Leading cloud and security providers Amazon Web Services, Cloudflare, and Google have reported mitigating a major zero-day Distributed Denial of Service (DDoS) attack technique named ‘HTTP/2 Rapid Reset’. Since August, these attacks have surpassed all previous records in magnitude: Cloudflare observed attacks peaking at 201 million requests per second (rps), and Amazon reported 155 million rps.
According to Cloudflare, the new peak is three times its previous record of 71 million rps, set in February 2023. Notably, this magnitude was reached with a relatively small botnet of just 20,000 machines. The company identified and neutralized over a thousand ‘HTTP/2 Rapid Reset’ DDoS attacks exceeding 10 million rps, 184 of which broke the previous 71 million rps record.
A Look at the HTTP/2 Rapid Reset Attack Mechanism
The novel ‘HTTP/2 Rapid Reset’ attack exploits a zero-day vulnerability tracked as CVE-2023-44487. It abuses a weakness in the HTTP/2 protocol that lets a client send requests and cancel them immediately, over and over, overwhelming the target server or application and inducing a Denial of Service (DoS) state.
Although HTTP/2 limits the number of simultaneously active streams on a connection to prevent DoS attacks, this safeguard is not sufficient on its own, so the protocol's developers also provided an efficient ‘request cancellation’ mechanism. A cancelled stream no longer counts against the limit, but the server has already started processing the request. Since late August, attackers have been abusing this feature by sending a continuous series of HTTP/2 requests and resets (RST_STREAM frames) to a server, vastly increasing its processing load and hindering its capacity to respond to new incoming requests.
Mitigation Strategies From Leading Security Providers
The three firms noted that HTTP/2 proxies and load balancers are particularly vulnerable to these bursts of rapid reset requests. Within Cloudflare's network, the greatest stress fell on the interface between the TLS proxy and its upstream counterpart, and the disruption surfaced as an increase in 502 errors for Cloudflare's clients.
Cloudflare mitigated these attacks with ‘IP Jail’, a system designed to tackle hyper-volumetric attacks that it extended to cover its entire infrastructure. The system temporarily “jails” offending IPs, barring them from using HTTP/2 on any Cloudflare domain. Amazon, for its part, mitigated dozens of these attacks while maintaining the availability of customer services.
In conclusion, experts recommend strengthening HTTP-flood protection to counter ‘HTTP/2 Rapid Reset’ attacks and building DDoS resilience through multi-layered mitigations. The companies kept the zero-day under wraps for over a month to give security vendors time to respond; the information is now public to prompt further action across the security community.
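The following is an added illustrative model, not code from Cloudflare, Amazon, Google or any HTTP/2 implementation. It serves two passages above: it shows why the concurrent-stream limit alone does not catch a rapid-reset pattern (each cancelled stream frees its slot immediately, so the count of open streams stays at one), and it sketches the server-side counters a defender can keep instead, namely a sliding-window count of RST_STREAM frames per connection plus a temporary per-IP “jail” in the spirit of the system described above. Frame events are constructed tuples standing in for parsed HEADERS and RST_STREAM frames; the thresholds, window and jail duration are assumptions to be tuned to real traffic, and the IP addresses are documentation-range placeholders.

```python
"""Server-side accounting for HTTP/2 rapid resets (added illustrative model).
Events are constructed (time_seconds, frame_type, stream_id) tuples standing in
for the HEADERS and RST_STREAM frames a real HTTP/2 server parses off the wire.
"""
from collections import deque
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100  # the limit HTTP/2 already advertises via SETTINGS
RESET_WINDOW_SECONDS = 1.0    # assumed sliding window for counting RST_STREAM frames
MAX_RESETS_PER_WINDOW = 50    # assumed threshold; tune to your own traffic
JAIL_SECONDS = 600            # assumed ban duration for an offending client IP


@dataclass
class ConnectionGuard:
    """Per-connection state: what the stream limit sees versus the reset rate."""
    active: set = field(default_factory=set)      # stream ids currently open
    resets: deque = field(default_factory=deque)  # timestamps of recent resets
    headers_seen: int = 0
    resets_seen: int = 0
    peak_concurrent: int = 0

    def on_headers(self, stream_id: int) -> str:
        # The only check the protocol's concurrent-stream limit provides.
        if len(self.active) >= MAX_CONCURRENT_STREAMS:
            return "refused"
        self.active.add(stream_id)
        self.headers_seen += 1
        self.peak_concurrent = max(self.peak_concurrent, len(self.active))
        return "accepted"

    def on_rst_stream(self, stream_id: int, now: float) -> str:
        # Cancelling frees the slot at once, so the limit above never trips,
        # even though the server has already begun work on the request.
        self.active.discard(stream_id)
        self.resets_seen += 1
        self.resets.append(now)
        while self.resets and now - self.resets[0] > RESET_WINDOW_SECONDS:
            self.resets.popleft()
        if len(self.resets) > MAX_RESETS_PER_WINDOW:
            return "close_connection"
        return "ok"


class IpJail:
    """Temporarily bans client IPs, in the spirit of the 'IP Jail' described above."""
    def __init__(self) -> None:
        self.until: dict[str, float] = {}

    def jail(self, ip: str, now: float) -> None:
        self.until[ip] = now + JAIL_SECONDS

    def is_jailed(self, ip: str, now: float) -> bool:
        expiry = self.until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.until[ip]  # ban has lapsed
            return False
        return True


def process_connection(ip: str, events, jail: IpJail) -> dict:
    """Feed one connection's frames through the guard; jail the IP if it trips."""
    guard = ConnectionGuard()
    closed = False
    for now, frame, stream_id in events:
        if frame == "HEADERS":
            guard.on_headers(stream_id)
        elif frame == "RST_STREAM":
            if guard.on_rst_stream(stream_id, now) == "close_connection":
                jail.jail(ip, now)
                closed = True
                break
    return {"headers": guard.headers_seen, "resets": guard.resets_seen,
            "peak_concurrent": guard.peak_concurrent, "closed": closed}


def rapid_reset_events(count: int, gap: float = 0.001):
    """Constructed frame sequence: every request is cancelled right after it is sent."""
    events = []
    for i in range(count):
        stream_id = 2 * i + 1  # client-initiated streams carry odd ids
        events.append((i * gap, "HEADERS", stream_id))
        events.append((i * gap + gap / 2, "RST_STREAM", stream_id))
    return events


def normal_events():
    """Constructed benign traffic: ten streams, two cancellations seconds apart."""
    events = [(i * 0.1, "HEADERS", 2 * i + 1) for i in range(10)]
    events += [(2.0, "RST_STREAM", 1), (5.0, "RST_STREAM", 3)]
    return sorted(events)


if __name__ == "__main__":
    jail = IpJail()
    print("rapid reset:", process_connection("198.51.100.7", rapid_reset_events(200), jail))
    print("jailed now?", jail.is_jailed("198.51.100.7", 1.0))
    print("normal:", process_connection("203.0.113.5", normal_events(), jail))
```

Running it shows the contrast the article describes: the rapid-reset connection never has more than one stream open, so the 100-stream limit is never reached, yet the reset counter closes the connection at the 51st cancellation and jails the source IP, while the benign connection with ten open streams and two widely spaced cancellations passes untouched. In a real deployment the same counters would be kept inside the HTTP/2 framing layer of the proxy or load balancer, which the three firms identified as the component under the most strain.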
Microsoft's Patch to Mitigate HTTP/2 Rapid Reset
Microsoft has already issued a patch to protect its services from HTTP/2 Rapid Reset as part of its October 2023 Patch Tuesday updates. That update fixes 104 security issues, including three zero-day flaws that were being actively exploited. Twelve of the 104 are rated ‘critical’, meaning they could allow remote attackers to execute arbitrary code on vulnerable systems, and another forty-five are also remote code execution issues with lower severity ratings. Microsoft has released patches for all of them and urges users to update their software as soon as possible.