Internet-Wide Zero-Day Bug Fuels Largest-Ever DDoS Event

An Internet-wide security vulnerability is at the root of a zero-day attack dubbed "HTTP/2 Rapid Reset," which resulted in a distributed denial-of-service (DDoS) flood that was orders of magnitude larger than any previous attack ever recorded. It marks a new chapter in the evolution of DDoS threats, researchers noted.

Amazon Web Services, Cloudflare, and Google Cloud each independently observed the attack in question, which featured multiple waves of traffic that lasted for just minutes each. They targeted cloud and Internet infrastructure providers, and the attack took place over Aug. 28–29. Unknown perpetrators are behind the event, but it's clear that they exploited a bug in the HTTP/2 protocol, which is used in about 60% of all Web applications.

AWS, Cloudflare, and Google worked with other cloud, DDoS security, and infrastructure vendors in a coordinated effort to minimize any real-world impact of the Rapid Reset attacks, mainly with load balancing and other edge strategies. But that doesn't mean the Internet is protected; plenty of organizations are still susceptible to the attack vector and will need to proactively patch their HTTP/2 instances to be immune to the threat.

The pioneering attack vector represents an important evolution of the DDoS landscape, according to Alex Forster, Cloudflare's technical lead over DDoS engineering.

"The threat of DDoS attacks is evolving quickly, and are far from a low-level annoyance that they used to be thought of as," he says. "This attack – the largest in the history of the Internet – shows just how critical it is to increasingly pay mind to and consider DDoS as a key way for threat actors to disrupt businesses and wreak havoc."

How the Rapid Reset DDoS Attacks Work

The susceptibility to the attack within HTTP/2 is tracked as CVE-2023-44487, and it carries a high-severity CVSS score of 7.5 out of 10.

According to Cloudflare, HTTP/2 is "a fundamental piece to how the Internet and most websites operate. HTTP/2 is responsible for how browsers interact with a website, allowing them to 'request' to view things like images and text quickly, and all at once no matter how complex the website."

The attack technique involves making hundreds of thousands of HTTP/2 requests at once, then immediately canceling them, according to the company's analysis.

"By automating this 'request, cancel, request, cancel' pattern at scale, threat actors overwhelm websites and are able to knock anything that uses HTTP/2 offline," according to Cloudflare's advisory on the Rapid Reset attacks, posted on Oct. 10.

Read the rest of this article on Dark Reading.

Related articles: