DDoS attack exploits HTTP/2 rapid reset vulnerability

Cloudflare announced Thursday that it has successfully mitigated thousands of high-volume HTTP distributed denial-of-service (DDoS) attacks that exploited a recently disclosed vulnerability called HTTP/2 Rapid Reset. Among these attacks, 89 exceeded the 100 million requests per second (RPS) mark.

In a report shared with The Hacker News, the web infrastructure and security company stated, “The campaign contributed to an overall 65% increase in HTTP DDoS attack traffic in the third quarter compared to the previous quarter. Similarly, L3/4 DDoS attacks increased by 14%.”

During the quarter, the total number of HTTP DDoS attack requests increased to 8.9 trillion, compared to 5.4 trillion in Q2 2023 and 4.7 trillion in Q1 2023. In Q4 2022, the number of attack requests was 6.5 trillion.

The vulnerability in question, HTTP/2 Rapid Reset (CVE-2023-44487), was publicly disclosed this month following a coordinated industry-wide release. That release revealed DDoS attacks carried out by an unknown actor who exploited the vulnerability to attack various providers, including Amazon Web Services (AWS), Cloudflare and Google Cloud.

Fastly reported in its own release on Wednesday that it had mitigated a similar attack that reached about 250 million RPS and lasted about three minutes.

Cloudflare also noted, “Botnets utilizing cloud computing platforms and exploiting HTTP/2 can generate up to x5,000 more power per botnet node. This allows them to perform hyper-volumetric DDoS attacks with a small botnet of 5-20,000 nodes alone.”

The most targeted industries in HTTP DDoS attacks were gaming, IT, cryptocurrency, computer software and telecommunications. The United States, China, Brazil, Germany and Indonesia were identified as the main sources of application layer (L7) attacks.

On the receiving end of HTTP DDoS attacks, the main targets were the United States, Singapore, China, Vietnam and Canada.

In addition, Cloudflare reported that DNS-based DDoS attacks were the most prevalent for the second consecutive quarter, accounting for nearly 47% of all attacks, an increase of 44% from the previous quarter. SYN floods ranked second, followed by RST floods, UDP floods and Mirai attacks.

One notable change was the decrease in ransomware DDoS attacks, which Cloudflare attributed to attackers realizing that organizations were less likely to pay ransoms.

The findings come against a backdrop of fluctuations in internet traffic and an increase in DDoS attacks following the Israel-Hamas conflict, during which Cloudflare successfully defended against several attempted attacks targeting Israeli and Palestinian websites.
