Largest-ever DDoS leverages ‘Rapid Reset’ zero-day vulnerability

On Tuesday, Google, Cloudflare and Amazon AWS disclosed the biggest DDoS attack on record, observed in August, which compressed a month’s worth of Wikipedia traffic into a two-minute surge and did so by exploiting a flaw in one of the basic protocols that power the internet.

At its peak, the DDoS campaign described by the tech giants reached more than 398 million requests per second, more than eight times larger than the biggest DDoS attack previously seen by Google (46 million RPS) and well above Cloudflare’s previous record (71 million RPS).

“For a sense of scale, this two-minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September 2023,” Google said Tuesday.

The attack uses a new method that exploits a zero-day vulnerability dubbed “HTTP/2 Rapid Reset,” which abuses HTTP/2, the protocol that manages how computers request data from websites.

Cloudflare observed more than 180 instances in which its previous record was broken by malicious actors using the Rapid Reset vulnerability.
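The mechanism behind the “Rapid Reset” name, which the article does not spell out, is that an HTTP/2 client opens a stream with a HEADERS frame and may cancel it at once with an RST_STREAM frame, so one connection can churn through far more requests than the server’s concurrent-stream limit would otherwise permit. The monitor below is an added defensive example, not code from the article or from Google, Cloudflare or AWS: it tracks, per connection, how many streams a client opens and resets inside a sliding window and recommends a GOAWAY when the reset count or the reset-to-open ratio is abnormal. The frame events, connection id and thresholds are constructed for illustration.

```python
"""Per-connection HTTP/2 stream-reset monitor (added illustrative example)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set, Tuple

# Frame type codes as defined in RFC 9113 (only the two this check needs).
HEADERS = 0x1
RST_STREAM = 0x3


@dataclass
class Frame:
    """One client-to-server frame, reduced to the fields the check uses."""
    type: int
    stream_id: int
    ts: float  # arrival time in seconds


@dataclass
class Policy:
    """Thresholds are assumptions for illustration; tune against real traffic."""
    window_s: float = 1.0          # sliding window length
    max_resets: int = 100          # absolute resets tolerated per window
    min_streams: int = 20          # ratio check only once the sample is this big
    max_reset_ratio: float = 0.5   # resets / streams opened in the window


@dataclass
class ConnState:
    opened: Deque[float] = field(default_factory=deque)   # HEADERS timestamps
    resets: Deque[float] = field(default_factory=deque)   # RST_STREAM timestamps
    open_streams: Set[int] = field(default_factory=set)
    flagged: bool = False


class RapidResetMonitor:
    def __init__(self, policy: Optional[Policy] = None) -> None:
        self.policy = policy or Policy()
        self.conns: Dict[str, ConnState] = {}

    def _prune(self, dq: Deque[float], now: float) -> None:
        # Drop events that have fallen out of the sliding window.
        while dq and now - dq[0] > self.policy.window_s:
            dq.popleft()

    def observe(self, conn_id: str, frame: Frame) -> str:
        """Feed one frame; return 'ok' or 'goaway' (close this connection)."""
        st = self.conns.setdefault(conn_id, ConnState())
        if st.flagged:
            return "goaway"
        if frame.type == HEADERS and frame.stream_id not in st.open_streams:
            # A HEADERS frame on a new stream id opens a stream.
            st.open_streams.add(frame.stream_id)
            st.opened.append(frame.ts)
        elif frame.type == RST_STREAM and frame.stream_id in st.open_streams:
            # The client cancelled a stream it had opened.
            st.open_streams.discard(frame.stream_id)
            st.resets.append(frame.ts)
        self._prune(st.opened, frame.ts)
        self._prune(st.resets, frame.ts)
        n_open, n_reset = len(st.opened), len(st.resets)
        too_many = n_reset > self.policy.max_resets
        ratio_bad = (n_open >= self.policy.min_streams
                     and n_reset / n_open > self.policy.max_reset_ratio)
        if too_many or ratio_bad:
            st.flagged = True
            return "goaway"
        return "ok"


def normal_client_frames(n_requests: int = 50) -> List[Frame]:
    """Constructed sample: 50 requests at 10 per second, two of them cancelled."""
    frames: List[Frame] = []
    for i in range(n_requests):
        sid, ts = 2 * i + 1, i * 0.1
        frames.append(Frame(HEADERS, sid, ts))
        if i in (10, 30):
            frames.append(Frame(RST_STREAM, sid, ts + 0.01))
    return frames


def rapid_reset_frames(n: int = 1000) -> List[Frame]:
    """Constructed sample of the abusive pattern: every stream is opened and reset at once."""
    frames: List[Frame] = []
    for i in range(n):
        sid, ts = 2 * i + 1, i * 0.0005  # 1000 stream open/reset pairs in 0.5 s
        frames.append(Frame(HEADERS, sid, ts))
        frames.append(Frame(RST_STREAM, sid, ts))
    return frames


def evaluate(frames: List[Frame], conn_id: str = "conn-1") -> Tuple[str, int]:
    """Run one connection's frames through the monitor; return (verdict, frames seen)."""
    mon = RapidResetMonitor()
    verdict, seen = "ok", 0
    for f in frames:
        seen += 1
        verdict = mon.observe(conn_id, f)
        if verdict == "goaway":
            break
    return verdict, seen


if __name__ == "__main__":
    print("normal client:", evaluate(normal_client_frames()))
    print("rapid reset  :", evaluate(rapid_reset_frames()))
```

Legitimate clients do cancel streams (a browser leaving a page aborts its in-flight requests), so a deployment should log verdicts before enforcing them and tune the thresholds against its own traffic. The monitor is an observability layer; the underlying fix is the patched HTTP/2 implementation in the server or proxy that the vendors shipped.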

Stephen Gates, Principal Security SME, had this to say:

   “Those in the industry who have worked for decades to defeat DDoS attacks fully realize the challenges of dealing with attacks that take advantage of the way a protocol works, since these are often the most difficult to contend with. DDoS SMEs all agree there are likely dozens of novel protocol- and/or application-layer vulnerabilities sitting out there, ready to be discovered, and used to attack the most vulnerable aspect of the internet – its availability.

   “This attack took advantage of a vulnerability in the way the HTTP2 protocol works, and in doing so, broke every record on the books for generating the most requests per second ever observed. This type of attack would most likely be classified as a reflective style of attack due to reports that said a small number of botnet infected devices (~20k) were able to generate a massive amount of requests due to the way the protocol was built.

   “At one point in time, most people thought DDoS attacks were going to go extinct like the dodo bird. This event serves to remind the industry that DDoS attacks are alive and well and won’t go away anytime soon. It’s only a matter of time before more protocol- and/or application-layer vulnerabilities are discovered and exploited with similar outcomes.”

Clearly, defending against DDoS attacks is something you need to add to your playbook, and that includes addressing vulnerabilities in the protocols that carry traffic across the Internet. This attack shows that the problem is here today.
