Nah it's even better because they're considered capable defenders so it's harder.
What I'm not sure of is why Google published this. I can't figure out what their strategy is here. We never published about the attacks we absorbed because we didn't want them to know our capabilities.
Sounds like a symbiotic relationship to me. The attackers get to advertise their capability for pulling off attacks, and Google gets to advertise their ability to stop them.
Almost all (but not all) of these attacks are based on some kind of problem that leads to amplification. Advertising that people should fix these points of exploit helps everyone on the internet.
What capabilities did this post reveal the existence of? Not many, beyond it having been mitigated somehow and that it didn't cause an outage. The attackers knew that already, because they'd obviously be able to observe the system during the attack.
As for why to write about it, it's a new type of attack that resulted in almost an order of magnitude increase in attack size. That's interesting and newsworthy by itself, and publishing a concrete number gives people an idea of the size of the problem and the trendlines.
This is also something that needed a CVE, so it was going to be very public anyway. If nothing is written about it, at a minimum Cloud customers will be flooding their support reps with questions about whether the vulnerability applies to them.
Nowhere that I've ever worked published about attacks. We didn't want to validate the attackers.
At eBay/PayPal we filed patents on our DDOS shield, since it was as far as we knew the first one to exist, but that was about the only public information on it.
At reddit and Netflix we didn't actually have to deal with it because AWS just absorbed (or mitigated) it before it ever hit us. We only had to deal with L7 attacks, which we had shields in place for.
What I'm not sure of is why Google published this. I can't figure out what their strategy is here. We never published about the attacks we absorbed because we didn't want them to know our capabilities.
Unless this is marketing for Google Cloud?