Rapid Reset Attack


Google, AWS, and Cloudflare successfully thwarted what has been reported as the largest DDoS attack on record. The attack exploited a novel DDoS vulnerability, CVE-2023-44487, in the HTTP/2 protocol that browsers and web servers use to exchange requests and responses.

[Figure: Rapid Reset attack. Image credit: Cloudflare]

The vulnerability lets an attacker open and then reset many streams in quick succession; the server spends resources on each request even though the client cancels it, and under enough load this results in a denial of service. Google described this attack as “the largest DDoS attack to date,” reaching over 398 million requests per second. Cloudflare recorded a peak of more than 201 million requests per second, almost three times larger than their previous record-setting attack.


The attackers orchestrated this significant attack with a relatively small botnet of 20,000 machines, which raises concern about how effectively such a small botnet can concentrate an enormous volume of requests on specific targets. Most application-layer DDoS attacks observed by Google since late 2021 have been based on HTTP/2; the protocol's efficiency benefits legitimate traffic but also makes DDoS attacks more effective.

The HTTP/2 protocol’s ability to process requests as concurrent “streams” on a single connection has made it a prime target for attackers compared to the older HTTP/1.1 protocol, which handles requests on a connection one after another.

This DDoS attack, named “Rapid Reset,” involved opening numerous streams at once; instead of waiting for responses, the attacker canceled each request immediately, keeping an effectively unbounded number of requests in flight without ever exceeding the server's limit on concurrent open streams.


All three vendors, Google, AWS, and Cloudflare, implemented mitigations to combat the attack and prevent outages. AWS identified the attack within minutes and automatically mitigated it using CloudFront.

Google’s load balancing infrastructure stopped most of the Rapid Reset attacks at the network’s edge. Cloudflare experienced spikes in 502 errors and requests but rapidly responded with changes and mitigations that protected all their customers.

Mitigations include closing the entire TCP connection when abuse is detected, tracking per-connection statistics, and prioritizing connections for built-in HTTP/2 mitigation based on various signals. The vendors have also added internal detections and further mitigations.
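The per-connection tracking and connection-closing mitigation described above, as an added illustration that is not code from any of the vendors: a small guard that counts HEADERS and RST_STREAM frames per connection and returns "close" once the cancel pattern crosses a threshold. The threshold values, the frame log format and the two traffic samples are constructed assumptions for this example.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class ConnStats:  # per-connection counters a server or proxy could keep
    opened: int = 0                 # HEADERS frames (new streams) seen from the client
    reset: int = 0                  # RST_STREAM frames seen from the client
    recent_resets: deque = field(default_factory=deque)  # reset timestamps inside the window

class RapidResetGuard:
    """Decide when a connection's open-then-cancel pattern warrants closing the TCP connection.
    Threshold values are illustrative assumptions, not vendor-published numbers."""
    def __init__(self, window_s=1.0, max_resets=100, min_streams=50, max_ratio=0.5):
        self.window_s, self.max_resets, self.min_streams, self.max_ratio = window_s, max_resets, min_streams, max_ratio
        self.conns = {}
    def on_frame(self, conn_id, frame_type, ts):  # record one client frame; return 'ok' or 'close'
        st = self.conns.setdefault(conn_id, ConnStats())
        if frame_type == "HEADERS":
            st.opened += 1
        elif frame_type == "RST_STREAM":
            st.reset += 1
            st.recent_resets.append(ts)
            while st.recent_resets and ts - st.recent_resets[0] > self.window_s:
                st.recent_resets.popleft()  # drop resets that fell out of the sliding window
        return "close" if self._abusive(st) else "ok"
    def _abusive(self, st):
        # Rule 1: raw reset rate inside the window (catches fast cancel loops).
        if len(st.recent_resets) > self.max_resets:
            return True
        # Rule 2: share of streams cancelled, once enough streams exist to judge fairly.
        return st.opened >= self.min_streams and st.reset / st.opened > self.max_ratio

def constructed_traffic():
    """Constructed frame logs: a normal browsing session and a connection cancelling every request."""
    benign = [("benign", "HEADERS", float(i)) for i in range(60)]
    benign += [("benign", "RST_STREAM", t) for t in (10.5, 20.5, 30.5)]  # user navigated away
    attack = []
    for i in range(1000):  # open and immediately cancel, all inside half a second
        attack.append(("attack", "HEADERS", i * 0.0005))
        attack.append(("attack", "RST_STREAM", i * 0.0005 + 0.0001))
    return benign + attack

def first_close_index(events, guard=None):
    """Return {conn_id: index of the frame at which 'close' was first decided} for closed connections."""
    guard = guard or RapidResetGuard()
    closed = {}
    for i, (conn_id, frame_type, ts) in enumerate(events):
        if guard.on_frame(conn_id, frame_type, ts) == "close":
            closed.setdefault(conn_id, i)
    return closed
```

With the defaults the attacking connection is closed after about fifty open/cancel cycles, while the browsing session with a handful of cancellations is never touched.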

Several software vendors, including Apple, Microsoft, and F5, have issued patches alongside this disclosure. Cloudflare noted that the risk of CVE-2023-44487 and Rapid Reset attacks is widespread since it exploits an underlying HTTP/2 protocol weakness affecting all modern web servers.


In response, organizations must prioritize ongoing processes for incident management, patching, and evolving security protections to mitigate such threats effectively. Applying patches reduces the risk but does not necessarily eliminate it, so organizations also need tailored protections to counter the vulnerability effectively.
