Google says it blocked the largest DDoS attack ever detected

DDoS attack
(Image credit: FrameStockFootages / Shutterstock)

Google says has stopped the “largest Distributed Denial of Service” (DDoS) attack ever, and together with industry peers, discovered the vulnerability that made the attack possible in the first place.

In a blog post outlining its work, Google says the blocked attack was 7.5 times larger than the largest-ever recorded DDoS incident. This latest record-setter peaked at 398 million requests per second (rps), up from 46 million rps which was the previous record, established last year. 

“The most recent wave of attacks started in late August and continues to this day, targeting major infrastructure providers including Google services, Google Cloud infrastructure, and our customers,” Google noted.

Rapid reset

To make such a mighty attack possible, the unnamed threat actors deployed a novel HTTP/2 technique dubbed "Rapid Reset" based on stream multiplexing, Google explained. Stream multiplexing is a feature of the “widely-adopted” HTTP/2 protocol, the company said, adding that the technical details can be found on this link.

Soon after detecting the attack, Google introduced additional mitigation strategies and reached out to its industry peers (cloud providers, and similar) who also use the HTTP/2 protocol stack. “We shared intelligence about the attack and mitigation methodologies in real-time as the attacks were underway,” Google said.

Together, they identified a vulnerability in the protocol stack tracked as CVE-2023-44487, a high-severity flaw with a CVSS score of 7.5/10.

Businesses should investigate if their servers running HTTP/2 are not vulnerable, Google says, or in case they are - apply the patch. “If you are managing or operating your own HTTP/2-capable server (open source or commercial) you should immediately apply a patch from the relevant vendor when available,” the company concluded.

DDoS attacks are a common tactic among cybercriminals, in which they disrupt internet-facing websites and services.

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
DDoS Attack
World's largest DDoS attack blocked, Cloudflare claims
An image of network security icons for a network encircling a digital blue earth.
Standing strong against hyper-volumetric DDoS attacks
Web DDoS attacks see major surge as AI allows more powerful attacks
An image of security icons for a network encircling a digital blue earth.
Best DDoS protection of 2025
Flags of Iran, China, Russia and North Korea on a wall. China North Korea Iran Russia alliance
Cybercrime is helping fund rogue nations across the world - and it's only going to get worse, Google warns
DDoS attack
Japan’s largest telco NTT Docomo disrupted by DDoS attack
Latest in Security
Data leak
Top home hardware firm data leak could see millions of customers affected
Representational image depecting cybersecurity protection
Third-party security issues could be the biggest threat facing your business
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Android Logo
Devious new Android malware uses a Microsoft tool to avoid being spotted
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
Latest in News
Hisense U8 series TV on wall in living room
Hisense announces 2025 mini-LED TV lineup, with screen sizes up to 100 inches – and a surprising smart TV switch
Nintendo Music teaser art
Nintendo Music expands its library with songs from Kirby and the Forgotten Land and Tetris
An image of Pro-Ject's Flatten it closed and opened
Pro-Ject’s new vinyl flattener will fix any warped LPs you inadvertently buy on Record Store Day
The iPhone 16 Pro on a grey background
iPhone 17 Pro tipped to get 8K video recording – but I want these 3 video features instead
EA Sports F1 25 promotional image featuring drivers Oscar Piastri, Carlos Sainz and Oliver Bearman.
F1 25 has been officially announced, with this year's entry marking a return for Braking Point and a 'significant overhaul' for My Team mode
Garmin clippd integration
Garmin's golf watches just got a big software integration upgrade to help you improve your game