HTTP/2 Rapid Reset: AWS and Google confirm record-breaking DDoS attack

AWS and Google have confirmed that the biggest distributed denial of service (DDoS) attacks ever seen have been ongoing since August. Although neither Amazon or Google has stated which customers were targeted, they have detailed a zero-day vulnerability in the HTTP/2 Rapid Reset protocol that enables the DDoS exploit.

Cloudflare and Microsoft also published details about these attacks. Meanwhile, the US Cybersecurity & Infrastructure Security Agency has called for organisations to apply patches when available and consider configuration changes among other mitigations.

What is the HTTP/2 Rapid Reset?

The Rapid Reset attacks are exploiting a zero-day vulnerability in the HTTP/2 protocol. The latest statistics show that 35% of all websites employ HTTP/2, which allows for server push to send resources before a client requests them. It also allows multiplexing of multiple requests across a single connection.

It’s this ability to allow simultaneous multiple requests from one connection that the zero-day, CVE-2023-44487, exploits. It enables an attacker to send and cancel requests in such a way as to drown the target server in traffic. Labelled as HTTP/2 Rapid Reset, the exploit allows relatively small botnets to initiate stunning numbers of DDoS attacks.

“This event serves to remind the industry that DDoS attacks are alive and well and won’t go away anytime soon,” Stephen Gates, principal security for SME at Horizon3.ai, said. “It’s only a matter of time before more protocol or application-layer vulnerabilities are discovered and exploited with similar outcomes.”

How big is the HTTP/2 Rapid Reset DDoS attack?

So, how big is this attack? For starters, Google Cloud recorded 398 million requests per second. That’s seven times bigger than anything it had encountered previously.

Amazon saw attacks peak at 155 million per second, and Cloudflare hit 201 million. (Microsoft hasn’t attributed any numbers to the attacks it has seen.)

All of this, apparently, originating from a botnet of around 20,000 machines rather than the hundreds of thousands that are usually associated with the largest DDoS attacks.

Should you be concerned? Jamie Scott, founding product manager at Endor Labs, thinks so. “SaaS services, ecommerce sites and critical online information services are those that could see the biggest impact,” Scott warned.

“For many organisations, service availability directly translates to revenue and the denial of that availability is a direct hit to their top line.”

How to mitigate HTTP/2 Rapid Reset attacks

“If you run a publicly accessible HTTP/2 service without DDoS protections,” Scott said, “you should monitor your commercial and open source web proxy and web server solutions for any patches available and update as soon as possible.

“Updates have started becoming available for many open-source solutions the morning of October 10.”

These attacks, along with this week’s news of a cURL vulnerability that means almost every device connected to the internet will need to be patched, emphasise how important it is for businesses of all size to implement a clear, well-defined security plan.