
Cyber Incident Victim: Google

Date:

Sep 2017

Location:

China

Summary

In September 2017 a nation-state actor launched what was, at the time, the largest publicly disclosed DDoS attack, against Google. The campaign combined several methods, including UDP reflection and amplification through roughly 180,000 exposed servers, and targeted thousands of Google IP addresses at once. It peaked at over 2.54 terabits per second, about four times the previous record, but caused no disruption to services or infrastructure. Traffic originated from devices on several Chinese internet service providers, though Google made no specific attribution. The incident shows the scale a well-resourced attacker can reach, and that automated defenses can absorb that volume when capacity has been provisioned for it.


Description

In September 2017, a nation-state actor launched a distributed denial-of-service (DDoS) attack on Google's infrastructure. The campaign lasted several months and, when Google disclosed it publicly in October 2020, was the largest DDoS attack ever reported. The attacker targeted thousands of Google IP addresses simultaneously using multiple methods, including reflection and amplification: spoofed requests were sent to approximately 180,000 exposed CLDAP, DNS, and SMTP servers, which returned much larger responses to Google's addresses. Peak traffic exceeded 2.54 terabits per second, roughly four times the 2016 Mirai botnet record. The malicious UDP packets entered from devices behind four Chinese internet service providers, identified by autonomous system numbers (ASNs) 4134, 4837, 58453, and 9394. Google's security team, led by Security Reliability Engineer Damian Menscher, detected the sustained campaign through network monitoring designed to flag anomalous traffic patterns. Spreading the attack across so many destination addresses was an attempt to slip under per-endpoint thresholds in Google's automated defenses; it did not succeed at any point during the multi-month campaign. The volume illustrates the capacity available to well-resourced threat actors. Google's disclosure also cited a 690 million packets-per-second IoT botnet attack it mitigated in 2020, a record by packet rate rather than bit rate, as further evidence of the trend.
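The detection point above (an attack distributed over thousands of destination IPs to stay under per-address thresholds) can be illustrated with flow-record aggregation. The following is an added example written for this page, not Google's detection logic or code: it classifies inbound UDP flows whose source port belongs to one of the reflector services named in the description, then aggregates them per destination /24 so that traffic which never exceeds a per-IP threshold still trips a prefix-level one. The reflector port mapping, the thresholds, and the sample flows (RFC 1918 and RFC 5737 addresses) are all constructed for the example.

```python
"""Reflection/amplification detection over flow records, aggregated by destination
prefix so an attack spread across many addresses still exceeds a threshold."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Source ports of the reflector services named in the incident description.
# Assumption for this example only: a real deployment would use its own list.
REFLECTOR_PORTS = {389: "CLDAP", 53: "DNS", 25: "SMTP"}
UDP = 17


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since start of window
    src: str       # reflector address (the spoofed request went here)
    sport: int
    dst: str       # our address (the victim the attacker spoofed)
    dport: int
    proto: int     # 17 = UDP, 6 = TCP
    nbytes: int
    pkts: int


def is_reflection(f: Flow) -> bool:
    """Inbound UDP flow whose *source* port is a reflector service: the server is
    answering a request it believes came from our address (ephemeral dst port)."""
    return f.proto == UDP and f.sport in REFLECTOR_PORTS and f.dport > 1023


def summarize(flows: Iterable[Flow], window_s: float, prefix_len: int = 24) -> Dict[str, dict]:
    """Aggregate reflection flows per destination prefix over one time window."""
    per_prefix = defaultdict(lambda: {"bytes": 0, "per_dst": defaultdict(int),
                                      "reflectors": set(), "vectors": set()})
    for f in flows:
        if not is_reflection(f):
            continue
        net = str(ipaddress.ip_network(f"{f.dst}/{prefix_len}", strict=False))
        s = per_prefix[net]
        s["bytes"] += f.nbytes
        s["per_dst"][f.dst] += f.nbytes
        s["reflectors"].add(f.src)
        s["vectors"].add(REFLECTOR_PORTS[f.sport])
    return {
        net: {
            "bps": s["bytes"] * 8 / window_s,
            "max_per_ip_bps": max(s["per_dst"].values()) * 8 / window_s,
            "dst_count": len(s["per_dst"]),
            "reflector_count": len(s["reflectors"]),
            "vectors": sorted(s["vectors"]),
        }
        for net, s in per_prefix.items()
    }


def alerts(summary: Dict[str, dict], per_ip_bps: float = 5_000_000,
           prefix_bps: float = 10_000_000, min_dsts: int = 8) -> List[Tuple[str, str]]:
    """A per-IP rule alone misses an attack spread thinly over many addresses;
    the prefix rule catches it when aggregate volume and spread are both high."""
    found = []
    for net, s in summary.items():
        if s["max_per_ip_bps"] >= per_ip_bps:
            found.append((net, "per-ip"))
        elif s["bps"] >= prefix_bps and s["dst_count"] >= min_dsts:
            found.append((net, "distributed"))
    return found


def constructed_sample() -> List[Flow]:
    """Constructed flows: 40 reflectors (20 CLDAP, 20 DNS) each answering to 16
    victim addresses in 203.0.113.0/24, plus one benign DNS reply and one TCP flow."""
    reflectors = [(f"10.0.{i // 256}.{i % 256}", 389 if i % 2 == 0 else 53) for i in range(40)]
    victims = [f"203.0.113.{10 + i}" for i in range(16)]
    flows = [Flow(0.0, src, sport, v, 40000 + i, UDP, 40_000, 28)
             for v in victims for i, (src, sport) in enumerate(reflectors)]
    flows.append(Flow(1.0, "198.51.100.5", 53, "203.0.113.200", 51234, UDP, 120, 1))   # real DNS answer
    flows.append(Flow(2.0, "198.51.100.9", 25, "203.0.113.200", 51235, 6, 5000, 10))   # TCP, ignored
    return flows


if __name__ == "__main__":
    summary = summarize(constructed_sample(), window_s=10.0)
    for net, s in summary.items():
        print(net, s)
    print(alerts(summary))
```

In the sample each victim address receives 1.28 Mbps, well under the 5 Mbps per-IP rule, while the /24 as a whole receives about 20.5 Mbps from 41 distinct reflectors, so only the prefix rule fires. Real deployments would aggregate at several prefix lengths and also track packet rate, since reflection traffic is sized to saturate links rather than hosts.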


Google confirmed the attack caused no service disruption or infrastructure damage; automated systems absorbed and filtered the malicious traffic throughout. No customer data or internal systems were compromised. Google's post-incident analysis stressed over-provisioning defensive capacity to withstand attack magnitudes beyond those previously observed, and collaborative mitigation with network providers, vendors, and customers: network partners helped trace and filter malicious packets, and vendors contributed patches and vulnerability notifications for the abused reflector services. Google contrasted the event with Amazon AWS's mitigation of a 2.3 Tbps attack in 2020, noting that its own 2017 incident involved significantly higher throughput despite occurring three years earlier. The disclosure was intended to inform defensive preparation across the industry, with the acknowledgement that internet growth expands the resources available to attackers and defenders alike. Google documented the attack's technical parameters to refine capacity planning for future large-scale DDoS scenarios.
