The attack on a Google Cloud Armor customer was equivalent in scale to receiving all of the web’s daily requests to Wikipedia in just 10 seconds

Brokers that utilise cloud services to manage vital business infrastructure should be on high alert after Google Cloud revealed this month that it had blocked the largest Distributed Denial of Service (DDoS) attack ever.

In a blog post published on Google’s website on 18 August 2022 – entitled How Google Cloud blocked the largest Layer 7 DDoS Attack at 46 million rps – the technology giant explained that a Google Cloud Armor customer was targeted with an HTTPS (Hypertext Transfer Protocol Secure) DDoS attack that topped 46 million requests per second on the morning of 1 June 2022.

The post stated: “This is the largest Layer 7 DDoS reported to date – at least 76% larger than the previously reported record.

“To give a sense of the scale of the attack, that is like receiving all the daily requests to Wikipedia – one of the top 10 trafficked websites in the world – in just 10 seconds.”

Rich Belanger, chief technology officer at Applied, told Insurance Times: “This foiled attempt is a proof point to brokers of the critical nature of hosting their technology in a well-maintained and secure cloud environment.

“Applied has been tracking ongoing cyber attacks like HTTPS DDoS – and while we don’t expect them to slow down – we remain vigilant in keeping our brokers’ technology and data safe.”

Applied Systems has worked in partnership with Google since October 2018 – this partnership was expanded in February 2021.

Belanger added: “A large part of our strategy is our ongoing partnership with Google Cloud, as well as an investment with Cloudflare to provide ‘defence-in-depth’ for our customers.”

Cloudflare is a global internet security network that works to bolster secure internet connections and protect businesses online. 

According to Cloudflare, an HTTPS DDoS attack is a type of cyber attack by which an attacker inundates a server with internet traffic to stop users from accessing services and sites associated with the server.

The attack method utilises networks of internet-connected machines that have been infected with malware, allowing them to be controlled remotely by an attacker and used to create massed requests that then cripple a website. 

By flooding a server with HTTPS requests, the target becomes overwhelmed and unable to respond to the traffic – denial of service will then happen for any additional requests from users.

However, in the 1 June attack, Google’s Cloud Armor Adaptive Protection detected the traffic early enough in the attack to alert the customer and “recommend [a] protective rule” to block the malicious signature before the attack reached its full magnitude.

The customer was able to remain online and continued serving end users, according to Google’s blog post.

Noteworthy characteristics

Google listed some other noteworthy characteristics of the DDoS attack in its blog post:

  • 5,256 source IPs (Internet Protocol) from infected machines from 132 countries contributed to the attack.
  • Four countries accounted for 31% of total attack traffic – Brazil, India, Russia, and Indonesia.
  • The attack leveraged encrypted requests (HTTPS) which would have taken added computing resources to generate.
  • Approximately 22% (1,169) of the source IPs corresponded to Tor exit nodes, which are gateways where encrypted Tor traffic hits the internet.

Knocking down the front door

Alec Miloslavsky, chief executive of EIS Group, likened DDoS attacks to “trying to knock down the front door in full view” because they are quite straightforward to detect.

He continued: “Having said that, Google was able to detect this because of its resources and investment to the cloud offering. But it does show the level of resourcing one must have to withstand something like this.

“The majority of insurance carriers are not utilising public clouds.”

Insurance companies could therefore be vulnerable to DDoS attacks, unless they make investments to protect themselves to the same level that public cloud vendors have made.

Applied Systems’ Digital Broker Survey confirmed this, highlighting that few brokers in the UK saw the cloud as being of importance or significance.

The survey, which polled 1,819 independent brokers in the UK, Ireland, US and Canada in Q1 2021, found that brokers with revenue between £20m and £25m were the biggest cloud adopters. 

Miloslavsky stressed that the key to using public clouds and capitalising on protection was a cloud native course or platform.

Cloud native refers to the concept of building and running applications that take advantage of distributed computing that is delivered by the cloud.

Miloslavsky alluded to the increasing dangers posed to insurance carriers by malicious actors and state-sponsored attacks – he believes that the DDoS attack detected by Google was one such state-sponsored attack.

On 16 August 2022, Lloyd’s of London said that it was considering imposing exclusions in cyber coverage for state-sponsored attacks.

Tom Bennett, team leader for cyber threat analysis at CFC, said that DDoS attacks were mostly either politically motivated or used by hacktivists to target organisations they didn’t agree with. 

He explained: “Right now, the war in Ukraine has inspired DDoS attacks on Russian sites and the Ukrainian government itself is encouraging hacktivists to use this [type of] attack on specific targets.”

On a similar note to Miloslavsky, Bennett said that DDoS attacks were “pretty common”.

Bennett explained that DDoS attacks rarely lead to cyber claims as they are reasonably easy to deal with.

This, Bennett added, is because “shared infrastructure of cloud-based providers allow these attacks to be more easily absorbed and their anti-DDoS protection tools can block traffic through advanced pattern matching”.

He continued: “It’s more common for businesses and individuals to unwittingly be part of a DDoS attack than suffer from one. Failure to patch routers, CCTV cameras or other [internet of things] devices can result in their equipment being infected – allowing a hacker to remotely take over their device and use it as part of an attack.

“Micro SMEs may be susceptible if they’re not using a major cloud-based provider to host their networks but it’s pretty simple to access free anti-DDoS tools to protect themselves.

“It’s certainly worth brokers checking that their clients have these tools in place during any conversation about cyber insurance.”

Defence in depth 

Meanwhile, Bennett added: “Cybercriminals don’t tend to use DDoS attacks as they’re not profitable for them – they might turn to this attack method to try and harass a target who is refusing to pay an extortion demand, but again this is pretty rare.”

He gave the example of one case CFC’s forensic team investigated years ago. The attack was conducted by a company trying to take down a rival and put it out of business – the attackers were not successful and the head of the business was arrested.

However, Google recommended: “Attack sizes will continue to grow and tactics will continue to evolve.

“To be prepared, Google recommends using a defence-in-depth strategy by deploying defences and controls at multiple layers of your environment and your infrastructure providers’ network to protect your web applications and services from targeted web attacks.

“This strategy includes performing threat modelling to understand your applications’ attack surfaces, developing proactive and reactive strategies to protect them and architecting your applications with sufficient capacity to manage unanticipated increases in traffic volume.”