On October 10, 2023, cloud computing companies AWS, Cloudflare, and Google jointly announced that they had observed a new DDoS technique dubbed HTTP/2 Rapid Reset being exploited in the wild since August 2023. The attacks observed reached between 155 and 398 million requests per second (RPS), more than quadrupling the previous record of 71 million RPS.
The technique takes advantage of a zero-day vulnerability in the HTTP/2 protocol, designated CVE-2023-44487. In basic terms, the attack floods the target web server with HTTP/2 requests by repeatedly opening a stream and then immediately cancelling it with a reset-stream request. The number of streams that may be open at once within a single TCP session is usually limited to 100.
However, because each reset request is sent immediately after the open request, the threat actor's count of open streams never exceeds this limit. They can then hammer a target with the open/reset stream combination, using all of their available bandwidth. Processing all of these requests consumes the target server's resources, leading to a denial-of-service condition.
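To make the accounting concrete, the following is an added example (not code from the article or from any of the vendors it names) that models a server-side HTTP/2 connection with only the two frame types the article discusses: HEADERS opening a stream and RST_STREAM cancelling it. It shows why the open-then-cancel pattern never trips the usual concurrent-stream limit of 100 even though every opened stream still dispatches work, and contrasts that with a connection that also budgets resets per connection and drops the connection when the budget is exceeded. The frame kinds, the reset budget, the window size and the constructed traffic patterns are all assumptions for illustration.

```python
"""Toy model of HTTP/2 stream accounting on one server connection.

Added example, not code from the original article or from any vendor.
Only HEADERS (open), END_STREAM (normal completion) and RST_STREAM (cancel)
are modelled; frame parsing, flow control and real sockets are omitted.
"""
from collections import deque
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100   # the usual SETTINGS_MAX_CONCURRENT_STREAMS value
RESET_BUDGET = 50              # assumed: resets tolerated within one window
WINDOW_FRAMES = 200            # assumed: window measured in frames received


@dataclass
class Connection:
    open_streams: set = field(default_factory=set)
    peak_open: int = 0            # highest concurrent-stream count observed
    requests_dispatched: int = 0  # streams that reached the request handler
    rejected: int = 0             # opens refused by the concurrency limit
    resets: int = 0               # RST_STREAM frames accepted
    closed: bool = False          # set when the server decides to GOAWAY


def handle_frame_naive(conn, frame):
    """Only the concurrent-stream limit is enforced (pre-mitigation behaviour)."""
    kind, sid = frame
    if conn.closed:
        return
    if kind == "HEADERS":
        if len(conn.open_streams) >= MAX_CONCURRENT_STREAMS:
            conn.rejected += 1
            return
        conn.open_streams.add(sid)
        conn.peak_open = max(conn.peak_open, len(conn.open_streams))
        conn.requests_dispatched += 1   # backend work is queued at this point
    elif kind in ("END_STREAM", "RST_STREAM"):
        conn.open_streams.discard(sid)
        if kind == "RST_STREAM":
            conn.resets += 1


def handle_frame_hardened(conn, frame, window):
    """Additionally count resets over a sliding window of recent frames and
    close the connection once the budget is exceeded (assumed policy)."""
    if conn.closed:
        return
    window.append(frame[0] == "RST_STREAM")
    if sum(window) > RESET_BUDGET:
        conn.closed = True          # real server would send GOAWAY and drop it
        return
    handle_frame_naive(conn, frame)


def simulate(frames, hardened=False):
    """Feed a frame sequence through one connection and return its counters."""
    conn = Connection()
    window = deque(maxlen=WINDOW_FRAMES)
    for frame in frames:
        if hardened:
            handle_frame_hardened(conn, frame, window)
        else:
            handle_frame_naive(conn, frame)
    return conn


def open_then_cancel(n):
    """Constructed traffic: every stream is opened and immediately reset."""
    frames = []
    for i in range(n):
        sid = 2 * i + 1              # client-initiated stream IDs are odd
        frames += [("HEADERS", sid), ("RST_STREAM", sid)]
    return frames


def open_then_finish(n):
    """Constructed traffic: ordinary requests that each complete normally."""
    frames = []
    for i in range(n):
        sid = 2 * i + 1
        frames += [("HEADERS", sid), ("END_STREAM", sid)]
    return frames


if __name__ == "__main__":
    naive = simulate(open_then_cancel(10_000))
    print("naive: peak open", naive.peak_open, "dispatched", naive.requests_dispatched)
    hard = simulate(open_then_cancel(10_000), hardened=True)
    print("hardened: closed", hard.closed, "dispatched", hard.requests_dispatched)
```

Run against the open-then-cancel pattern, the naive connection never has more than one stream open, rejects nothing, and still dispatches all 10,000 requests to the backend, which is exactly the gap the article describes. The hardened connection dispatches 51 requests, sees 50 resets, and then closes; the ordinary open-then-finish traffic never triggers the reset budget and is served in full.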
Fortunately, AWS, Cloudflare, and Google were all able to implement mitigations to prevent these attacks from affecting their client base. They also issued guidance to web server software vendors, who have already begun working on patches.
Source: Bleeping Computer
Analysis
This new DDoS technique is an excellent example of the cat-and-mouse game between threat actors and solutions providers. Threat actors are consistently looking for methods to increase the effects of their DDoS attacks, while solutions providers implement controls to mitigate this activity.
In this case, it would appear threat actors discovered and deployed the HTTP/2 Rapid Reset technique that anti-DDoS solutions providers weren’t currently protecting their clients from, and as a result, set a new record for DDoS attack magnitude.
So far, Field Effect has been unable to identify any known DDoS groups using, or claiming to use, this method. However, it’s likely that other groups will adopt the technique and use it against targets with no or unpatched DDoS protection services.
Mitigation
Having a firewall alone will not stop the high volume of traffic generated during a DDoS attack using HTTP/2 Rapid Reset. To properly reduce the risk that this type of DDoS attack poses, organizations should deploy dedicated DDoS protection solutions designed to counter attacks of various types and volumes.
Field Effect recommends that organizations running HTTP/2 services apply patches as soon as they are available for their specific application.