HTTP/2 zero-day vulnerability triggers largest DDoS attack in history


Between August 28 and 29, Amazon Web Services, Cloudflare, and Google Cloud each independently observed DDoS flood attacks consisting of multiple waves of traffic, each lasting only a few minutes. The attacks targeted cloud and network infrastructure providers. The perpetrators are unknown, but it is clear that they exploited a high-severity vulnerability in the HTTP/2 protocol, tracked as CVE-2023-44487, with a CVSS score of 7.5 out of 10. The incident has been named the "HTTP/2 Rapid Reset" zero-day attack.

According to Cloudflare, HTTP/2 is fundamental to how the internet and most websites operate. HTTP/2 is responsible for how browsers interact with websites, allowing browsers to quickly "request" content such as images and text, and do it all in one go, no matter how complex the website is.

Cloudflare said the HTTP/2 Rapid Reset attack technique involves making hundreds of thousands of HTTP/2 requests at once and then immediately canceling them. Cloudflare's October 10 advisory on Rapid Reset attacks explains that by automating this "request, cancel, request, cancel" pattern at scale, threat actors can overwhelm websites and take offline any website that uses HTTP/2.
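The "request, cancel, request, cancel" pattern leaves a measurable fingerprint on the server side: a single connection opens streams with HEADERS frames and cancels them with RST_STREAM before they complete, at a rate no browser produces. The script below, added here as an example and not code from the article or from any of the providers it quotes, applies that detection idea to a per-connection frame log. The log format (`<epoch> <conn_id> <frame_type> <stream_id>`), the connection ids, the thresholds, and the sample traffic are all constructed for the illustration; the same logic is what a reverse proxy would apply in-line to decide when to close a misbehaving connection.

```python
"""Per-connection HTTP/2 stream-reset monitor (added example, not vendor code).

Reads constructed frame-log lines of the form
    <epoch_seconds> <conn_id> <frame_type> <stream_id>
and flags connections whose client opens streams and cancels them with
RST_STREAM far faster than legitimate traffic does.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 1.0         # sliding window for the reset-rate check
MAX_RESETS_PER_WINDOW = 100  # hypothetical threshold; tune per deployment
MAX_RESET_RATIO = 0.5        # resets / opened streams above which a connection is suspicious


@dataclass
class ConnState:
    headers_seen: int = 0                               # client-initiated streams opened
    resets: int = 0                                     # streams cancelled before completion
    open_streams: set = field(default_factory=set)      # stream ids still in flight
    reset_times: deque = field(default_factory=deque)   # timestamps of recent cancels


def parse_line(line):
    ts, conn, ftype, sid = line.split()
    return float(ts), conn, ftype, int(sid)


def analyze(lines):
    """Return ({conn_id: first_flag_time}, {conn_id: ConnState})."""
    state = defaultdict(ConnState)
    flagged = {}
    for line in lines:
        ts, conn, ftype, sid = parse_line(line)
        s = state[conn]
        if ftype == "HEADERS":
            s.headers_seen += 1
            s.open_streams.add(sid)
        elif ftype == "RST_STREAM":
            # Count only cancellation of a stream the client opened and never finished.
            if sid in s.open_streams:
                s.open_streams.discard(sid)
                s.resets += 1
                s.reset_times.append(ts)
                while s.reset_times and ts - s.reset_times[0] > WINDOW_SECONDS:
                    s.reset_times.popleft()
                rate_exceeded = len(s.reset_times) > MAX_RESETS_PER_WINDOW
                ratio_exceeded = s.resets / s.headers_seen > MAX_RESET_RATIO
                if rate_exceeded and ratio_exceeded:
                    flagged.setdefault(conn, ts)  # record the first time the connection trips
        elif ftype == "END_STREAM":
            s.open_streams.discard(sid)  # stream completed normally
    return flagged, state


def flagged_connections(lines):
    return sorted(analyze(lines)[0])


def build_sample_log():
    """Constructed sample: one browser-like connection and one abusive one."""
    lines = []
    # c1: five normal requests that complete, then one the user cancelled.
    t = 1000.0
    for sid in range(1, 11, 2):  # client streams use odd ids
        lines.append(f"{t:.4f} c1 HEADERS {sid}")
        t += 0.05
        lines.append(f"{t:.4f} c1 END_STREAM {sid}")
        t += 0.05
    lines.append(f"{t:.4f} c1 HEADERS 11")
    lines.append(f"{t + 0.2:.4f} c1 RST_STREAM 11")
    # c2: 300 open/cancel pairs inside half a second.
    t = 1000.0
    for i in range(300):
        sid = 2 * i + 1
        lines.append(f"{t:.4f} c2 HEADERS {sid}")
        lines.append(f"{t:.4f} c2 RST_STREAM {sid}")
        t += 0.5 / 300
    lines.sort(key=lambda l: float(l.split()[0]))  # stable sort keeps per-stream order
    return lines


if __name__ == "__main__":
    flagged, state = analyze(build_sample_log())
    for conn, s in sorted(state.items()):
        verdict = f"flagged at {flagged[conn]:.4f}" if conn in flagged else "ok"
        print(f"{conn}: opened={s.headers_seen} cancelled={s.resets} -> {verdict}")
```

The two thresholds work together: the ratio check keeps a busy but legitimate client (many requests, few cancels) from being flagged, while the rate check keeps a client that cancels a handful of requests over a long session out of scope. In production the action on a flagged connection is to close it and, if the pattern repeats from the same source, to apply a per-IP limit at the edge.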

The HTTP/2 protocol is used in approximately 60% of web applications. It is understood that Cloudflare received more than 201 million requests per second (rps) at the peak of the August activity. Cloudflare said some organizations saw even higher request numbers while mitigation measures were in effect. The largest DDoS attack of 2022 peaked at 71 million rps, so the 201 million rps Cloudflare received was three times last year's figure.

At the same time, Google observed a peak of 398 million rps, seven and a half times the previous attack on its resources; AWS detected a peak of more than 155 million rps against the Amazon CloudFront service.

In its post, Google pointed out that to put the scale into perspective, the two-minute attack generated more requests than the total number of article views reported by Wikipedia for the entire month of September.

Rapid Reset is not only a powerful weapon, but an efficient one as well. AWS, Cloudflare, and Google are working with other cloud, DDoS security, and infrastructure providers to minimize the impact of Rapid Reset attacks, primarily through load balancing and other edge strategies. But that does not mean every network is protected. Many organizations remain exposed to this attack vector and need to patch their HTTP/2 implementations proactively to stay protected.

Cloudflare stated that this incident represents an important evolution in the DDoS attack landscape and is also the largest attack observed so far. The company believes that because a relatively small botnet can output such a large number of requests, it has the potential to bring down almost any server or application that supports HTTP/2, which highlights how great a threat CVE-2023-44487 poses even to uncompromised servers and protected networks.

So far, HTTP/2 Rapid Reset attacks have not had the significant impact that the attackers behind them hoped for. The technique still deserves close attention, because DDoS attacks remain an important tool in cyber attackers' arsenal.

After the disclosure of CVE-2023-44487, cloud providers and DDoS security vendors implemented multiple mitigation measures following the initial zero-day offensive in August, but attackers continue to exploit the vulnerability to launch DDoS attempts. Over the course of two days, AWS observed and mitigated more than a dozen HTTP/2 rapid reset events, and continued to see this new HTTP/2 request flood throughout September.

Google said that any business or individual that exposes HTTP workloads to the Internet may be at risk from this attack. Web applications, services, and APIs on servers or proxies that communicate using the HTTP/2 protocol may be vulnerable. In particular, organizations that manage or operate their own HTTP/2-capable servers should patch CVE-2023-44487 as soon as possible.

The following are practical recommendations for defending against DDoS threats:
  • Understand the external connectivity of your external and partner networks to leverage vendor-provided mitigations to remediate any internet-facing systems;
  • Understand your existing security protections and the capabilities needed to protect, detect and respond to attacks, and immediately remediate any issues in your network;
  • Make sure you have application-specific DDoS protection (layer 7), and make sure you have a web application firewall. Additionally, as a best practice, make sure you have complete DDoS protection for DNS, web traffic (layer 3), and API firewalls;
  • Ensure that web server and operating system patches are deployed on all Internet-facing web servers. Additionally, ensure that all automation (such as Terraform builds and images) is fully patched so that legacy web servers are not accidentally redeployed into production from outdated images;
  • As a last resort, consider turning off HTTP/2 and HTTP/3 (which may also be vulnerable) to mitigate threats. This should only be used as a last resort, as there will be serious performance issues if you downgrade to HTTP/1.1;
  • Also, consider using a secondary cloud-based DDoS Layer 7 provider at the perimeter to increase resiliency.