Wednesday, December 25, 2024
HomeCyber Security NewsMassive DDoS Attack Leveraged Zero-Day in HTTP/2 Rapid Reset

Massive DDoS Attack Leveraged Zero-Day in HTTP/2 Rapid Reset

Published on

SIEM as a Service

Multiple Google services and Cloud users were allegedly the target of a unique HTTP/2-based DDoS attack. 

The attack used a cutting-edge method known as HTTP/2 Rapid Reset, a zero-day vulnerability in the HTTP/2 protocol tagged as CVE-2023-44487 that may be used to launch DDoS attacks.

The stated attack magnitudes are: Amazon mitigated attacks at a rate of 155 million requests per second, Cloudflare at 201 million rps, while Google withstood attacks at a record-breaking 398 million rps.

- Advertisement - SIEM as a Service

“These attacks were significantly larger than any previously reported Layer 7 attacks, with the largest attack surpassing 398 million requests per second”, Google said.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Details of the Largest DDoS Attack

In this case, the HTTP/2 protocol allows clients to instruct the server that a previous stream should be canceled by sending an RST_STREAM frame. The protocol does not call for any kind of coordination between the client and server; the client is free to cancel on their own. 

The Rapid Reset attack uses this technique to send and reject requests quickly, evading the server’s concurrent stream limit and overwhelming it without exceeding the specified threshold.

Attacks using numerous HTTP/2 connections that quickly switch between requests and resets are known as HTTP/2 rapid reset attacks.

HTTP/1.1 and HTTP/2 request and response pattern
HTTP/1.1 and HTTP/2 request and response pattern

Each connection can have infinite requests in flight due to the ability to reset streams instantly. This allows a threat actor to send a flood of HTTP/2 requests that can overwhelm a targeted website’s capacity to respond to new incoming requests, effectively shutting it down.

Hence, threat actors can overwhelm websites and take them offline by starting hundreds of thousands of HTTP/2 streams and quickly canceling them at scale over an established connection.

According to Cloudflare, this attack was made possible by exploiting various HTTP/2 protocol features and server implementation specifics.

Any vendor implementing HTTP/2 will likely be vulnerable to the attack since it takes advantage of a flaw in the HTTP/2 protocol. All modern web servers were included in this.

“CVE-2023-44487 is a different manifestation of HTTP/2 vulnerability. However, to mitigate it we were able to extend the existing protections to monitor client-sent RST_STREAM frames and close connections when they are being used for abuse. The legitimate client uses for RST_STREAM are unaffected”, Cloudflare reports.

The attack technique has been shared with web server suppliers by Cloudflare, Google, and AWS; all hope that these companies will roll out updates.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating...

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability...

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber...

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating...

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability...

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber...