Google recently faced a large-scale DDoS attack that targeted its services and customers. These attacks, which utilized the HTTP/2 protocol, were larger than any previously-reported Layer 7 attacks, with the largest peak reaching 398 million requests per second. Thankfully, Google’s global load balancing infrastructure was able to stop most of the attacks at the network edge, preventing any outages. However, Google’s DDoS Response Team has reviewed the attacks and implemented additional protections to mitigate similar attacks in the future. The attacks utilized a technique called the HTTP/2 Rapid Reset attack, which allows the client to cancel requests immediately after sending them, putting the server under significant strain. Google recommends that all providers with HTTP/2 services assess their exposure to this attack and apply relevant software patches and updates.
https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack