What developers can learn from the largest DDoS attack in history

What developers can learn from the largest DDoS attack in history

This past October, Google Cloud disclosed that it had successfully mitigated the largest Distributed Denial of Service (DDoS) attack in history – and that this DDoS attack had been hitting businesses since August.

What made it the worst DDoS to date? It was the volume. At its peak, the attack counted over 398 million requests per second (rps). To compare, the worst recorded DDoS attack up to that point, detected in 2022, reached 46 million rps.

The fall 2023 attack, then, was eight times bigger than its predecessor as the record breaker. As staggering as the scale was, it was also right on trend with how DDoS attacks have been evolving in recent years.

In this case, cybercriminals were able to launch the DDoS after they discovered a zero-day vulnerability on the HTTP/2 protocol. In a worst-case scenario, this type of exploit can flood traffic and disrupt services. While it won’t compromise data, it can take a vulnerable website or app offline.

Looking back at it a half year later, what does the largest DDoS attack so far teach software developers about preventing DDoS?

Patch vulnerabilities regularly

A zero-day vulnerability made the attack at hand as effective as it was. It’s now known as HTTP/2 Rapid Reset, or CVE-2023-44487, and it can overwhelm servers that rely on HTTP/2 protocols.

Patching flaws early is one of the best forms of defence against DDoS and other attacks. During this process, special attention has to be given to high-risk vulnerabilities. 

Unpatched vulnerabilities are among the leading causes of cyber attacks, yet many teams overlook patches for years on end. With known flaws, businesses can automate this process to fix them within the system early. But how can you promptly patch zero-day weaknesses? These are threats that are still unknown. Tools can’t detect them because they don’t know such weaknesses exist. 

Plus, it can take some time until the patch is released for the latest zero-day exploits. While you wait for the patch for HTTP/2 Rapid Reset, Microsoft suggests: 

  • Protecting your site with WAF
  • Implementing defences for layer 7 DDoS attacks
  • Setting up rate-limiting rules to block unwanted traffic
  • Blocking malicious IP addresses
  • Disabling HTTP/2 protocol

Approach cybersecurity proactively

Google is in position to discover and mitigate attacks before they get out of control, simply  because they continually monitor their security. They keep developing better defence mechanisms. That is, they use proactive measures to continually improve their security.

If your dev team applies patches regularly, adheres to DDoS mitigation best practices and maintains an updated incident response plan, then you’re in good shape when it comes to reactive measures. However, this might not be enough to protect your environment from high-risk flaws.

To stop DDoS from disrupting your system on this level, you need more.

Start here to implement a more proactive approach to security:

  • Monitor network traffic to keep an eye on any surges in traffic
  • Use behavioural analysis solutions to detect abnormal traffic patterns
  • Set traffic filtering rules to stop malicious traffic

As a result, proactive cybersecurity helps you discover vulnerabilities early – before they escalate into damaging, and costly, attacks.

Set up layered defences within your infrastructure

In his recap of the largest attack, Cloud Armor’s Emil Kiner notes that thanks to load balancing measures and DDoS mitigation infrastructure, Google was able to keep everything operational, with zero downtime.

In a contrasting example, when OpenAI experienced a DDoS attack in November 2023, users complained of repeated outages throughout the entire day.

Having a comprehensive mitigation infrastructure and layers of security makes a difference here. Only having WAF is not enough to mitigate DDoS early. For example, here are a few measures that the Google team says it relies on:

  • Customised security policies
  • Adaptive protections to analyse traffic patterns
  • Rate limiting to restrict the volume of requests
  • Global load balancing for the distribution of traffic

Besides proper infrastructure, it’s important to have a multi-faceted cybersecurity program that combines versatile proactive and reactive measures.

Collaborate with peers in your industry

What this case teaches us is that it’s important to collaborate with other players in your industry. 

To mitigate the attack, Google shared information and intelligence about the attacks with industry stakeholders. This includes software maintainers and cloud providers.

Here, Google, Cloudflare, and AWS worked together to investigate and stop the attack before it caused long downtimes for vulnerable customers. They coordinated their efforts and shared intelligence, strategy, and expertise to stop the attack early.

This is important for the mitigation of large-scale attacks such as this one. They could handle the threat early and use the most effective measures to do so.

How can other companies be collaborative like this, too? Build a community to foster a supportive environment in your industry. Exchange knowledge and practices with other companies.

Collaborate with industry partners to mitigate attacks in real-time.

Adapt and evolve defences to prevent DDoS attacks

When a major company suffers a DDoS attack, it can be difficult to understand why WAF and other defences didn’t promptly stop the attack.

As you can see here, it’s difficult to prepare the company against more sophisticated attacks. If they exploit zero-day vulnerabilities, we’re talking about a flaw that your security system couldn’t possibly have anticipated.

The bottom line of the worst DDoS attack? Just like DDoS attacks are getting more advanced every year, your defences need to also keep evolving.

Besides applying standard cyber hygiene such as regular patching, approach the security with proactive measures. Have multi-faceted security infrastructure. Collaborate with others if you can.

Tags: , , , ,

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *