In the latest cyber onslaught, a zero-day vulnerability in the HTTP/2 protocol was exploited to orchestrate the largest distributed denial-of-service (DDoS) attack on record, as reported by Cloudflare. This unprecedented attack, exceeding 398 million requests per second, has shattered the previous record of 71 million requests per second. Google, Cloudflare, and AWS collaborated on a coordinated vulnerability disclosure, identifying the flaw as CVE-2023-44487 or Rapid Reset.
The trio had been monitoring unusually large application-layer (layer 7) attacks for months, with the peak of activity observed in August. The objective behind these attacks was to inundate targets with packets, causing legitimate users' systems to go offline.
Cloudflare's analysis uncovered that cybercriminals exploited the HTTP/2 weakness using a relatively small botnet of around 20,000 machines. Noteworthy is that Cloudflare often detects botnets much larger than this, comprising hundreds of thousands or even millions of machines. The fact that a modestly sized botnet could generate such a massive volume of requests underscores the severity of this vulnerability for unprotected networks.
The attack, labeled Rapid Reset, capitalizes on stream multiplexing—a feature of the HTTP/2 protocol that enables multiple HTTP requests on a single TCP connection. Attackers cancel requests in quick succession, overwhelming servers with an unprecedented number of garbage requests. This method allows attackers to flood servers with requests beyond the usual limits, leading to large-scale DDoS attacks that are challenging to mitigate.
Google observed variations of the attack method, indicating potential experimentation by the attackers. Mitigations have been implemented by Cloudflare, AWS, and Google to counter Rapid Reset attacks. Cloudflare has updated its DDoS mitigation service, while AWS Shield and CloudFront have incorporated measures to withstand Rapid Reset assaults.
Google advises against relying solely on GOAWAY frames, as recommended in HTTP/2's specification, for closing connections, suggesting that these frames are not designed to handle the specific activities seen in Rapid Reset attacks. Mitigations may involve tracking connection statistics and utilizing signals and business logic to assess the usefulness of each connection. Recommendations include closing connections that surpass the concurrent stream limit to counter the non-canceling variant of the attack.
As the cybersecurity landscape evolves, the collaboration among major service providers becomes crucial in identifying and mitigating emerging threats to ensure the resilience of online platforms.