Cloudflare, Google and AWS revealed on Tuesday that a new zero-day vulnerability named ‘HTTP/2 Rapid Reset’ has been exploited by malicious actors to launch the largest distributed denial-of-service (DDoS) attacks in internet history.
Cloudflare started analyzing the attack method and the underlying vulnerability in late August. The company says an unknown threat actor has exploited a weakness in the widely used HTTP/2 protocol to launch “enormous, hyper-volumetric” DDoS attacks.
One of the attacks seen by Cloudflare was three times larger than the record-breaking 71 million requests per second (RPS) attack reported by the company in February. Specifically, the HTTP/2 Rapid Reset DDoS campaign peaked at 201 million RPS.
In Google’s case, the company observed a DDoS attack that peaked at 398 million RPS, more than seven times the largest attack the internet giant had previously seen.
Amazon saw over a dozen HTTP/2 Rapid Reset attacks over the course of two days in late August, with the largest peaking at 155 million RPS.
The new attack method abuses an HTTP/2 feature called ‘stream cancellation’, by repeatedly sending a request and immediately canceling it.
“By automating this trivial ‘request, cancel, request, cancel’ pattern at scale, threat actors are able to create a denial of service and take down any server or application running the standard implementation of HTTP/2,” Cloudflare explained.
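The “request, cancel, request, cancel” pattern above is cheap for the client because a cancelled stream no longer counts against the connection's concurrent-stream limit, so that limit alone does not bound the request rate. Defenders therefore track cancellations per connection instead. The following is an added example, not code from Cloudflare, Google, AWS or any web server project: a small per-connection policy that counts client-initiated stream resets in a sliding window and as a fraction of requests, and closes the connection when either exceeds a threshold. The frame trace, the threshold values and the `ResetGuard` name are constructed assumptions for illustration; the frame names `HEADERS` and `RST_STREAM` are the HTTP/2 frame types involved.

```python
from collections import deque


class ResetGuard:
    """Per-connection reset policy (illustrative, not a vendor implementation).

    A connection is closed when the client sends more than
    max_resets_per_window RST_STREAM frames within window_seconds, or when,
    after at least min_requests_before_ratio requests, the share of requests
    that were reset exceeds max_reset_ratio. All thresholds are assumed values.
    """

    def __init__(self, window_seconds=1.0, max_resets_per_window=100,
                 min_requests_before_ratio=20, max_reset_ratio=0.5):
        self.window_seconds = window_seconds
        self.max_resets_per_window = max_resets_per_window
        self.min_requests_before_ratio = min_requests_before_ratio
        self.max_reset_ratio = max_reset_ratio
        self.reset_times = deque()   # timestamps of recent RST_STREAM frames
        self.requests = 0            # HEADERS frames seen (new requests)
        self.total_resets = 0        # RST_STREAM frames seen over the connection

    def _prune(self, now):
        # Drop reset timestamps that have fallen out of the sliding window.
        while self.reset_times and now - self.reset_times[0] > self.window_seconds:
            self.reset_times.popleft()

    def on_frame(self, now, frame_type, stream_id):
        """Feed one client frame; returns 'allow' or 'close'."""
        if frame_type == "HEADERS":
            self.requests += 1
            return "allow"
        if frame_type == "RST_STREAM":
            self.total_resets += 1
            self.reset_times.append(now)
            self._prune(now)
            # Burst check: too many cancellations in the window.
            if len(self.reset_times) > self.max_resets_per_window:
                return "close"
            # Ratio check: a client that cancels most of what it requests.
            if (self.requests >= self.min_requests_before_ratio
                    and self.total_resets / self.requests > self.max_reset_ratio):
                return "close"
        return "allow"


def evaluate_trace(trace, **thresholds):
    """Run a (timestamp, frame_type, stream_id) trace through a fresh guard.

    Returns ('close', index of the offending frame) or ('allow', -1).
    """
    guard = ResetGuard(**thresholds)
    for i, (ts, ftype, sid) in enumerate(trace):
        if guard.on_frame(ts, ftype, sid) == "close":
            return ("close", i)
    return ("allow", -1)


def rapid_reset_trace(n, spacing=0.001):
    """Constructed attack-like trace: n request/cancel pairs, one per millisecond."""
    trace = []
    for k in range(n):
        sid = 2 * k + 1                      # client streams use odd ids
        trace.append((k * spacing, "HEADERS", sid))
        trace.append((k * spacing, "RST_STREAM", sid))
    return trace


def benign_trace(n, spacing=0.05):
    """Constructed benign trace: n requests, one in ten cancelled shortly after."""
    trace = []
    for k in range(n):
        sid = 2 * k + 1
        trace.append((k * spacing, "HEADERS", sid))
        if k % 10 == 0:
            trace.append((k * spacing + 0.01, "RST_STREAM", sid))
    return trace


if __name__ == "__main__":
    print("rapid reset:", evaluate_trace(rapid_reset_trace(200)))   # ('close', 39)
    print("benign:", evaluate_trace(benign_trace(100)))             # ('allow', -1)
```

The ratio check is what catches the pattern in the quote: an attacking client cancels essentially every request, so it is closed after the first twenty request/cancel pairs, while an ordinary browser that occasionally abandons a page stays well below both thresholds. A real server would keep this state per TCP connection and would tune the window and ratio to its own traffic rather than the assumed values used here.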
The company noted that the record-breaking attack aimed at its customers leveraged a botnet of only 20,000 compromised devices. The web security firm regularly sees attacks launched by botnets powered by hundreds of thousands and even millions of machines.
The underlying vulnerability, which is believed to impact every web server implementing HTTP/2, is tracked as CVE-2023-44487 and has been assigned a ‘high severity’ rating with a CVSS score of 7.5.
Cloudflare and Google have published blog posts providing technical details on the HTTP/2 Rapid Reset attack. AWS has also published a blog post describing the HTTP/2 Rapid Reset attacks it has observed.
The companies said their existing DDoS protections were largely able to handle HTTP/2 Rapid Reset, but they have implemented additional mitigations for this attack method. Web server software vendors have been notified and have started developing patches that should prevent exploitation of the vulnerability.
“Any enterprise or individual that is serving an HTTP-based workload to the Internet may be at risk from this attack,” Google warned. “Web applications, services, and APIs on a server or proxy able to communicate using the HTTP/2 protocol could be vulnerable. Organizations should verify that any servers they run that support HTTP/2 are not vulnerable, or apply vendor patches for CVE-2023-44487 to limit impact from this attack vector.”