Google’s HTTP/2 Vulnerability Leads to Record-Breaking DDoS Attacks

A Google HTTP/2 protocol flaw led to record-breaking DDoS attacks, affecting giants like Amazon and Cloudflare. The vulnerability, dubbed "Rapid Reset," allowed attackers to overload servers with unprecedented request volumes, prompting urgent industry responses.

A recent vulnerability in Google’s HTTP/2 protocol has not only exposed the fragility of our interconnected systems but has also led to record-breaking DDoS attacks.

The vulnerability, known as “Rapid Reset,” is a Zero-Day flaw in the HTTP/2 protocol. This has been the epicenter of a series of staggering DDoS attacks. Google, Amazon, and Cloudflare have all reported record-setting attacks based on this vulnerability, with Google experiencing an eye-watering 398 million requests per second (RPS).

To put this into perspective, the volume of requests Google had to fend off within just two minutes exceeded the total number of Wikipedia page views for the entire month of September 2023. Cloudflare, too, had its hands full, dealing with up to 201 million RPS originating from a botnet of merely 20,000 participants.

What makes this HTTP/2 Rapid Reset flaw so perilous is its potential for exploitation. Cloudflare warns that even a relatively small botnet could unleash a torrent of requests capable of crippling almost any server or application supporting HTTP/2.

Amazon Web Services (AWS) also detected an attack peaking at 155 million RPS in late August. Microsoft has been proactive, releasing immediate remedial measures for its IIS, .NET, and Windows platforms.

The vulnerability exploited in the attacks, registered as CVE-2023-44487, allows for the abusive use of RST_STREAM frames within a TCP connection. This enables an attacker to continually open and close new streams, thereby overloading the target system. Google has elaborated on this in a separate blog post, emphasizing the exploitable cost asymmetry between the server and the client.

Companies are advised to update their systems and apply patches to mitigate the risks associated with this vulnerability. Microsoft has also provided some guidelines for online service operators.

Bhasker Das
Bhasker Das
Bhasker Das, with a master's in Cybersecurity, is a seasoned editor focusing on online security, privacy, and protection. When not decrypting the complexities of the cyber world, Anu indulges in his passion for chess, seeing parallels in strategy and foresight.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.

More from this stream