Google, Cloudflare and AWS are battling a new wave of record-breaking DDoS attacks caused by a zero-day vulnerability in the HTTP/2 protocol dubbed ‘rapid reset’.
The new vulnerability, tracked as CVE-2023-44487, was brought to light this morning in coordinated announcements from the three cloud giants.
They warn that the flaw allows threat actors to carry out “hyper volumetric" DDoS attacks as high as 201 requests per second (rps) – smashing the previous 71 rps record from February.
"There are botnets today that are made up of hundreds of thousands or millions of machines," Cloudflare said in a blog post published today.
"Given that the entire web typically sees only between 1–3 billion requests per second, it's not inconceivable that using this method could focus an entire web's worth of requests on a small number of targets."
Cloudflare revealed that the size of the attack is three times bigger than its previous record, from February 2023 (71 million trips), and it was concerned g that this was achieved using a relatively small botnet of just 20,000 machines
It is confident that as further threat actors employ more expansive botnets along with this new attack method, HTTP/2 Rapid Reset attacks will continue to break even greater records.
“Barrage of attacks”
First detected in August, the vulnerability has since been exploited to launch a “barrage of attacks targeting Google, AWS and Cloudflare in recent months.
AWS said it saw spikes of DDoS Rapid Reset attacks between August 28 and 29, with the peak hitting 155 million rps. Over those two days, the cloud services giant mitigated more than a dozen such attacks.
Meanwhile, Google researchers said the company saw a two-minute Rapid Reset DDoS attack in August generate 398 million rps, more than seven times the size of the previous largest one it blocked last year, which hit 46 million rps.
"The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending an RST_STREAM frame, Google explained in a blog post.
The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed.
Cloudflare explained that HTTP/2 proxies or load-balancers are particularly susceptible to those long strings of reset requests sent quickly. Its network was overwhelmed at the point between the TLS proxy and its upstream counterpart, so the damage was done before the bad requests reached the block point.
These attacks, it says, have led to an increase in 502 error reports among Cloudflare's clients. It eventually mitigated these attacks using a system designed to handle hyper-volumetric attacks called 'IP Jail,' which the the cloud provider expanded to cover its entire infrastructure.
“Rapid Reset”
The zero-day attack uses HTTP/2’s stream cancellation feature to send a request and then immediately cancel it over and over.
“This attack is called Rapid Reset because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request,” said Juho Snellman, staff software engineer, and Daniele Iamartino, staff site reliability engineer at Google.
“The request is cancelled, but leaves the HTTP/2 connection open.” By explicitly cancelling the requests, the attacker never exceeds the limit on the number of concurrent open streams.
“The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth.”
