A zero-day vulnerability in the HTTP/2 protocol is being actively exploited by threat actors to launch massive DDoS attacks. Google, Cloudflare and Amazon Web Services (AWS) have all reported attacks exploiting the vulnerability and have recently issued security advisories. The DDoS attacks are the largest ever seen, with Google reporting an attack that peaked at 398 million requests per second (rps), which smashed the previous record of 46 million rps. To put the attack into perspective, the attack generated more requests in 2 minutes than the number of article views Wikipedia received for the entire month of September 2023.
Cloudflare has also confirmed that it has seen record-breaking attacks, with the largest at 184 million rps, breaking the previous record of 71 million rps. Cloudflare has mitigated more than a thousand attacks exceeding 10 million rps since the vulnerability first started to be exploited in August. While these attacks have been record-breaking in scale, for the most part they have been conducted using relatively small botnets of around 20,000 infected machines. If a botnet consisting of hundreds of thousands of infected devices were used, the damage would be considerable. In its security advisory, Cloudflare pointed out that the entire web typically sees between 1 and 3 billion requests per second. If a sufficiently large botnet were used to exploit the vulnerability, the equivalent of the entire web's worth of requests could be focused on a small number of targets.
Cloudflare said its current protections were largely able to absorb the brunt of these attacks, and while there was some impact on customer traffic, it has been able to fine-tune its methods to stop attacks on Cloudflare customers without impacting its systems. Google, AWS, and Cloudflare collaborated in a coordinated disclosure of the attacks and the vulnerability and all have now implemented fixes. The delay in disclosing the vulnerability has allowed security vendors to implement appropriate mitigations before the vulnerability became more widely known and could be exploited by a larger number of actors.
The vulnerability, CVE-2023-44487, is a weakness in the HTTP/2 protocol. HTTP/2 allows multiple streams to be created over the same TCP connection, which helps to render web pages more efficiently, and any vendor that has implemented HTTP/2 will likely be affected. The vulnerability is exploited in what has been termed a Rapid Reset attack. An attacker opens many new streams and immediately sends RST_STREAM frames to cancel them. Because a cancelled stream no longer counts toward the server's limit on concurrent streams, the attacker can keep opening streams as fast as the connection allows, and since creating and cancelling a stream costs the server far more processing than it costs the client, servers can easily be overwhelmed. This means that relatively small botnets can be used for massive DDoS attacks.
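As an added example that is not part of the original article: a small Python detector that parses HTTP/2 frame headers and flags a connection whose client cancels most of the streams it opens, which is the pattern the attack described above relies on and the signal vendors used for their mitigations. The byte streams, the `max_resets` and `min_ratio` thresholds, and the stub HPACK payload are all constructed here for illustration.

```python
"""Flag HTTP/2 connections that reset streams about as fast as they open them.
Added example, not from the article: traffic below is constructed, thresholds are illustrative."""
import struct

# HTTP/2 frame header: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id (RFC 9113 s4.1)
FRAME_HEADER = struct.Struct("!3sBBI")
HEADERS, RST_STREAM = 0x1, 0x3
CANCEL = 0x8  # RST_STREAM error code a client uses to abandon a request

def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + FRAME_HEADER.size <= len(data):
        length3, ftype, flags, sid = FRAME_HEADER.unpack_from(data, off)
        length = int.from_bytes(length3, "big")
        sid &= 0x7FFFFFFF  # high bit is reserved and must be ignored
        payload = data[off + 9 : off + 9 + length]
        yield ftype, flags, sid, payload
        off += 9 + length

def rapid_reset_score(data: bytes, max_resets: int = 10, min_ratio: float = 0.5):
    """Return (streams_opened, streams_reset, abusive) for one client->server byte stream.
    A connection is judged abusive only when the client has reset at least max_resets
    streams AND resets make up at least min_ratio of the streams it opened; a browser
    cancelling a few images on navigation stays well below both bars."""
    opened, reset = set(), 0
    for ftype, _flags, sid, _payload in parse_frames(data):
        if ftype == HEADERS and sid not in opened:
            opened.add(sid)  # a new client-initiated request
        elif ftype == RST_STREAM and sid in opened:
            reset += 1
    abusive = reset >= max_resets and reset >= min_ratio * len(opened)
    return len(opened), reset, abusive

def frame(ftype: int, sid: int, payload: bytes = b"", flags: int = 0) -> bytes:
    """Serialise one frame; the 3-byte big-endian length precedes type, flags and stream id."""
    return FRAME_HEADER.pack(len(payload).to_bytes(3, "big"), ftype, flags, sid) + payload

def build_stream(n_streams: int, reset_every: int) -> bytes:
    """Constructed client traffic: n_streams GET requests, every reset_every-th one cancelled
    right after its HEADERS frame (0 means no cancellations)."""
    out = b""
    for i in range(n_streams):
        sid = 2 * i + 1  # client-initiated streams carry odd ids
        # flags 0x5 = END_STREAM | END_HEADERS; payload is stub HPACK for ":method GET, :path /"
        out += frame(HEADERS, sid, b"\x82\x84", flags=0x5)
        if reset_every and i % reset_every == 0:
            out += frame(RST_STREAM, sid, CANCEL.to_bytes(4, "big"))
    return out

BENIGN = build_stream(40, 0)       # a normal page load: 40 requests, nothing cancelled
RAPID_RESET = build_stream(40, 1)  # the attack shape: every request cancelled immediately
```

A server or proxy would evaluate this per connection and close offending connections with GOAWAY, which is the kind of rate-based mitigation the vendors described.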