Internet-Wide Zero-Day Bug Fuels Largest-Ever DDoS Event

An Internet-wide security vulnerability lies at the core of a zero-day attack known as "HTTP/2 Rapid Reset." This attack has given rise to a distributed denial-of-service (DDoS) flood of unprecedented scale, surpassing all previous records. Experts have recognized this as a significant development in the realm of DDoS threats.


Prominent entities such as Amazon Web Services, Cloudflare, and Google Cloud independently witnessed the attack, which consisted of multiple waves of traffic lasting only a few minutes each. The targets were cloud and Internet service providers, and the attack occurred between August 28th and 29th. Although the perpetrators remain unknown, it is evident that they exploited a vulnerability in the HTTP/2 protocol, which is utilized by approximately 60% of all web applications.


In a collaborative effort, AWS, Cloudflare, and Google, alongside other cloud, DDoS security, and infrastructure vendors, worked to mitigate the real-world impact of the Rapid Reset attacks. Measures such as load balancing and other edge strategies were employed. However, this does not guarantee Internet-wide protection. Numerous organizations remain vulnerable to this attack vector and must proactively patch their HTTP/2 instances to achieve immunity from the threat.


According to Alex Forster, Cloudflare's technical lead for DDoS engineering, this pioneering attack vector signifies a noteworthy progression in the landscape of DDoS attacks. Forster emphasizes that DDoS attacks should no longer be dismissed as mere inconveniences, as they were previously perceived. Instead, they should be recognized as a critical avenue for threat actors to disrupt businesses and sow havoc.


The Rapid Reset DDoS attacks exploit a flaw in the HTTP/2 protocol that is tracked as CVE-2023-44487. The vulnerability carries a CVSS score of 7.5 out of 10, indicating a high level of severity.


According to Cloudflare, HTTP/2 plays a fundamental role in the functioning of the Internet and most websites. It facilitates interactions between browsers and websites, enabling them to quickly request and retrieve various elements, such as images and text, regardless of the website's complexity.


The attack technique involves launching hundreds of thousands of simultaneous HTTP/2 requests and promptly canceling them, as per Cloudflare's analysis. By automating this pattern of "request, cancel, request, cancel" at a large scale, threat actors overwhelm websites, rendering any system reliant on HTTP/2 inaccessible. This information was disclosed in Cloudflare's advisory on the Rapid Reset attacks, posted on October 10th.
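The "request, cancel" pattern is detectable per connection, because a legitimate client opens many streams and cancels few, while a Rapid Reset client cancels nearly every stream it opens. The following detector is an added illustration, not Cloudflare's or any vendor's code; the frame events, thresholds and connection identifiers are constructed assumptions.

```python
"""Per-connection detector for the HTTP/2 Rapid Reset pattern (CVE-2023-44487).

Each HTTP/2 request opens a stream (HEADERS frame); the client can cancel it at
any time with RST_STREAM. The cancel is free for the client but the server has
already started work, so a connection that resets almost every stream it opens
is the signature a defender can act on by closing that connection.
"""
from collections import deque
from dataclasses import dataclass, field

RESET_WINDOW_SECONDS = 1.0   # assumption: sliding window for counting cancels
MAX_RESETS_PER_WINDOW = 50   # assumption: cancels tolerated per connection/window
MAX_RESET_RATIO = 0.5        # assumption: fraction of opened streams a client may cancel
MIN_STREAMS_FOR_RATIO = 20   # assumption: avoid judging a connection on a few streams


@dataclass
class ConnectionState:
    streams_opened: int = 0
    streams_reset: int = 0
    reset_times: deque = field(default_factory=deque)


class RapidResetDetector:
    def __init__(self):
        self.conns = {}

    def observe(self, conn_id, ts, frame_type):
        """Record one frame; return True if conn_id should now be closed."""
        st = self.conns.setdefault(conn_id, ConnectionState())
        if frame_type == "HEADERS":          # client opened a new stream
            st.streams_opened += 1
            return False
        if frame_type != "RST_STREAM":       # other frame types are not counted
            return False
        st.streams_reset += 1
        st.reset_times.append(ts)
        while st.reset_times and ts - st.reset_times[0] > RESET_WINDOW_SECONDS:
            st.reset_times.popleft()         # drop cancels outside the window
        burst = len(st.reset_times) > MAX_RESETS_PER_WINDOW
        ratio = st.streams_reset / max(st.streams_opened, 1)
        abusive_ratio = st.streams_opened >= MIN_STREAMS_FOR_RATIO and ratio > MAX_RESET_RATIO
        return burst or abusive_ratio


def flagged_connections(events):
    """Replay (conn_id, timestamp, frame_type) events; return connections to close."""
    detector, flagged = RapidResetDetector(), set()
    for conn_id, ts, frame in events:
        if detector.observe(conn_id, ts, frame):
            flagged.add(conn_id)
    return flagged


def constructed_events():
    """Constructed sample: a normal client beside a Rapid Reset client."""
    events = [("good", 0.01 * i, "HEADERS") for i in range(30)]       # 30 requests
    events += [("good", 0.5, "RST_STREAM"), ("good", 0.6, "RST_STREAM")]  # 2 cancels
    for i in range(200):                                              # open, cancel, repeat
        events += [("bad", 0.001 * i, "HEADERS"), ("bad", 0.001 * i, "RST_STREAM")]
    return events
```

Running `flagged_connections(constructed_events())` closes only the connection that cancels every stream it opens; the ordinary client with two cancellations is untouched.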


During the peak of the campaign in August, Cloudflare witnessed over 201 million requests per second (rps), while some organizations experienced even higher numbers owing to their mitigation efforts. This was triple the size of the previous record-breaking DDoS attack that reached its peak at 71 million rps.


Similarly, Google observed a peak of 398 million rps, surpassing all previous attacks against its resources by seven and a half times. AWS detected a peak influx of more than 155 million rps, specifically targeting the Amazon CloudFront service.


To put the scale of the attack in context, Google researchers highlighted that this two-minute peak generated more requests than the total number of article views Wikipedia reported for the entire month of September.


A spokesperson from Google conveyed that although the future of DDoS attacks remains unpredictable, this recent series of attacks aligns with the projected exponential growth, nearly doubling every 18 months. Protection against such attacks requires consistent capacity planning, efficient attack monitoring, and swift response.


It is worth noting that the August tsunami attack was launched using a relatively small botnet, consisting of fewer than 20,000 nodes. This not only emphasizes the power of Rapid Reset as a formidable weapon but also underscores its high efficiency.


Cloudflare's analysis reveals that botnets of significantly larger scales, comprising hundreds of thousands or even millions of machines, are frequently detected. However, the substantial volume of requests generated by a relatively small botnet, with the potential to incapacitate nearly any server or application relying on HTTP/2, highlights the menacing nature of this vulnerability for unprotected networks.


Rapid Reset Mitigation

While the Rapid Reset attacks have not had the critical impact that the cyberattackers behind them may have expected, it is important for companies to take notice of the fact that threat actors were able to pioneer this technique. This is particularly significant given that DDoS attacks continue to be a crucial tool in the arsenal of cyberattackers.


"In the realm of cybersecurity, it is a constant race," explains Forster. "As attackers carry out increasingly sophisticated and impactful attacks, defenders develop cutting-edge methods and technologies to combat them...From today onwards, threat actors will be well aware of the HTTP/2 vulnerability, and exploiting it will become inevitable. This will initiate a race between defenders and attackers – the first to patch versus the first to exploit. Organizations of all sizes should assume that their systems will be tested and must take proactive measures to ensure protection."


Furthermore, despite extensive mitigation efforts by cloud providers and DDoS security vendors following the initial zero-day offensive in August, attackers continue to launch DDoS attempts using the bug on an ongoing basis.


"In those two days, AWS identified and mitigated over a dozen HTTP/2 rapid reset events, and throughout September, this new type of HTTP/2 request flood persisted," stated the cloud giant in a recent post.


According to Google researchers, "any enterprise or individual serving an HTTP-based workload to the Internet may be at risk from this attack. Web applications, services, and APIs hosted on a server or proxy that can communicate using the HTTP/2 protocol could be vulnerable."


They further advised that "organizations managing or operating their own HTTP/2-capable server (open source or commercial) should apply vendor patches for CVE-2023-44487 when available."


While the HTTP/2 Rapid Reset vulnerability may have set a record in terms of its scale, the broader lessons to be learned are not novel, according to Forster. "Incorporate incident management, patching, and the evolution of security protections into ongoing processes. Patches for each variant of a vulnerability reduce the risk but never eliminate it completely."


Forster provided Dark Reading with a list of actionable recommendations to reinforce defenses against Rapid Reset and other DDoS threats:


1. Gain a comprehensive understanding of your external and partner network's external connectivity to address any Internet-facing systems with the mitigations provided by vendors.

2. Assess your existing security protection and the capabilities you have for protecting, detecting, and responding to an attack. Immediately rectify any issues identified within your network.

3. Ensure that your DDoS protection is located outside of your data center, as mitigating a DDoS attack becomes challenging once the traffic reaches your data center.

4. Implement DDoS protection for applications (Layer 7) and ensure the presence of Web Application Firewalls. Additionally, as a best practice, deploy complete DDoS protection for DNS, network traffic (Layer 3), and API firewalls.

5. Deploy patches for web servers and operating systems across all Internet-facing servers. Also, ensure that all automation tools, such as Terraform builds and images, are fully patched to avoid unintentional deployment of older versions on secure images in production.

6. As a last resort, consider disabling HTTP/2 and HTTP/3 (which may also be vulnerable) to mitigate the threat. This measure should only be used as a last resort, as downgrading to HTTP/1.1 can result in significant performance issues.

7. Consider employing a secondary, cloud-based DDoS Layer 7 provider at the perimeter to enhance resilience.