In a historic turn of events, a severe security flaw in the HTTP/2 protocol has been mercilessly exploited, leading to the largest Distributed Denial of Service (DDoS) attack in history. Major tech giants, including Google, AWS, and Cloudflare, managed to thwart the attack, but the incident has raised grave concerns.
The Record-Breaking DDoS Assault
Unveiling the magnitude of this attack, Google, AWS, and Cloudflare reported that it’s indeed the largest DDoS assault ever encountered. This assault emerged from a novel vulnerability, tagged as CVE-2023-44487, lurking in the HTTP/2 protocol, a vital set of internet file transfer rules. The vulnerability allowed cybercriminals to manipulate and overload servers by canceling numerous request streams promptly.
Detailed Disclosure
In response to this threat, Google Cloud, Amazon Web Services, and Cloudflare collaborated in a coordinated disclosure strategy. They published informative blog posts and advisories to shed light on the intricate details of the DDoS attack vector. Google’s blog post described the assault, named “Rapid Reset,” as having unfolded over several months, reaching its zenith in August. It has been noted that most application layer DDoS attacks across Google services have been rooted in HTTP/2 since late 2021. The efficiency of HTTP/2, aimed at enhancing user experience, ironically paved the way for these cyber onslaughts.
The Power of HTTP/2
HTTP/2’s dominance in these attacks stems from its capacity to process multiple concurrent requests, a significant departure from HTTP/1.1’s sequential request handling. This unique feature empowers HTTP/2 to execute a far greater number of concurrent requests compared to older protocols.
Rapid Reset Technique
The “Rapid Reset” technique involves the attacker opening a multitude of streams simultaneously, but rather than waiting for responses, the attacker cancels each request immediately. This method allows each connection to host an endless stream of requests, solely dependent on network bandwidth, rather than round-trip time.
Widespread Vulnerability
A spokesperson from AWS underlined the need for web servers to be updated comprehensively to address the issue and provide broader mitigation. Cloudflare emphasized that the risk of CVE-2023-44487 and Rapid Reset attacks is widespread, affecting every modern web server due to their implementation of HTTP/2.
Historical Attack Technique
Cloudflare, Google, and AWS jointly revealed a zero-day vulnerability known as ‘HTTP/2 Rapid Reset’ that led to the colossal DDoS attacks. This vulnerability exploits the HTTP/2 protocol, known for its stream cancellation feature. Malicious actors automated a pattern of sending and immediately canceling requests, leading to massive server overloads and takedowns.
HTTP/2’s Stream Multiplexing
HTTP/2 employs stream multiplexing, enabling multiple simultaneous requests over a single TCP connection. This innovative feature drastically improved the utilization of each connection, as opposed to the serial request handling of HTTP/1.1. The capability to open numerous concurrent streams on a single TCP connection is a defining feature of HTTP/2, allowing requests to be processed in parallel.
Coordinated Disclosure and Mitigation
Cloudflare, Google, Microsoft, and Amazon worked diligently to mitigate these massive DDoS attacks. They collectively managed to protect their infrastructure from these unprecedented Layer 7 attacks. The attacks exploited a zero-day vulnerability in the HTTP/2 protocol known as ‘HTTP/2 Rapid Reset.’ By sending and canceling requests at an alarming rate, attackers overwhelmed servers, causing service disruptions.
Rapid Reset Attack Method
The Rapid Reset attacks were characterized by rapidly sending and canceling a multitude of requests to websites employing HTTP/2. This process led to server overloads and outages, demonstrating the severity of the vulnerability.
The Vulnerability’s Mechanics
The vulnerability leverages the HTTP/2 feature known as ‘stream cancellation.’ Attackers automated the process of sending requests and immediately canceling them, flooding servers and incapacitating them. This relentless cycle caused servers to interpret and act upon requests that were promptly canceled by the client, effectively crippling the targeted websites.
Conclusion
In conclusion, the recent large-scale DDoS attacks have brought to light the critical need for continuous vigilance and mitigation against emerging threats. The collaboration and swift response from tech giants like Google, AWS, and Cloudflare have managed to thwart this unprecedented assault. However, this incident underscores the ongoing challenges in ensuring the security and resilience of the internet infrastructure.
Follow our Twitter Account for Daily Insights on Technology
https://twitter.com/IronedTech
Don’t Forget more News at