'Rapid Reset' DDoS attacks exploiting HTTP/2 vulnerability

Google, AWS and Cloudflare stopped what is reportedly the largest DDoS attack ever recorded, according to announcements from the vendors Tuesday.

The attack occurred as a result of a novel DDoS vulnerability, tracked as CVE-2023-44487, that concerns the HTTP/2 protocol, the standardized set of rules for file transference over the internet. According to the vulnerability's page on the National Institute of Standards and Technology website, "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023."

As part of coordinated disclosure, Google Cloud, Amazon Web Services and Cloudflare published blog posts and advisories providing additional technical information regarding the DDoS attack vector. In one of two blog posts published by Google, the tech giant described it as "the largest DDoS attack to date, peaking above 398 million rps [requests per second]."

In Cloudflare's technical breakdown, it tracked a peak of over 201 million requests per second -- nearly three times bigger than the previous record-setting attack it had observed.

"Concerning is the fact that the attacker was able to generate such an attack with a botnet of merely 20,000 machines," wrote Cloudflare engineers Lucas Pardue and Julien Desgats. "There are botnets today that are made up of hundreds of thousands or millions of machines. Given that the entire web typically sees only between 1–3 billion requests per second, it's not inconceivable that using this method could focus an entire web's worth of requests on a small number of targets."

In another blog post dedicated to how the attack and attack vector work, Google engineers Juho Snellman and Daniele Iamartino wrote that the attack, dubbed "Rapid Reset," occurred over a series of months and peaked in August.

The authors said that since the end of 2021, the majority of application layer, or Layer 7, DDoS attacks observed across Google services have been based on HTTP/2, "both by number of attacks and by peak request rates."

"A primary design goal of HTTP/2 was efficiency, and unfortunately the features that make HTTP/2 more efficient for legitimate clients can also be used to make DDoS attacks more efficient," the post read.

HTTP/2 attacks are dominant, Google said, because of the protocol's ability to process requests as multiple concurrent "streams," rather than HTTP/1.1's need to process requests serially. As such, an HTTP/2 attack can execute far more concurrent requests than one exploiting an older protocol.

With Rapid Reset, the attacking client "opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately."

"The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight," the post read. "By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth."

Further technical details are available in blog posts by Google, Cloudflare and Amazon.

Google said its load balancing infrastructure managed to "largely" stop the Rapid Reset attacks at the edge of its network, preventing any outages. Amazon said AWS determined the nature of the attack "within minutes" and its CloudFront content delivery network automatically mitigated the attack.

Cloudflare, meanwhile, said it saw spikes in 502 errors and requests but responded quickly via changes to its stack and mitigations detailed in its technical breakdown. According to the company, "all our customers are protected from this new DDoS attack method without any customer impact."

Regarding mitigations, Google said blocking individual requests would not suffice, and closing the entire TCP connection as soon as abuse was detected is required. Broader mitigations include tracking connection statistics and prioritizing connections for built-in HTTP/2 mitigation of the GOAWAY frame type based on various signals. All three vendors also implemented additional internal detections and mitigations as well.

A spokesperson for AWS told TechTarget Editorial that web servers will be updated to address the issue, and that widespread adoption should provide broader mitigation. Similarly, a Google spokesperson pointed to the fact that a number of software vendors issued patches alongside the Tuesday disclosure. These vendors include Apple, Microsoft, F5 and others.

In the Cloudflare blog post, Pardue and Desgats warned that the risk of CVE-2023-44487 and Rapid Reset attacks was pervasive. "Because the attack abuses an underlying weakness in the HTTP/2 protocol, we believe any vendor that has implemented HTTP/2 will be subject to the attack," they wrote. "This includes every modern web server."

Alex Forster, Cloudflare software engineer for DDoS mitigation, said that although today's public disclosure signaled that patches were issued and the remaining step is for customers to deploy them, managing complex infrastructure is more complicated than running a patch.

"Organizations must turn incident management, patching and evolving security protections into ongoing processes," Forster said. "The patches for each variant of a vulnerability reduce risk but don't always completely eliminate it. In this instance, Cloudflare developed purpose-built technology to mitigate the effects of the zero-day vulnerability."

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.