A new DDoS technique named 'HTTP/2 Rapid Reset' has been actively exploited as a zero-day since August, breaking all previous records in magnitude.
The announcement of the zero-day technique is part of a coordinated announcement made today by Amazon Web Services, Cloudflare, and Google, which reported mitigating attacks reaching 155 million requests per second (Amazon), 201 million requests per second (Cloudflare), and a record-breaking 398 million requests per second (Google).
The attacks, which target layer 7 (the application layer), were first detected in late August 2023, the companies said in a coordinated disclosure. The underlying weakness in HTTP/2 implementations has been assigned CVE-2023-44487, with a CVSS score of 7.5 out of 10.
The attack mitigated by Cloudflare was three times the size of its previous record from February 2023 (71 million rps), and it is alarming that this was achieved by a relatively small botnet of roughly 20,000 machines.
Cloudflare believes that HTTP/2 Rapid Reset attacks will continue to break records as more threat actors deploy more expansive botnets and employ this new attack method.
HTTP/2 Rapid Reset is a zero-day weakness in how HTTP/2 stream cancellation is handled, and it can be exploited to launch DDoS attacks. HTTP/2 multiplexes many requests over a single TCP connection, carrying each as a separate concurrent stream.
The attacker continuously sends and cancels requests by exploiting HTTP/2's stream cancellation feature, overwhelming the target server/application and imposing a DoS condition.
To bound resource use, HTTP/2 includes a safeguard in the form of a connection setting (SETTINGS_MAX_CONCURRENT_STREAMS) that limits the number of streams a client may have open at once; however, this is not always effective, because only streams that are still open count toward the limit. The protocol's designers also provided a cheaper way to abandon a single request, called stream cancellation (the RST_STREAM frame), which does not tear down the whole connection. A cancelled stream stops counting toward the limit immediately, and that is the behaviour that can be abused.
Since August, malicious actors have abused this feature by sending a flood of HTTP/2 requests, each immediately followed by a reset (RST_STREAM frame), to a server. The server begins processing each request and then tears it down, so the attacker never exceeds the concurrent-stream limit while still exhausting the server's capacity to handle new requests. In Google's post on the issue, it is noted that the protocol does not require the client and server to coordinate cancellations: the client can cancel unilaterally.
The client may also assume that the cancellation takes effect as soon as the server receives the RST_STREAM frame, before any other data from that TCP connection is processed.
Cloudflare's customers reported an increase in HTTP 502 (Bad Gateway) errors during these attacks.
A system called IP Jail, which Cloudflare has expanded to cover its entire infrastructure, eventually mitigated these attacks.
Amazon says it has mitigated dozens of these attacks, without giving details of their impact, but emphasizes that the availability of customer services was not affected.
The three firms conclude that the best way to combat HTTP/2 Rapid Reset attacks is to use all available HTTP flood protection tools and bolster their DDoS resilience with multifaceted mitigation measures.
Because this tactic abuses a legitimate feature of the HTTP/2 protocol, there is currently no single fix that prevents attackers from employing this type of DDoS attack; servers and proxies have to detect and shut down abusive cancellation patterns themselves.
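The following Python is an added example, not code from the three vendors' disclosures or from any HTTP/2 implementation. It builds real HTTP/2 frames (layout and constants per RFC 9113) for the HEADERS-then-RST_STREAM pattern described above, parses them with a minimal server-side accounting model, and shows two things: the concurrent-stream limit stops an ordinary flood but never triggers against a rapid-reset burst, and a per-connection reset budget of the kind the vendors recommend (count client cancellations, close the connection when they exceed a threshold) cuts the wasted work short. The HPACK header block, the limit of 100 streams, the budget of 50 resets and the stream counts are constructed assumptions; the budget is one illustration of the mitigation class, not a published value.

```python
"""HTTP/2 Rapid Reset at the frame level, with a naive and a guarded server.

Added example: this is not code from Google, Cloudflare, AWS or any HTTP/2
implementation. Frame layout and constants follow RFC 9113; the HPACK header
block, the stream limit, the reset budget and the stream counts are
constructed for illustration.
"""
import struct

# Frame types, flags and error codes from RFC 9113.
HEADERS, RST_STREAM = 0x1, 0x3
END_STREAM, END_HEADERS = 0x1, 0x4
PROTOCOL_ERROR, CANCEL, ENHANCE_YOUR_CALM = 0x1, 0x8, 0xB

# Constructed HPACK block: static-table indexed fields :method GET (index 2),
# :path / (index 4), :scheme http (index 6). It is never decoded below.
GET_ROOT_HPACK = b"\x82\x84\x86"


def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def rapid_reset_burst(n_streams):
    """Attacker's byte stream: each HEADERS is immediately followed by RST_STREAM(CANCEL)."""
    out = bytearray()
    for i in range(n_streams):
        sid = 2 * i + 1  # client-initiated streams use odd ids
        out += frame(HEADERS, END_STREAM | END_HEADERS, sid, GET_ROOT_HPACK)
        out += frame(RST_STREAM, 0, sid, struct.pack("!I", CANCEL))
    return bytes(out)


def plain_flood(n_streams):
    """Ordinary flood for comparison: open streams and leave them open."""
    return b"".join(frame(HEADERS, END_STREAM | END_HEADERS, 2 * i + 1, GET_ROOT_HPACK)
                    for i in range(n_streams))


def parse_frames(data):
    """Yield (type, flags, stream_id, payload); a truncated stream is an error."""
    off = 0
    while off < len(data):
        if len(data) - off < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, sid, payload
        off += 9 + length


class Connection:
    """Server-side accounting for one TCP connection.

    max_concurrent models SETTINGS_MAX_CONCURRENT_STREAMS. reset_budget is an
    assumed mitigation: close the connection once the client has cancelled more
    than this many streams. None models the unguarded, pre-disclosure behaviour.
    """

    def __init__(self, max_concurrent=100, reset_budget=None):
        self.max_concurrent = max_concurrent
        self.reset_budget = reset_budget
        self.open = set()
        self.peak_open = 0
        self.work_started = 0  # requests already handed to the backend
        self.resets = 0
        self.closed_reason = None  # (error code, description) once torn down

    def handle(self, data):
        for ftype, flags, sid, payload in parse_frames(data):
            if self.closed_reason is not None:
                break  # connection is gone; the rest of the burst is discarded unread
            if ftype == HEADERS:
                if len(self.open) >= self.max_concurrent:
                    self.closed_reason = (PROTOCOL_ERROR, "concurrent stream limit exceeded")
                    break
                self.open.add(sid)
                self.peak_open = max(self.peak_open, len(self.open))
                # Headers are parsed and the request dispatched before the cancel
                # for this stream can possibly arrive, so this work is already spent.
                self.work_started += 1
            elif ftype == RST_STREAM:
                self.open.discard(sid)  # a closed stream no longer counts toward the limit
                self.resets += 1
                if self.reset_budget is not None and self.resets > self.reset_budget:
                    self.closed_reason = (ENHANCE_YOUR_CALM, "client reset budget exceeded")
        return self


if __name__ == "__main__":
    runs = [
        ("plain flood, naive server", Connection().handle(plain_flood(10_000))),
        ("rapid reset, naive server", Connection().handle(rapid_reset_burst(10_000))),
        ("rapid reset, reset budget 50", Connection(reset_budget=50).handle(rapid_reset_burst(10_000))),
    ]
    for label, conn in runs:
        print(f"{label}: peak open {conn.peak_open}, work started {conn.work_started}, "
              f"resets {conn.resets}, closed {conn.closed_reason}")
```

Running the script shows the asymmetry the article describes: the plain flood is cut off after 100 requests by the stream limit, the rapid-reset burst keeps peak concurrency at 1 and still forces the naive server to start all 10,000 requests, and the guarded server stops after 51. A production guard would measure cancellations per unit time rather than a lifetime count, and would also want to watch the ratio of cancelled to completed streams so that a legitimate client that occasionally abandons a request is not penalised.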
Want your digital assets to be protected?
CyberShelter provides innovative and modern cybersecurity products and niche services to individuals and organizations against all kinds of cyber threats.