An attacker tried to flood one of their customers with requests. At least 76% larger than the previously reported record, it was described as the largest attack of its kind reported to date. It's like getting all the daily requests to Wikipedia in just 10 seconds.
The attack started around 9:45 a.m., when more than 10,000 requests per second began targeting the customer's load balancer. The attack then increased to 100,000 requests per second. Cloud Armor Adaptive Protection detected the attack and generated an alert containing the attack signature, along with a recommended rule to block that signature. The Cloud Armor-recommended rule was put into the customer's security policy and immediately blocked the attack traffic. The attack grew from 100,000 rps to 46 million rps in 2 minutes. Because Cloud Armor was blocking the attack traffic, the target workload continued to operate normally. The attack began to diminish in size over the next few minutes. The attacker probably decided they weren't having the desired impact while spending a lot of money on it.
It would have taken added computing resources to carry out the attack. The use of HTTP Pipelining was necessary to inspect the traffic and mitigate the attack, but it required only a few handshakes. The attack was stopped by blocking the malicious requests from the customer's application.
While 22% of the source IPs corresponded to Tor exit nodes, the actual traffic coming from Tor nodes represented just 3% of attack traffic, the blog post points out. Ultimately, despite the attack, "the customer's service stayed online and continued serving their end-users."