Wednesday, June 19, 2024

Massive DDoS Attack Leveraged Zero-Day in HTTP/2 Rapid Reset

Multiple Google services and Cloud users were allegedly the target of a unique HTTP/2-based DDoS attack. 

The attack used a cutting-edge method known as HTTP/2 Rapid Reset, a zero-day vulnerability in the HTTP/2 protocol tagged as CVE-2023-44487 that may be used to launch DDoS attacks.

The stated attack magnitudes are: Amazon mitigated attacks at a rate of 155 million requests per second, Cloudflare at 201 million rps, while Google withstood attacks at a record-breaking 398 million rps.

“These attacks were significantly larger than any previously reported Layer 7 attacks, with the largest attack surpassing 398 million requests per second”, Google said.


Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Details of the Largest DDoS Attack

In this case, the HTTP/2 protocol allows clients to instruct the server that a previous stream should be canceled by sending an RST_STREAM frame. The protocol does not call for any kind of coordination between the client and server; the client is free to cancel on their own. 

The Rapid Reset attack uses this technique to send and reject requests quickly, evading the server’s concurrent stream limit and overwhelming it without exceeding the specified threshold.

Attacks using numerous HTTP/2 connections that quickly switch between requests and resets are known as HTTP/2 rapid reset attacks.

HTTP/1.1 and HTTP/2 request and response pattern
HTTP/1.1 and HTTP/2 request and response pattern

Each connection can have infinite requests in flight due to the ability to reset streams instantly. This allows a threat actor to send a flood of HTTP/2 requests that can overwhelm a targeted website’s capacity to respond to new incoming requests, effectively shutting it down.

Hence, threat actors can overwhelm websites and take them offline by starting hundreds of thousands of HTTP/2 streams and quickly canceling them at scale over an established connection.

According to Cloudflare, this attack was made possible by exploiting various HTTP/2 protocol features and server implementation specifics.

Any vendor implementing HTTP/2 will likely be vulnerable to the attack since it takes advantage of a flaw in the HTTP/2 protocol. All modern web servers were included in this.

“CVE-2023-44487 is a different manifestation of HTTP/2 vulnerability. However, to mitigate it we were able to extend the existing protections to monitor client-sent RST_STREAM frames and close connections when they are being used for abuse. The legitimate client uses for RST_STREAM are unaffected”, Cloudflare reports.

The attack technique has been shared with web server suppliers by Cloudflare, Google, and AWS; all hope that these companies will roll out updates.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.


Latest articles

Amtrak Data Breach: Hackers Accessed User’s Email Address

Amtrak notified its customers regarding a significant security breach involving its Amtrak Guest Rewards...

Chrome Security Update – Patch for 6 Vulnerabilities

Google has announced a new update for the Chrome browser, rolling out version 126.0.6478.114/115...

Hackers Weaponize Windows Installer (MSI) Files to Deliver Malware

Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by a threat actor group,...

Hackers Using VPNs To Exploit Restrictions & Steal Mobile Data

Hackers are offering "free" mobile data access on Telegram channels by exploiting loopholes in...

New PhaaS Platform Lets Attackers Bypass Two-Factor Authentication

Several phishing campaign kits have been used widely by threat actors in the past....

Stuxnet, The Malware That Propagates To Air-Gapped Networks

Stuxnet, a complex worm discovered in 2010, targeted Supervisory Control and Data Acquisition (SCADA)...

Threat Actors Claiming Breach of AMD Source Code on Hacking Forums

A threat actor named " IntelBroker " claims to have breached AMD in June...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles