Image: Aidan Granberry (unsplash)
A novel DDoS technique, termed ‘HTTP/2 Rapid Reset’, emerged recently and has surpassed all existing benchmarks since its first observation in August.
The introduction of this zero-day technique was jointly announced by industry leaders Amazon Web Services, Cloudflare, and Google. They shared insights on having successfully thwarted attacks that peaked at 155 million requests per second (Amazon), 201 million rps (Cloudflare), and an astonishing 398 million rps (Google).
Cloudflare disclosed that the scale of these attacks was threefold its previous record set in February 2023, which was at 71 million rps. What’s alarming is that such massive attacks were orchestrated using a fairly modest botnet of just 20,000 machines.
Records further indicate that since its inception in August, over a thousand HTTP/2 Rapid Reset DDoS attacks exceeding 10 million rps have been detected and counteracted by Cloudflare alone. Out of these, 184 have exceeded the earlier record of 71 million rps.
Cloudflare foresees that with larger botnets adopting this innovative method, the HTTP/2 Rapid Reset attacks will likely achieve unprecedented numbers in the future. To put it in perspective, Cloudflare stated that the current internet handles between 1-3 billion requests per second, and such techniques could potentially target a substantial portion of the web’s request volume on a limited number of servers.
Details on HTTP/2 Rapid Reset
This ground-breaking attack capitalizes on a zero-day flaw, labeled CVE-2023-44487. The flaw is rooted in the HTTP/2 protocol, more specifically in its stream cancellation function. The attackers misuse this feature to incessantly dispatch and nullify requests, burdening the targeted server/application, resulting in a denial-of-service condition. The HTTP/2 protocol does encompass defenses to preclude such attacks, but they prove insufficient at times. Bad actors have exploited this aspect since August, inundating servers with an array of HTTP/2 requests and rapid resets, thereby crippling its ability to manage new incoming requests. Google elucidated the subject by mentioning that the client doesn’t need to synchronize with the server during cancellation.
Cloudflare highlighted that HTTP/2 proxies or load-balancers are particularly vulnerable to such concentrated reset requests. Their network was strained to the limit, bearing the brunt before even filtering out the malicious requests. These onslaughts have led to a spike in 502 error alerts among Cloudflare’s clientele.
To counter these threats, Cloudflare leveraged a system termed ‘IP Jail’ which targets offending IPs, restricting their access to HTTP/2 on any Cloudflare domain for a designated time. This mechanism does have a minor downside of slightly reducing performance for legitimate users on the affected IP.
Amazon, while confirming the mitigation of numerous such attacks, refrained from detailing their impact but reassured the uninterrupted service to their customers.
All three companies unanimously recommend that clients strengthen their DDoS defense by integrating a variety of HTTP-flood protection tools.
Lastly, Cloudflare, in a distinct statement, shared that they kept the information on this zero-day undisclosed for over a month, granting security vendors ample time to respond. However, they believed that the time had come for a public disclosure, marking the onset of an intricate game of defense and evasion.