Internet infrastructure giants Google, Amazon Web Services (AWS) and Cloudflare announced this week that they successfully defended against what is being called the largest distributed denial-of-service (DDoS) attack ever recorded.
The attack stemmed from a new DDoS vulnerability, designated CVE-2023-44487, in the HTTP/2 protocol. HTTP/2 is the standardized protocol governing how web clients and servers transfer data across the internet.
The National Institute of Standards and Technology (NIST) described the vulnerability as allowing denial-of-service attacks through the rapid resetting of multiple streams. NIST reported that this vulnerability was actively exploited in the wild from August through October 2023.
Attack Peaks at Over 398 Million Requests Per Second
The massive attack peaked at over 398 million requests per second according to Google, and 201 million requests per second according to Cloudflare. For context, Cloudflare noted that the entire global internet typically sees between 1 and 3 billion requests per second. This illustrates the unprecedented scale of the attack.
“Concerning is the fact that the attacker was able to generate such an attack with a botnet of merely 20,000 machines,” wrote Cloudflare engineers Lucas Pardue and Julien Desgats. “There are botnets today that are made up of hundreds of thousands or millions of machines. Given that the entire web typically sees only between 1–3 billion requests per second, it’s not inconceivable that using this method could focus an entire web’s worth of requests on a small number of targets.”
Novel HTTP/2 Vulnerability Allowed ‘Rapid Reset’ of Requests
As described in the vendors' disclosures, the attack exploited a novel DDoS vulnerability in the HTTP/2 network protocol, tracked as CVE-2023-44487. The vulnerability lets attackers rapidly open and reset numerous streams, so that a near-limitless number of concurrent requests can be used to flood targets.
“The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight,” explained Google engineers Juho Snellman and Daniele Iamartino in a technical analysis. “By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams.”
This new attack method dubbed “Rapid Reset” allowed attackers to generate enormous volumes of traffic from relatively few compromised devices. Cloudflare engineers observed that the attack was conducted using a botnet of just 20,000 machines.
Since the end of 2021, the majority of application layer, or Layer 7, DDoS attacks observed across Google services have been based on HTTP/2, “both by number of attacks and by peak request rates.”
“A primary design goal of HTTP/2 was efficiency, and unfortunately the features that make HTTP/2 more efficient for legitimate clients can also be used to make DDoS attacks more efficient,” the Google post read.
DDoS Attacks Conducted Over Several Months, Peaking in August
The Rapid Reset attacks occurred over several months, peaking in August 2023 according to Google. The company said HTTP/2-based attacks have dominated application-layer DDoS events across Google services since late 2021.
Infrastructure Providers Successfully Defend Networks
Despite the unprecedented scale, Google stated that its load balancing infrastructure “largely” stopped the attack at the edge of its network, preventing outages. AWS and Cloudflare also reported successfully defending their infrastructure and customers from the novel attacks.
Google also added that blocking individual requests would not suffice; instead, the entire TCP connection had to be closed as soon as abuse was detected.
Broader mitigations include tracking per-connection statistics and using a range of signals to prioritize which connections to shut down with HTTP/2's built-in GOAWAY frame.
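The mechanism in the Google quote above (streams reset immediately, so the concurrent-stream limit is never exceeded) and the connection-level mitigation Google describes, as an added example that is not code from Google, AWS or Cloudflare. The guard, its thresholds and the two traces are hypothetical and constructed; it tracks what share of recently opened streams a client reset and returns a GOAWAY verdict for the whole connection, while also recording the peak number of concurrently open streams to show why a concurrency cap alone does not catch the pattern.

```python
from collections import deque

# Event types fed to the guard: two client frames and the server finishing a stream.
HEADERS, RST_STREAM, END_STREAM = "HEADERS", "RST_STREAM", "END_STREAM"


class RapidResetGuard:
    """Per-connection mitigation (hypothetical policy, not any vendor's code): track what
    share of recently opened streams the client reset and, once that share is implausible
    for a real browser, send GOAWAY and close the whole TCP connection."""

    def __init__(self, window=50, max_reset_ratio=0.5, min_streams=20):
        self.recent = deque(maxlen=window)  # ids of the last `window` streams opened
        self.reset_ids = set()              # which of those the client reset
        self.open_streams = set()
        self.peak_concurrent = 0            # shows why a concurrency cap alone fails
        self.max_reset_ratio = max_reset_ratio
        self.min_streams = min_streams

    def on_event(self, kind, stream_id):
        """Feed one event; return 'OK' or 'GOAWAY'."""
        if kind == HEADERS:
            self.open_streams.add(stream_id)
            self.recent.append(stream_id)
            self.peak_concurrent = max(self.peak_concurrent, len(self.open_streams))
        elif kind == RST_STREAM and stream_id in self.open_streams:
            self.open_streams.discard(stream_id)
            self.reset_ids.add(stream_id)   # cancelled before the server answered
        elif kind == END_STREAM:
            self.open_streams.discard(stream_id)
        self.reset_ids &= set(self.recent)  # forget resets that fell out of the window
        if len(self.recent) < self.min_streams:
            return "OK"                     # too little data to judge
        ratio = len(self.reset_ids) / len(self.recent)
        return "GOAWAY" if ratio > self.max_reset_ratio else "OK"


def run_trace(events):
    """Replay (kind, stream_id) events; return (verdict, peak concurrently open streams)."""
    guard = RapidResetGuard()
    for kind, sid in events:
        if guard.on_event(kind, sid) == "GOAWAY":
            return "GOAWAY", guard.peak_concurrent
    return "OK", guard.peak_concurrent


# Constructed traces: a browser lets most streams finish and cancels a few; the Rapid
# Reset pattern described above resets every stream right after opening it.
LEGIT_TRACE = [e for sid in range(1, 81, 2)
               for e in ((HEADERS, sid), (RST_STREAM if (sid // 2) % 5 == 0 else END_STREAM, sid))]
RAPID_RESET_TRACE = [e for sid in range(1, 81, 2) for e in ((HEADERS, sid), (RST_STREAM, sid))]
```

Both traces keep at most one stream open at a time, so only the reset ratio, not the concurrency count, separates them.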
All three companies implemented extensive monitoring, custom mitigation techniques and patched vulnerable software to defend against the new HTTP/2 vulnerability exploitation.
Broad Infrastructure Impact, Patches Now Available
As part of coordinated disclosure, software vendors including Apple, Microsoft and F5 Networks released patches the same day as Google, AWS and Cloudflare published detailed technical analyses of the novel attacks.
However, experts warn the underlying vulnerability in HTTP/2 impacts a broad range of products and services.
“Because the attack abuses an underlying weakness in the HTTP/2 protocol, we believe any vendor that has implemented HTTP/2 will be subject to the attack,” noted Pardue and Desgats of Cloudflare. “This includes every modern web server.”
Ongoing Process to Patch and Mitigate Vulnerabilities
While patches are now available, managing complex infrastructure takes time. Alex Forster, a software engineer at Cloudflare, emphasized that mitigating vulnerabilities is an ongoing process.
“Organizations must turn incident management, patching and evolving security protections into ongoing processes,” said Forster. “The patches for each variant of a vulnerability reduce risk but don’t always completely eliminate it.”
Importance of Coordination and Evolving Defenses
The successful defense against the largest DDoS attack on record illustrates the importance of continuous monitoring, evolving mitigations and collaboration between internet infrastructure providers. As attacks grow in scale and sophistication, no single vendor can defend against novel threats alone.
Google, AWS and Cloudflare demonstrated how quickly detecting, analyzing and patching emerging vulnerabilities combined with custom DDoS defenses can protect essential online services from disruption. Their example provides a model for effective coordinated disclosure and mitigation of critical internet infrastructure threats.