Threat actors have been exploiting a zero-day vulnerability in the HTTP/2 protocol since August to launch the largest DDoS attacks ever seen, according to several tech infrastructure giants.
Google, Cloudflare and Amazon Web Services (AWS) released advisories yesterday revealing the cause of the “Rapid Reset” attacks as CVE-2023-44487.
Google said its exploitation enabled malicious actors to launch a series of DDoS attacks that reached a peak of 398 million requests per second (rps). The previous largest was 46 million rps, it added.
Cloudflare revealed that it had mitigated more than a thousand such attacks exceeding 10 million rps, including 184 that were larger than its previous record of 71 million rps.
It noted that, although some of these attacks were launched from relatively small botnets of around 20,000 machines, the damage could be far greater if threat actors turned the technique on larger botnets of hundreds of thousands or even millions of compromised machines.
“Given that the entire web typically sees only between 1-3 billion requests per second, it’s not inconceivable that using this method could focus an entire web’s worth of requests on a small number of targets,” it warned.
The HTTP/2 protocol allows many request streams to be multiplexed over a single TCP connection, so a page's resources can be fetched in parallel without opening a separate connection for each request as HTTP/1.1 does, which lets web pages render more efficiently, explained OpenSSF.
“In a Rapid Reset attack, the attacker opens multiple new streams and quickly sends RST_FRAMEs to close them. This creates a heavy load on the server as it requires a lot of processing to create and rapidly destroy streams,” it continued.
“The compute capacity required by the server is much higher than that needed by the attacker. This could allow the attacker to cause the server to become overloaded and unresponsive with little effort.”
OpenSSF warned that several variants of this attack had also emerged since its discovery, “all of which take slightly different approaches to opening streams and sending RST_FRAMEs.”
However, all ultimately have the same outcome.
“Until patches are available, an appropriate mitigation strategy would be to close TCP connections with high create/RST_FRAME ratios. The ‘right’ ratio will depend highly on the application and its clients,” it added.
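The mitigation OpenSSF describes above, tracking how many streams each client opens versus how many it immediately resets and closing connections whose ratio is abnormal, is straightforward to express in code. The following is an added example written for this article and is not OpenSSF's, Google's or Cloudflare's code. It parses raw HTTP/2 frames (RFC 9113 framing: 9-byte header, HEADERS frames open client streams, RST_STREAM frames cancel them), keeps per-connection counters, and applies a ratio check. The thresholds `MIN_STREAMS` and `MAX_RESET_RATIO`, the helper names, and the two sample traffic blobs are all constructed for illustration, not taken from any real capture.

```python
import struct
from dataclasses import dataclass

# HTTP/2 frame type codes and flags from RFC 9113 (section 6)
HEADERS = 0x1
RST_STREAM = 0x3
SETTINGS = 0x4
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
ERR_CANCEL = 0x8  # error code a client uses to abandon a request

CLIENT_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

# Assumed thresholds for this example only; the right values depend on the application
MIN_STREAMS = 50       # don't judge a connection on too few streams
MAX_RESET_RATIO = 0.5  # resets / streams opened above this looks like Rapid Reset


def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    if data.startswith(CLIENT_PREFACE):
        data = data[len(CLIENT_PREFACE):]
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame; wait for more bytes
        yield ftype, flags, stream_id, payload
        off += 9 + length


@dataclass
class ConnStats:
    streams_opened: int = 0
    resets: int = 0
    highest_stream_id: int = 0

    def observe(self, ftype, stream_id):
        # Client stream ids are odd and strictly increasing (RFC 9113 section 5.1.1),
        # so a HEADERS frame on a higher id than any seen so far opens a new stream.
        if ftype == HEADERS and stream_id > self.highest_stream_id:
            self.streams_opened += 1
            self.highest_stream_id = stream_id
        elif ftype == RST_STREAM and stream_id != 0:
            self.resets += 1

    def reset_ratio(self):
        return self.resets / self.streams_opened if self.streams_opened else 0.0

    def should_close(self, min_streams=MIN_STREAMS, max_ratio=MAX_RESET_RATIO):
        """Close the TCP connection once enough streams have been seen and most were reset."""
        return self.streams_opened >= min_streams and self.reset_ratio() > max_ratio


def analyze_connection(data):
    """Parse one client's raw HTTP/2 bytes and return its per-connection counters."""
    stats = ConnStats()
    for ftype, _flags, stream_id, _payload in iter_frames(data):
        stats.observe(ftype, stream_id)
    return stats


# --- constructed sample traffic (not captured data) ---
# Minimal HPACK block using static-table indices: :method GET, :scheme http, :path /
HEADER_BLOCK = b"\x82\x86\x84"

def rapid_reset_client(n):
    """Attacker pattern: open n streams and cancel each one immediately."""
    out = bytearray(CLIENT_PREFACE + build_frame(SETTINGS, 0, 0))
    for i in range(n):
        sid = 2 * i + 1
        out += build_frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, HEADER_BLOCK)
        out += build_frame(RST_STREAM, 0, sid, struct.pack("!I", ERR_CANCEL))
    return bytes(out)

def busy_legit_client(n, cancelled):
    """Benign pattern: many requests, only a handful cancelled (user navigated away)."""
    out = bytearray(CLIENT_PREFACE + build_frame(SETTINGS, 0, 0))
    for i in range(n):
        sid = 2 * i + 1
        out += build_frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, HEADER_BLOCK)
        if i < cancelled:
            out += build_frame(RST_STREAM, 0, sid, struct.pack("!I", ERR_CANCEL))
    return bytes(out)

if __name__ == "__main__":
    for name, blob in [("attacker", rapid_reset_client(200)), ("legit", busy_legit_client(200, 10))]:
        s = analyze_connection(blob)
        print(f"{name}: opened={s.streams_opened} resets={s.resets} "
              f"ratio={s.reset_ratio():.2f} close={s.should_close()}")
```

Two design points matter in practice. First, the ratio alone is not enough: a browser that opens two requests and cancels one has a 50% reset ratio, so the check only fires after a minimum number of streams, which is why `MIN_STREAMS` exists. Second, legitimate clients do reset streams (cancelled prefetches, gRPC deadlines, users navigating away), so the busy benign client above is deliberately not flagged even though it sends ten RST_STREAM frames. In a real deployment this accounting belongs inside the HTTP/2 implementation that already tracks stream state, rather than in a separate parser over raw bytes.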
Details of the vulnerability were withheld until now under coordinated disclosure, to give technology and cybersecurity companies time to ship fixes before the technique became public.
“The good news is that many large technology companies such as Google and Amazon have already implemented mitigations for their customers,” concluded OpenSSF. “However, organizations that manage their own internet presence may have further work to do to secure their infrastructure against Rapid Reset.”