Largest-ever DDoS leverages zero-day vulnerability
Distributed denial of service attacks just keep getting bigger. On Tuesday, a coalition of tech giants revealed the biggest one yet, a DDoS campaign from August that compressed a month’s worth of Wikipedia traffic into a two-minute deluge and exploited a flaw in the fundamental technology powering the internet to do it.
At its peak, the DDoS campaign described by Google, Cloudflare and Amazon AWS reached more than 398 million requests per second (RPS) — more than eight times larger than the biggest DDoS attack previously observed by Google, which clocked in at 46 million RPS, according to the firm. The new attack uses a novel method that exploits a zero-day vulnerability dubbed “HTTP/2 Rapid Reset,” which takes advantage of the protocol that manages how computers request data from websites.
“For a sense of scale, this two-minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September 2023,” Google said Tuesday.
The DDoS attacks using the vulnerability have been ongoing since August and have targeted major infrastructure providers like Google Cloud, Cloudflare and Amazon Web Services.
The largest DDoS attack previously observed by Cloudflare clocked in at 71 million RPS. But Cloudflare has now observed more than 180 instances in which that record has been broken by malicious actors using the Rapid Reset vulnerability and in excess of an additional 1,000 instances in which DDoS campaigns using the vulnerability have broken the 10 million RPS range.
Cloudflare deems the vulnerability that enabled the massive traffic attack — CVE-2023-44487 — a zero-day, but its exploitation has not been attributed to any specific actor. The exploit takes advantage of a stream cancellation feature used by HTTP/2, which is used by roughly 60 percent of browser traffic.
“The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately,” Google wrote.
The attack is efficient. Only 20,000 botnets were used in the campaign, which is a far cry from the typical number of infected machines used in a DDoS attack, Cloudflare wrote.
“There are botnets today that are made up of hundreds of thousands or millions of machines,” Cloudflare said. “Given that the entire web typically sees only between 1–3 billion requests per second, it’s not inconceivable that using this method could focus an entire web’s worth of requests on a small number of targets.”
Alex Forster, the tech lead for DDoS mitigation at Cloudflare, warned that today’s disclosure sets off a race between who can patch before someone exploits the vulnerability. “Organizations should assume that systems will be tested, and take proactive measures to ensure protection,” Forster said in an email.
Earlier this year, Cloudflare warned of increasingly sophisticated DDoS attacks that can be highly disruptive to organizations unprepared to handle the onslaught of traffic. Cloud-based virtual machines and virtual private servers are helping to enable larger attacks, and denying access to websites represent an easy way for hacktivist groups to deliver political messages.
While larger DDoS attempts are anticipated, the attack announced Tuesday was unexpected even when taking into account the increasing volumes, said Damian Menscher, a security reliability engineer that focuses on DDoS at Google.
