Distributed Denial-of-Service (DDoS) attacks are not a new phenomenon, but the recent surge in their volume and intensity has raised many eyebrows. A unique exploit in the HTTP/2 protocol, known as Rapid Reset, has led to record-breaking DDoS attacks, surpassing 100 million requests per second (RPS). This blog post aims to dissect the technical details of this new vulnerability and the subsequent attacks, along with recommended security measures to mitigate such risks.

Technical Details

The HTTP/2 Rapid Reset Vulnerability

The HTTP/2 Rapid Reset vulnerability, officially recognized as CVE-2023-44487, came to light after extensive industry research. This flaw has been weaponized by unknown actors to target major service providers like Amazon Web Services (AWS), Cloudflare, and Google Cloud. Fastly also reported a similar attack peaking at an astonishing 250 million RPS for a brief span of three minutes.

Impact on DDoS Traffic

The recent campaign resulted in a 65% spike in HTTP DDoS attack traffic for Q3 compared to the previous quarter. A 14% rise in L3/4 DDoS attacks was also observed. Notably, the total HTTP DDoS attack requests surged to 8.9 trillion in the quarter, a marked increase from 5.4 trillion in Q2 2023 and 4.7 trillion in Q1 2023.

Botnet Force Multiplier

Cloud platforms are also being used to amplify the attack force. Botnets exploiting the HTTP/2 vulnerability can exert up to 5,000 times more force per node, facilitating hyper-volumetric DDoS attacks. This escalation puts a significant number of industries at risk, including gaming, IT, cryptocurrency, computer software, and telecom sectors.

Geographical Trends in Attacks

Interestingly, the geographical distribution of the attacks shows that the major sources are the U.S., China, Brazil, Germany, and Indonesia for application layer (L7) DDoS attacks. Conversely, the primary targets for HTTP DDoS attacks are the U.S., Singapore, China, Vietnam, and Canada.

Botnets and Geographical Trends

The Role of Botnets

Botnets have always been an essential part of DDoS attacks. However, the HTTP/2 Rapid Reset vulnerability allows these botnets to exert up to 5,000 times more force per node. This feature facilitates what is referred to as hyper-volumetric DDoS attacks.

Most Targeted Industries and Sources of Attacks

Some of the industries most targeted include gaming, IT, cryptocurrency, computer software, and telecom. Countries like the U.S., China, Brazil, Germany, and Indonesia have emerged as major sources of application layer (L7) DDoS attacks. On the other hand, the U.S., Singapore, China, Vietnam, and Canada are primarily on the receiving end of these HTTP DDoS attacks.

Recommendations

Optimal Use of Cloudflare’s HTTP Reverse Proxy

For those using Cloudflare’s CDN/WAF services, it is crucial to ensure full utilization of their protective features. Cloudflare has already equipped its services to safeguard against such HTTP DDoS attacks.

Implementation of Automated, Always-On HTTP DDoS Protection

For organizations not currently using any HTTP DDoS protection or Cloudflare customers using non-HTTP services, the recommendation is straightforward. Implement an automated, always-on HTTP DDoS protection service. This proactive step can significantly enhance your security posture and ensure the uninterrupted operation of your online platforms.

Ending Note

This disclosure has surfaced during a period when the internet is experiencing fluctuations in traffic patterns, partly influenced by global events such as the Israel-Hamas conflict. During such times, Cloudflare has successfully thwarted multiple attack attempts aimed at websites linked to both Israeli and Palestinian entities.

Final Thoughts

Understanding the intricacies of the HTTP/2 Rapid Reset vulnerability is critical for web service providers and organizations that rely heavily on online platforms. The unprecedented scale of these attacks calls for immediate, coordinated action across the industry. By adopting recommended protective measures and staying updated on security advisories, organizations can strengthen their defenses against this new wave of hyper-volumetric DDoS attacks.

Also Read:

Categorized in:

Computer TricksCyber Security

Tagged in:

, , , , , , , ,