October 10, 2023 at 04:46PM
Cloudflare reported that the largest distributed denial-of-service (DDoS) attack ever recorded was launched using a zero-day vulnerability in the HTTP/2 protocol. The attack peaked above 398 million requests per second (the peak observed by Google; Cloudflare's own peak was 201 million), more than five times the previous record. Google, Cloudflare, and AWS have jointly disclosed the vulnerability and deployed mitigations against future Rapid Reset attacks. The attack exploited a weakness in HTTP/2 stream handling: a comparatively small botnet generated a flood of requests that overwhelmed servers and took them offline. Rapid Reset attacks work by sending requests and cancelling them immediately, so the server is flooded with work it has already started on but will never deliver.
Summary of Meeting Notes:
During the meeting, it was discussed that Cloudflare had reported the exploitation of a zero-day vulnerability in the HTTP/2 protocol, resulting in the largest distributed denial-of-service (DDoS) attack ever recorded. The attack peaked above 398 million requests per second as observed by Google, more than five times the previous record. Google, Cloudflare, and AWS coordinated the vulnerability disclosure; the flaw is tracked as CVE-2023-44487 and dubbed Rapid Reset.
The three service providers had been monitoring unusually large application-layer (layer 7) attacks for several months, with activity peaking in August. The aim of the attacks was to overwhelm targets with HTTP requests, exhausting server resources so that systems went offline for legitimate users.
Cloudflare's analysis revealed that the attackers were using a smaller than usual botnet of approximately 20,000 machines to exploit the vulnerability in HTTP/2. Because each bot can issue requests far faster than it could with ordinary HTTP/2 traffic, a botnet of this size was enough to generate a record request rate, posing a major threat to unprotected origin servers.
To prevent future Rapid Reset attacks, all three service providers have published mitigations and implemented new technology.
The meeting also discussed the working mechanism of Rapid Reset attacks. The attacks leverage the stream multiplexing feature of the HTTP/2 protocol, which allows many HTTP requests to be in flight on a single TCP connection, each on its own stream, with the server advertising a cap on concurrent streams (SETTINGS_MAX_CONCURRENT_STREAMS, commonly 100). The attacker opens a stream with a HEADERS frame and immediately cancels it with an RST_STREAM frame. From the client's point of view the stream closes the instant the reset is sent, so it no longer counts against the concurrency cap and the client can open the next one straight away, never exceeding the maximum streams allowed. The server, however, has already started processing each request (parsing, routing, possibly a backend call) by the time the reset arrives, so it is flooded with work at a rate bounded only by the attacker's bandwidth.
Google identified several variants of Rapid Reset attacks (for example, delaying the reset or sending several requests before resetting them in a batch); some bypass particular mitigations, but they are less effective than the original method.
Mitigations for Rapid Reset attacks involve tracking per-connection statistics and using signals such as the rate of RST_STREAM frames and the ratio of cancelled to completed requests, together with business logic, to judge whether a connection is doing useful work. Enforcing the concurrent stream limit on its own is not enough, because the attack never exceeds that limit. Servers should therefore limit the rate of stream creation, budget the number of resets a connection may issue, and close connections that exceed either the concurrent stream limit or the reset budget, sending a GOAWAY (typically with ENHANCE_YOUR_CALM) so that a misbehaving client cannot keep the connection alive.
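The following is an added example illustrating both the attack pattern described above and the reset-counting mitigation; it is not code from Cloudflare, Google, or AWS. It encodes raw HTTP/2 frames (RFC 9113 framing, with a three-byte HPACK header block for "GET /" built from static-table indices) and feeds them to a simulated server-side connection tracker, entirely offline. The concurrency cap of 100 and the reset budget of 50 are hypothetical policy values chosen for the demonstration, as is the assumption that the server commits work as soon as a complete request header arrives.

```python
"""HTTP/2 Rapid Reset, simulated offline: a client that sends HEADERS followed
immediately by RST_STREAM, and a server-side connection tracker that applies the
"budget resets, not just open streams" mitigation.  Frame encoding follows
RFC 9113 section 4.1; the policy thresholds below are hypothetical constants."""
import struct
from dataclasses import dataclass, field
from typing import Optional

# Frame types, flags and error codes from RFC 9113
HEADERS, RST_STREAM = 0x1, 0x3
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4
ERR_PROTOCOL, ERR_CANCEL, ERR_ENHANCE_YOUR_CALM = 0x1, 0x8, 0xB

# Minimal HPACK header block for "GET /" using indexed static-table entries
# (:method GET = 2, :path / = 4, :scheme http = 6; 0x80 | index = indexed field).
GET_ROOT = bytes([0x82, 0x84, 0x86])


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """9-byte frame header: 24-bit length, type, flags, reserved bit + 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack("!I", stream_id & 0x7FFFFFFF)
    return header + payload


def decode_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated frame; a real peer would wait for more bytes
        yield ftype, flags, stream_id, payload
        off += 9 + length


def client_frames(n_requests: int, cancel_every: int) -> bytes:
    """Constructed client byte stream of n GET requests on odd (client-initiated) stream ids.
    cancel_every=1 is the Rapid Reset pattern (every request is reset at once);
    a larger value models an ordinary client that occasionally cancels a request."""
    out = bytearray()
    for i in range(n_requests):
        stream_id = 2 * i + 1
        out += encode_frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, stream_id, GET_ROOT)
        if (i + 1) % cancel_every == 0:
            out += encode_frame(RST_STREAM, 0, stream_id, struct.pack("!I", ERR_CANCEL))
    return bytes(out)


@dataclass
class ServerConnection:
    max_concurrent_streams: int = 100   # SETTINGS_MAX_CONCURRENT_STREAMS the server advertised
    reset_budget: int = 50              # hypothetical: resets tolerated before GOAWAY
    open_streams: set = field(default_factory=set)
    peak_open: int = 0
    requests_started: int = 0           # work the server committed to (routing, backend call)
    resets_seen: int = 0
    goaway_code: Optional[int] = None   # set once the server decides to drop the connection

    def handle(self, ftype: int, flags: int, stream_id: int, payload: bytes) -> None:
        if self.goaway_code is not None:
            return  # connection already closed; remaining frames are ignored
        if ftype == HEADERS:
            # The stream-count check alone never trips on Rapid Reset: each stream is
            # already closed by RST_STREAM before the next one opens.
            if len(self.open_streams) >= self.max_concurrent_streams:
                self.goaway_code = ERR_PROTOCOL
                return
            self.open_streams.add(stream_id)
            self.peak_open = max(self.peak_open, len(self.open_streams))
            self.requests_started += 1  # server work begins here, reset or not
        elif ftype == RST_STREAM:
            self.open_streams.discard(stream_id)
            self.resets_seen += 1
            # Mitigation: resets are free for the client but not for the server, so
            # budget them per connection and close with ENHANCE_YOUR_CALM when exceeded.
            if self.resets_seen > self.reset_budget:
                self.goaway_code = ERR_ENHANCE_YOUR_CALM


def serve(data: bytes, reset_budget: int = 50) -> ServerConnection:
    """Run one client byte stream through a fresh server connection and return its state."""
    conn = ServerConnection(reset_budget=reset_budget)
    for frame in decode_frames(data):
        conn.handle(*frame)
    return conn


if __name__ == "__main__":
    attack = serve(client_frames(1000, cancel_every=1), reset_budget=10**9)  # concurrency cap only
    print(f"cap only: peak open streams={attack.peak_open}, requests processed={attack.requests_started}")
    attack = serve(client_frames(1000, cancel_every=1))
    print(f"reset budget: closed after {attack.requests_started} requests, GOAWAY code={attack.goaway_code:#x}")
    normal = serve(client_frames(40, cancel_every=10))
    print(f"ordinary client: resets={normal.resets_seen}, connection kept open={normal.goaway_code is None}")
```

With only the concurrency cap enforced, the attacker never has more than one stream open yet forces the server to start processing all 1000 requests; with the reset budget, the connection is cut after 51 requests. The ordinary client, which cancels one request in ten, stays well under the budget and is unaffected, which is the property a production threshold needs to preserve.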
Cloudflare, AWS, and Google have taken measures to counter Rapid Reset attacks and protect their platforms and customers.