Security News > 2023 > October > New DDoS Attack is Record Breaking: HTTP/2 Rapid Reset Zero-Day Reported by Google, AWS & Cloudflare
Find out what security teams should do now, and hear what Cloudflare's CEO has to say about this DDoS. Google, AWS and Cloudflare have reported the exploitation of a zero-day vulnerability named HTTP/2 Rapid Reset and tracked as CVE-2023-44487, which is currently used in the wild to run the largest Distributed Denial of Service attack campaigns ever seen.
The HTTP/2 Rapid Reset attack works by leveraging HTTP/2's stream cancellation feature: The attacker sends a request and cancels it immediately.
Cloudflare reported a peak at 201 million requests per second and mitigated more than 1,100 other attacks with more than 10 million RPS, and 184 attacks greater than the previous DDoS record of 71 million RPS. Google reported the biggest attack, which reached a peak of 398 millions RPS using the HTTP/2 Rapid Reset technique.
As stated by Google in its blog post about the DDoS attack, "For a sense of scale, this two minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September 2023.".
Figure B. When we asked CloudFlare CEO and co-founder Matthew Prince about the number of bots needed to launch such attacks, he said that it needed, "Between 10,000 - 20,000 nodes in the botnet, which is relatively small. That's concerning because botnets today with hundreds of thousands or millions of nodes are common. And this attack should scale linearly with the number of nodes in the botnet. It may be possible to generate an attack larger than the estimated legitimate traffic volume of the web but all focused on a single victim. That's something that even the largest organizations would not be able to handle without appropriate mitigation."
From another Cloudflare blog post: "Because the attack abuses an underlying weakness in the HTTP/2 protocol, we believe any vendor that has implemented HTTP/2 will be subject to the attack. This included every modern web server."
News URL
https://www.techrepublic.com/article/http2-rapid-reset-ddos-attack/
Related news
- Apple fixes two new iOS zero-days exploited in attacks on iPhones (source)
- DarkGate Malware Exploited Recently Patched Microsoft Flaw in Zero-Day Attack (source)
- CISA: Here’s how you can foil DDoS attacks (source)
- Crafting Shields: Defending Minecraft Servers Against DDoS Attacks (source)
- Google: Spyware vendors behind 50% of zero-days exploited in 2023 (source)
- Miscreants are exploiting enterprise tech zero days more and more, Google warns (source)
- Google fixes Chrome zero-days exploited at Pwn2Own 2024 (source)
- Zero-day exploitation surged in 2023, Google finds (source)
- Google Chrome Beta Tests New DBSC Protection Against Cookie-Stealing Attacks (source)
- Google fixes two Pixel zero-day flaws exploited by forensics firms (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-10 | CVE-2023-44487 | Resource Exhaustion vulnerability in multiple products The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | 7.5 |