SecureWorld News

HTTP/2 Rapid Reset Zero-Day Largest DDoS Attack in Internet History

Written by Drew Todd | Thu | Oct 12, 2023 | 11:42 AM Z

In recent months, the cybersecurity world has been shaken by the revelation of a sophisticated and unprecedented cyber threat: the HTTP/2 Rapid Reset Zero-Day vulnerability.

This exploit, tracked as CVE-2023-44487, enabled cybercriminals to orchestrate what has been dubbed the largest Distributed Denial of Service (DDoS) attack ever recorded, targeting multiple internet infrastructure companies. 

HTTP/2, the successor to the widely-used HTTP/1.1 protocol, brought notable advancements in efficiency by allowing multiple concurrent streams within a single connection. This concurrent processing, designed to enhance user experience and optimize data transfers, inadvertently introduced a vulnerability that threat actors ingeniously exploited.

The attackers harnessed the HTTP/2 protocol's concurrent stream processing to overwhelm servers with an unprecedented volume of requests. Dubbed the "Rapid Reset" attack, cybercriminals opened a multitude of streams and swiftly canceled each request, allowing an indefinite number of simultaneous requests. This method efficiently bypassed traditional security measures, flooding servers and disrupting services.

The scale of the Rapid Reset attack was staggering. Google reported peak request rates exceeding 398 million requests per second, while Cloudflare observed a peak of more than 201 million requests per second. These numbers were nearly three times larger than any previous DDoS attack recorded, showcasing the potency of this new attack vector. Google also added this reference point:

"For a sense of scale, this two minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September 2023."

Upon the discovery of this vulnerability, tech giants Google, Amazon Web Services (AWS), and Cloudflare swiftly coordinated their efforts to mitigate the attack. Google's sophisticated load-balancing infrastructure managed to halt the attack at the edge of its network, preventing widespread outages.

AWS detected the attack within minutes and automatically initiated mitigative measures through its CloudFront content delivery network. Cloudflare, too, responded promptly, implementing rapid changes to its stack and deploying mitigations to safeguard its clients.

Mitigating the Rapid Reset attack proved to be a formidable challenge. Simply blocking individual requests was insufficient, necessitating the closure of entire TCP connections upon detecting abuse. Broad mitigations involved tracking connection statistics, prioritizing connections for built-in HTTP/2 mitigation, and implementing internal detection and mitigation tools.

Despite the patches issued by various software vendors, managing the intricacies of this Zero-Day highlighted the complexity of modern cybersecurity threats.

Stephen Gates, Principal Security SME at Horizon3.ai, offered his perspective on the monumental DDoS incident:

 "Those in the industry who have worked for decades to defeat DDoS attacks fully realize the challenges of dealing with attacks that take advantage of the way a protocol works, since these are often the most difficult to contend with. DDoS SMEs all agree there are likely dozens of novel protocol- and/or application-layer vulnerabilities sitting out there, ready to be discovered, and used to attack the most vulnerable aspect of the internet—its availability.

This attack took advantage of a vulnerability in the way the HTTP/2 protocol works, and in doing so, broke every record on the books for generating the most requests per second ever observed. This type of attack would most likely be classified as a reflective style of attack due to reports that said a small number of botnet infected devices (~20k) were able to generate a massive amount of requests due to the way the protocol was built.

At one point in time, most people thought DDoS attacks were going to go extinct like the dodo bird. This event serves to remind the industry that DDoS attacks are alive and well and won't go away anytime soon. It's only a matter of time before more protocol- and/or application-layer vulnerabilities are discovered and exploited with similar outcomes."

This incident serves as a call to action for the global cybersecurity community, emphasizing the importance of resilience, adaptability, and cooperation in the face of evolving cyber threats.

Follow SecureWorld News for more stories related to cybersecurity.