Cloudflare, Google, and Amazon AWS revealed that a zero-day vulnerability in the HTTP/2 protocol has been used to mount massive, high-volume DDoS attacks, which they dubbed HTTP/2 Rapid Reset.
Decoding HTTP/2 Rapid Reset (CVE-2023-44487)
In late August 2023, Cloudflare discovered a zero-day vulnerability developed by an unknown threat actor. The vulnerability exploits the standard HTTP/2 protocol—a fundamental piece of how the Internet and most websites operate. HTTP/2 governs how browsers interact with a website, allowing them to “request” things like images and text quickly, all at once, no matter how complex the website is.
This new attack works by making hundreds of thousands of “requests” and immediately canceling them. By automating this “request, cancel, request, cancel” pattern at scale, threat actors overwhelm websites and can knock anything that uses HTTP/2 offline.
“Rapid Reset” provides threat actors with a powerful new way to attack victims across the Internet at an order of magnitude larger than anything the Internet has seen before. HTTP/2 is the basis for about 60% of all web applications and determines the speed and quality of how users see and interact with websites.
Based on Cloudflare’s data, several attacks leveraging Rapid Reset were nearly three times larger than the largest DDoS attack in Internet history. At the peak of this DDoS campaign, Cloudflare recorded and handled over 201 million requests per second and mitigated thousands of additional attacks.
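Server-side, the “request, cancel” pattern described above shows up as a burst of HTTP/2 RST_STREAM frames (the frame a client sends to cancel a stream) arriving right behind the HEADERS frames that opened them. The following is an added example of per-connection detection logic, not Cloudflare’s or Google’s code; the frame log format, connection ids, sample traffic and thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque


def build_sample_frames():
    """Constructed HTTP/2 frame log: (time_s, connection_id, frame_type, stream_id).
    conn-A behaves like a normal browser; conn-B replays the request/cancel pattern.
    These events are synthetic and not captured from any real server."""
    frames = []
    # Normal client: 20 requests spread over one second, one legitimate cancel.
    for i in range(20):
        frames.append((i * 0.05, "conn-A", "HEADERS", 2 * i + 1))
    frames.append((0.30, "conn-A", "RST_STREAM", 7))
    # Abusive client: 300 streams opened and each reset half a millisecond later.
    for i in range(300):
        t = 0.5 + i * 0.001
        frames.append((t, "conn-B", "HEADERS", 2 * i + 1))
        frames.append((t + 0.0005, "conn-B", "RST_STREAM", 2 * i + 1))
    frames.sort(key=lambda f: f[0])
    return frames


def detect_rapid_reset(frames, window_s=1.0, min_resets=100, min_ratio=0.5):
    """Return {connection_id: (time_flagged, opened, reset)} for connections that,
    within a sliding window of window_s seconds, reset at least min_resets streams
    and reset at least min_ratio of the streams they opened.
    Assumes only request-initiating HEADERS frames are logged; thresholds are
    example defaults, not values from any vendor's mitigation."""
    recent = defaultdict(deque)   # per-connection (time, frame_type) events in window
    flagged = {}
    for ts, conn, ftype, _stream in frames:
        if ftype not in ("HEADERS", "RST_STREAM") or conn in flagged:
            continue
        q = recent[conn]
        q.append((ts, ftype))
        while q and ts - q[0][0] > window_s:   # drop events older than the window
            q.popleft()
        opened = sum(1 for _, f in q if f == "HEADERS")
        reset = len(q) - opened
        if reset >= min_resets and opened and reset / opened >= min_ratio:
            flagged[conn] = (ts, opened, reset)
    return flagged


if __name__ == "__main__":
    for conn, (ts, opened, reset) in detect_rapid_reset(build_sample_frames()).items():
        print(f"{conn}: {reset}/{opened} streams reset within 1 s (flagged at t={ts:.3f}s)")
```

A flagged connection is the unit a server or load balancer would act on (for example by closing the connection or lowering its concurrent-stream limit), which is why the counters are kept per connection rather than globally.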
Thwarting the attack
Threat actors with record-shattering attack methods have difficulty testing and understanding their effectiveness due to the lack of infrastructure to absorb the attacks. For this reason, they often test against providers to better understand how their attacks will perform.
“While large-scale attacks such as those leveraging vulnerabilities like Rapid Reset can be complex and difficult to mitigate, they provide us unprecedented visibility into new threat actor techniques early in development,” said Grant Bourzikas, CSO at Cloudflare.
“While there is no such thing as ‘perfect disclosure,’ with downtime and bumps along the way, thwarting attacks and responding to breaking incidents requires organizations and security teams to live by the ‘assume breach’ mindset the Cloudflare team fosters. Ultimately, this allows us to be a proud partner that helps make the Internet secure.”
“While this DDoS attack and vulnerability may be in a league of their own, there will always be other zero-day, evolving threat actor tactics, and new novel attacks and techniques—the continuous preparation and response to these is core to our mission to help build a better Internet,” said Matthew Prince, CEO at Cloudflare.
A technical blog post with more details is available here.
Cloudflare engineers say that all providers with HTTP/2 services should assess their exposure to this issue.
“Software patches and updates for common web servers and programming languages may be available to apply now or in the near future. We recommend applying those fixes as soon as possible. For our customers, we recommend patching software and enabling the Application Load Balancer and Google Cloud Armor, which has been protecting Google and existing Google Cloud Application Load Balancing users,” they added.