Google Reveals Record-Breaking HTTP/2 Rapid Reset DDoS Attack Threat
In a coordinated disclosure, Google, along with Cloudflare and Amazon Web Services (AWS), has unveiled a novel DDoS technique named the ‘HTTP/2 Rapid Reset’ attack, which has been actively exploited since August, setting new records in the magnitude of distributed denial of service attacks.
Tech giants Google, Cloudflare, and AWS have unveiled a groundbreaking discovery: a new zero-day vulnerability known as the “HTTP/2 Rapid Reset” attack. This highly effective attack leverages a weakness in the HTTP/2 protocol, leading to “hyper volumetric” Distributed Denial of Service (DDoS) attacks of unprecedented magnitude.
Record-Breaking 398 Million Requests per Second Attack Detected
The Magnitude of the Threat:
These recent attacks have shattered all previous DDoS records, with Google reporting a staggering 398 million requests per second (RPS) during the peak of this assault. To put this into perspective, the attack was approximately eight times larger than the largest HTTP-based DDoS attack Google defended against a year ago.
The Vulnerability Explained:
The HTTP/2 protocol, introduced in 2015, was designed to enable efficient opening of multiple data streams simultaneously. Unfortunately, this very feature has become a double-edged sword, as it can be exploited to amplify DDoS attacks. When a computer opens numerous streams over HTTP/2 and then cancels them, the server still processes the requests, while the computer assumes the cancellation has taken effect immediately. This asymmetry allows attackers to generate waves of traffic, overwhelming the target server.
The Attack’s Impact:
Google’s robust cloud infrastructure effectively mitigated the impact of these attacks, leading to no outages and minimal disruption. However, the attack vector, known as HTTP2 “Rapid Reset” or CVE-2023-44487, poses a significant threat to any entity hosting HTTP-based workloads.
Mitigations and Protection:
Google, Cloudflare, and AWS have developed their own mitigations to counter this threat, ensuring protection for their customers. The recommended defenses against this attack include tracking connection statistics and using various signals and business logic to assess the usefulness of each connection. Additionally, HTTP/2 servers should close connections exceeding the concurrent stream limit.
- HTTP/2 Rapid Reset Attack Unleashed: Google, Cloudflare, and AWS jointly disclosed a new zero-day vulnerability known as the ‘HTTP/2 Rapid Reset attack,’ which exploits a weakness in the HTTP2 protocol, particularly concerning hyper-volumetric DDoS attacks.
- Cloud Providers Under Siege: Large cloud providers, including Cloudflare, AWS, and Google, have been facing increasingly massive DDoS attacks in recent months, reaching up to nearly 400 million requests per second (RPS). Google Cloud alone reported a record-breaking 398 million RPS resulting from this attack, demonstrating its devastating power.
- Understanding the Attack: The HTTP/2 Rapid Reset attack leverages the protocol’s ability to cancel previous streams with a RST_STREAM frame. The attacker sends a large number of request streams and immediately cancels each one. This technique allows for an indefinite number of requests in flight, placing a significant burden on the server. Notably, the client incurs minimal costs while the server must perform significant work for canceled requests.
- Record-Breaking DDoS: Google managed to mitigate these new attacks by expanding network capacity. Cloudflare, on the other hand, witnessed an attack size three times larger than their previous record, and it’s alarming that these attacks are accomplished using relatively small botnets comprising around 20,000 machines.
- Future Threats: The rapidly increasing scale of HTTP/2 Rapid Reset attacks is a cause for concern. As botnets grow and attackers employ this method, the attacks are expected to continue breaking even greater records.
- Mitigating the Threat: Countermeasures against HTTP/2 Rapid Reset attacks are essential. Cloud providers and organizations are advised to use available HTTP-flood protection tools and strengthen DDoS resilience with multifaceted mitigations. Addressing the specific protocol vulnerability is challenging, so rate controls and server-side measures are being adopted to mitigate the threat.
- Precautionary Measures: Organizations should verify that servers supporting HTTP/2 are not vulnerable or apply vendor patches. It is imperative to monitor connection statistics and implement mechanisms to close connections exceeding the concurrent stream limit.
The “HTTP/2 Rapid Reset” attack underscores the evolving landscape of cyber threats. While the tech industry is actively working to address this issue, organizations are urged to verify that their servers supporting HTTP/2 are not vulnerable or apply vendor patches. This discovery serves as a stark reminder of the importance of cybersecurity in our interconnected digital world.
The ‘HTTP/2 Rapid Reset’ attack represents a growing threat to online infrastructure, and the collaborative disclosure by Google, Cloudflare, and AWS aims to raise awareness and readiness among organizations to guard against this record-breaking DDoS technique.