common occurrence. Microsoft reported a large-scale layer 7 attack in June that disrupted Outlook for thousands of users. During the same month, fan-fiction website AO3 also fell victim to DDoS attacks. A group known as Anonymous Sudan claimed responsibility for both incidents. Google provides detailed insights in a blog post for those interested in exploring the technical aspects further.