A unique DDoS attack based on HTTP/2 targeted multiple Google services and cloud users. The attackers utilized an advanced method called HTTP/2 Rapid Reset to exploit a zero-day vulnerability in the HTTP/2 protocol, identified as CVE-2023-44487, which could be used for DDoS attacks.
The reported scale of the attack was as follows: Amazon successfully defended against attacks at a rate of 155 million requests per second, Cloudflare at 201 million RPS, and Google set a record by withstanding attacks at an astonishing 398 million RPS.
Google stated, “These attacks were significantly larger than any previously reported Layer 7 attacks, with the largest attack surpassing 398 million requests per second.”
In this scenario, the HTTP/2 protocol allows clients to terminate a previously sent data stream by sending an RST_STREAM frame to the server without requiring coordination between the client and server. The Rapid Reset attack utilizes this method to quickly send and reject requests, bypassing the server’s simultaneous stream limit and overwhelming it without exceeding the defined threshold.
Attacks that use numerous HTTP/2 connections and rapidly switch between requests and cancellations are referred to as HTTP/2 Rapid Reset attacks. Each connection can have an unlimited number of concurrently running requests, enabling attackers to flood a targeted website with HTTP/2 requests and effectively overload its capacity to respond to new incoming requests, ultimately leading to an outage.
Attackers can achieve this by initiating and canceling hundreds of thousands of HTTP/2 streams on a large scale. Cloudflare noted that this attack was made possible by exploiting various features of the HTTP/2 protocol and specific server implementations, making virtually all modern web servers vulnerable.
Cloudflare reported, “CVE-2023-44487 is another manifestation of the HTTP/2 vulnerability. To mitigate it, we were able to enhance existing protective measures to monitor RST_STREAM frames sent by the client and close connections when they are used for abusive purposes. Legitimate uses of RST_STREAM by the client remain unaffected.”
Cloudflare, Google, and AWS have shared this attack technique with web server providers and hope that these companies will quickly release updates to fix the vulnerability.