Massive DDoS Attack Leveraged Zero-Day in HTTP/2 Rapid Reset

Multiple Google services and Cloud users were allegedly the target of a unique HTTP/2-based DDoS attack. 

The attack used a cutting-edge method known as HTTP/2 Rapid Reset, a zero-day vulnerability in the HTTP/2 protocol tagged as CVE-2023-44487 that may be used to launch DDoS attacks.

The stated attack magnitudes are: Amazon mitigated attacks at a rate of 155 million requests per second, Cloudflare at 201 million rps, while Google withstood attacks at a record-breaking 398 million rps.

“These attacks were significantly larger than any previously reported Layer 7 attacks, with the largest attack surpassing 398 million requests per second”, Google said.

FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Free Demo

Details of the Largest DDoS Attack

In this case, the HTTP/2 protocol allows clients to instruct the server that a previous stream should be canceled by sending an RST_STREAM frame. The protocol does not call for any kind of coordination between the client and server; the client is free to cancel on their own. 

The Rapid Reset attack uses this technique to send and reject requests quickly, evading the server’s concurrent stream limit and overwhelming it without exceeding the specified threshold.

Attacks using numerous HTTP/2 connections that quickly switch between requests and resets are known as HTTP/2 rapid reset attacks.

Each connection can have infinite requests in flight due to the ability to reset streams instantly. This allows a threat actor to send a flood of HTTP/2 requests that can overwhelm a targeted website’s capacity to respond to new incoming requests, effectively shutting it down.

Hence, threat actors can overwhelm websites and take them offline by starting hundreds of thousands of HTTP/2 streams and quickly canceling them at scale over an established connection.

According to Cloudflare, this attack was made possible by exploiting various HTTP/2 protocol features and server implementation specifics.

Any vendor implementing HTTP/2 will likely be vulnerable to the attack since it takes advantage of a flaw in the HTTP/2 protocol. All modern web servers were included in this.

“CVE-2023-44487 is a different manifestation of HTTP/2 vulnerability. However, to mitigate it we were able to extend the existing protections to monitor client-sent RST_STREAM frames and close connections when they are being used for abuse. The legitimate client uses for RST_STREAM are unaffected”, Cloudflare reports.

The attack technique has been shared with web server suppliers by Cloudflare, Google, and AWS; all hope that these companies will roll out updates.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.