A recent vulnerability in Google’s HTTP/2 protocol has not only exposed the fragility of our interconnected systems but has also led to record-breaking DDoS attacks.
The vulnerability, known as “Rapid Reset,” is a Zero-Day flaw in the HTTP/2 protocol. This has been the epicenter of a series of staggering DDoS attacks. Google, Amazon, and Cloudflare have all reported record-setting attacks based on this vulnerability, with Google experiencing an eye-watering 398 million requests per second (RPS).
To put this into perspective, the volume of requests Google had to fend off within just two minutes exceeded the total number of Wikipedia page views for the entire month of September 2023. Cloudflare, too, had its hands full, dealing with up to 201 million RPS originating from a botnet of merely 20,000 participants.
What makes this HTTP/2 Rapid Reset flaw so perilous is its potential for exploitation. Cloudflare warns that even a relatively small botnet could unleash a torrent of requests capable of crippling almost any server or application supporting HTTP/2.
Amazon Web Services (AWS) also detected an attack peaking at 155 million RPS in late August. Microsoft has been proactive, releasing immediate remedial measures for its IIS, .NET, and Windows platforms.
The vulnerability exploited in the attacks, registered as CVE-2023-44487, allows for the abusive use of RST_STREAM frames within a TCP connection. This enables an attacker to continually open and close new streams, thereby overloading the target system. Google has elaborated on this in a separate blog post, emphasizing the exploitable cost asymmetry between the server and the client.
Companies are advised to update their systems and apply patches to mitigate the risks associated with this vulnerability. Microsoft has also provided some guidelines for online service operators.