
Zero-Day Vulnerability Exploited to Launch Record-Breaking DDoS Attacks

A zero-day vulnerability in the HTTP/2 protocol has been exploited to conduct distributed denial of service (DDoS) attacks at an unprecedented scale. Google mitigated one attack that peaked at 398 million requests per second (rps). The previous record saw 46 million rps at its peak. Record-breaking attacks have also been reported by other cloud giants, such as Amazon Web Services (AWS) and Cloudflare.

HTTP/2 is used by all modern web servers and is critical to how the Internet works. HTTP/2 is used by around 60% of web applications and governs how users interact with websites. The protocol allows a client to issue many requests for different elements of a page quickly over a single connection, as separate streams, which is far more efficient than the HTTP/1.x approach of opening multiple parallel TCP connections to retrieve content from a server.

The vulnerability, CVE-2023-44487, has been dubbed HTTP/2 Rapid Reset and abuses a protocol feature called stream cancellation to launch massive, high-volume DDoS attacks. In a standard HTTP/2 DDoS attack, an attacker opens as many streams as the server allows, sends another batch of requests once those complete, and repeats the process, overwhelming the server and denying service to legitimate traffic. Because a server caps the number of concurrent streams per connection, the attacker has to wait for responses to those requests before sending another batch.

HTTP/2 Rapid Reset takes advantage of the ability to send a request and then immediately cancel it by resetting the stream. Because a canceled stream no longer counts against the limit while the connection stays open, this approach gets around the cap on concurrent requests per connection: an attacker can send a very large number of requests, resetting each one, and never exceed the maximum number of streams the server permits. Each canceled request still requires considerable processing on the server, which spends time and money on work whose result it never sends back. For the attacker the cost is close to zero, so a massive DDoS attack can be conducted with a relatively small botnet. HTTP/2 Rapid Reset attacks are capable of overwhelming any website or application that uses HTTP/2.
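The two paragraphs above describe the behaviour at the protocol level: streams are opened with HEADERS frames and canceled with RST_STREAM frames, and the tell-tale sign of Rapid Reset is a single connection that opens a great many streams and cancels nearly all of them. The following added example (written for this article, not code from Google, AWS, Cloudflare or any vendor) parses the raw HTTP/2 frame layout from RFC 9113 and computes a per-connection cancel ratio, which is the kind of signal an HTTP-flood protection layer can use to distinguish this traffic from ordinary browsing. The sample frame sequences, the threshold of 50 streams, and the 90% cancel ratio are constructed assumptions for illustration, not values from the article or from any product.

```python
"""Per-connection detector for HTTP/2 Rapid Reset-style behaviour.

Added example: parses raw HTTP/2 frames (RFC 9113 section 4.1 layout) sent by
one client on one connection, counts streams opened with HEADERS and streams
the client cancelled with RST_STREAM(CANCEL), and flags the connection when it
opens many streams and cancels almost all of them. Thresholds are assumptions.
"""
import struct

# Frame type codes from RFC 9113 section 6.
HEADERS = 0x1
RST_STREAM = 0x3
# Error code a client sends in RST_STREAM to abandon a stream it no longer wants.
CANCEL = 0x8

FRAME_HEADER_LEN = 9  # 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id


def encode_frame(frame_type, flags, stream_id, payload):
    """Serialise one HTTP/2 frame; used here only to build constructed samples."""
    length_bytes = struct.pack(">I", len(payload))[1:]  # low 3 bytes of length
    return (length_bytes + bytes([frame_type, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    offset = 0
    while offset + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        frame_type = data[offset + 3]
        flags = data[offset + 4]
        stream_id = struct.unpack(">I", data[offset + 5:offset + 9])[0] & 0x7FFFFFFF
        start = offset + FRAME_HEADER_LEN
        end = start + length
        if end > len(data):
            break  # truncated trailing frame: stop rather than misparse it
        yield frame_type, flags, stream_id, data[start:end]
        offset = end


def rapid_reset_score(data):
    """Return (streams_opened, streams_cancelled, cancel_ratio) for one connection."""
    opened = set()
    cancelled = set()
    for frame_type, _flags, stream_id, payload in parse_frames(data):
        # Client-initiated streams always carry odd stream identifiers.
        if frame_type == HEADERS and stream_id % 2 == 1:
            opened.add(stream_id)
        elif frame_type == RST_STREAM and len(payload) == 4:
            (error_code,) = struct.unpack(">I", payload)
            if error_code == CANCEL and stream_id in opened:
                cancelled.add(stream_id)
    ratio = len(cancelled) / len(opened) if opened else 0.0
    return len(opened), len(cancelled), ratio


def is_rapid_reset(data, min_streams=50, cancel_ratio=0.9):
    """Flag a connection that opens at least min_streams and cancels >= cancel_ratio of them.

    Both thresholds are illustrative assumptions; real protection layers also
    weigh the rate over time, not just the ratio.
    """
    opened, _cancelled, ratio = rapid_reset_score(data)
    return opened >= min_streams and ratio >= cancel_ratio


def sample_normal_connection():
    """Constructed: a browser opening five streams and letting them complete."""
    # 0x5 = END_HEADERS | END_STREAM flags; the one-byte payload stands in for an HPACK block.
    return b"".join(encode_frame(HEADERS, 0x5, sid, b"\x82") for sid in range(1, 10, 2))


def sample_rapid_reset_connection(stream_count=100):
    """Constructed: a client that opens a stream and resets it, 100 times over."""
    frames = []
    for sid in range(1, 2 * stream_count, 2):
        frames.append(encode_frame(HEADERS, 0x4, sid, b"\x82"))
        frames.append(encode_frame(RST_STREAM, 0x0, sid, struct.pack(">I", CANCEL)))
    return b"".join(frames)


if __name__ == "__main__":
    for label, conn in (("normal", sample_normal_connection()),
                        ("rapid-reset", sample_rapid_reset_connection())):
        print(label, rapid_reset_score(conn), "flagged" if is_rapid_reset(conn) else "ok")
```

A detector like this only sees one connection; the article's point is that a botnet spreads the same pattern across thousands of connections, so the per-connection verdict is the input to a connection-closing or rate-limiting decision rather than the whole defence.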


While Cloudflare did not experience attacks as large as those reported by Google, they still broke records and were almost three times as large as the biggest attack previously reported on a Cloudflare-protected website. Cloudflare says one attack peaked at 201 million rps, whereas the previous record was 71 million rps. AWS similarly experienced record-breaking DDoS attacks, with its largest attack peaking at 155 million rps. Cloudflare said its record-breaking attack involved a botnet of around 20,000 compromised devices; however, there are botnets consisting of hundreds of thousands, and even millions, of devices. If those botnets were used for an HTTP/2 Rapid Reset DDoS attack, the attacks would dwarf even the record-breaking attacks experienced so far.

Google explained that its 398 million rps attack saw more requests made in just two minutes than there were Wikipedia article views in the entire month of September 2023. Cloudflare explained that the entire web gets between 1 billion and 3 billion rps. Attackers could leverage this vulnerability to drive similar levels of traffic against a small number of resources if a sufficiently large botnet was used.

HTTP/2 Rapid Reset attacks have been occurring since August 2023, although the threat actor behind the attacks is not known. Several variations of the attacks have been detected, but it is not known whether this is the same threat actor experimenting or more than one threat actor leveraging the vulnerability. Google, AWS, and Cloudflare coordinated the disclosure and waited a month before announcing the vulnerability to provide time for mitigations to be put in place.

Cloudflare says it has implemented mitigations into its existing DDoS protection service, and all customers are protected against these attacks. Google suggests using HTTP-flood protection tools and adopting a multifaceted approach to mitigations.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
