
Massive HTTP/2 Rapid Reset DDoS Attacks: How Cloudflare, Google, and Amazon Fought Back



Google issued a warning, emphasizing that any enterprise or individual using HTTP/2 for web applications, services, and APIs could be vulnerable.

Cloudflare began analyzing the attack method and the underlying vulnerability in late August. The company reports that an unknown threat actor exploited a weakness in the widely used HTTP/2 protocol to launch “enormous, hyper-volumetric” DDoS attacks.

Cloudflare observed one of the attacks, which was three times larger than the record-breaking 71 million requests per second (RPS) attack the company reported in February. Specifically, the HTTP/2 Rapid Reset DDoS campaign peaked at 201 million RPS.

Google, for its part, witnessed a DDoS attack that reached a peak of 398 million RPS, more than seven times the largest attack the internet giant had previously encountered.

Amazon faced more than a dozen HTTP/2 Rapid Reset attacks over two days in late August, with the largest one peaking at 155 million RPS.

This new attack method exploits an HTTP/2 feature called ‘stream cancellation,’ involving the repetitive sending of a request followed by immediate cancellation.

Cloudflare explained, “Threat actors can create a denial of service and disrupt any server or application running the standard implementation of HTTP/2 by automating this simple ‘request, cancel, request, cancel’ pattern at scale.”
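The pattern described above can be recognised on the server side by counting how often a client opens streams and then cancels them. The following is an added example of such a per-connection heuristic; it is not code from the article or from Cloudflare, Google or AWS. The function name, thresholds and the frame event format are hypothetical, and both input samples are constructed.

```python
from collections import deque

def classify_connection(events, window=1.0, reset_burst_limit=50, cancel_ratio=0.8):
    """Heuristic classifier for one HTTP/2 connection (hypothetical, not a vendor API).

    events: iterable of (timestamp_s, frame_type, stream_id) as a proxy's frame decoder
    might hand them over. A client that opens streams (HEADERS) and cancels most of them
    (RST_STREAM), with more than reset_burst_limit cancels in any `window` seconds,
    matches the 'request, cancel, request, cancel' pattern.
    """
    headers = resets = peak_burst = max_open = 0
    open_streams = set()
    recent_resets = deque()  # timestamps of client RST_STREAM frames inside the window
    for ts, frame, sid in events:
        if frame == "HEADERS":
            headers += 1
            open_streams.add(sid)
            max_open = max(max_open, len(open_streams))
        elif frame == "RST_STREAM":
            resets += 1
            open_streams.discard(sid)  # slot freed, but the server already started work
            recent_resets.append(ts)
            while recent_resets and ts - recent_resets[0] > window:
                recent_resets.popleft()
            peak_burst = max(peak_burst, len(recent_resets))
        elif frame == "END_STREAM":
            open_streams.discard(sid)  # stream completed normally
    ratio = resets / headers if headers else 0.0
    verdict = "rapid_reset" if peak_burst > reset_burst_limit and ratio >= cancel_ratio else "benign"
    # max_open stays tiny during the attack: cancelling frees the concurrency slot at once,
    # so the SETTINGS_MAX_CONCURRENT_STREAMS limit alone never triggers. A server acting on
    # 'rapid_reset' would stop serving the connection (GOAWAY) instead of honouring new streams.
    return {"headers": headers, "resets": resets, "peak_resets_per_window": peak_burst,
            "cancel_ratio": round(ratio, 2), "max_open_streams": max_open, "verdict": verdict}

def constructed_rapid_reset_sample(n=200, gap_s=0.002):
    """Constructed input: n streams, each opened and cancelled right away (~0.4 s total)."""
    ev = []
    for i in range(n):
        sid, ts = 2 * i + 1, i * gap_s
        ev += [(ts, "HEADERS", sid), (ts + 0.0001, "RST_STREAM", sid)]
    return ev

def constructed_browser_sample(n=30, gap_s=0.3):
    """Constructed input: n asset requests over ~9 s; every 10th is cancelled by navigation."""
    ev = []
    for i in range(n):
        sid, ts = 2 * i + 1, i * gap_s
        ev.append((ts, "HEADERS", sid))
        ev.append((ts + 0.1, "RST_STREAM" if i % 10 == 0 else "END_STREAM", sid))
    return ev
```

Running `classify_connection` on the two samples separates them by the reset burst rate and cancel ratio, while the open-stream count stays at 1 in both cases.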

The company reported that the record-breaking attack against its customers utilized a botnet with only 20,000 compromised devices. This stands out because the web security firm frequently encounters attacks launched by botnets powered by hundreds of thousands or even millions of machines.

The underlying vulnerability, believed to affect every web server implementing HTTP/2, carries the designation CVE-2023-44487 and holds a ‘high severity’ rating, with a CVSS score of 7.5.

Both Cloudflare and Google have published blog posts providing technical insights into the HTTP/2 Rapid Reset attack, with AWS also sharing a blog post describing the HTTP/2 Rapid Reset attacks it has observed.

These companies said that their existing DDoS protections generally handled HTTP/2 Rapid Reset attacks effectively, but they have implemented additional measures to mitigate this attack method. They have also alerted web server software vendors, which have started developing patches to prevent exploitation of this vulnerability.

Google issued a warning, stating, “Any enterprise or individual serving an HTTP-based workload to the Internet may face a risk from this attack. Web applications, services, and APIs hosted on a server or proxy capable of communicating via the HTTP/2 protocol could be vulnerable. Organizations should confirm that any servers they operate, supporting HTTP/2, are not vulnerable or should apply vendor patches for CVE-2023-44487 to reduce the impact of this attack vector.”

