Skip to main content
close search
site logo

Cloud giants sound alarm on record-breaking DDoS attacks

Google, AWS and Cloudflare warned the HTTP/2 Rapid Reset attacks are beyond anything ever recorded.

Published Oct. 10, 2023
David Jones's headshot
Reporter
Header image for "43% of Audit Executives Rank Cybersecurity Controls as 2023's Lead Risk"
Colin Anderson Productions pty ltd

AWS, Cloudflare and Google observed mass exploits of a novel zero-day vulnerability used to launch distributed denial of service attacks reaching a record-breaking scale, the companies said Tuesday.

Security researchers warned threat actors are exploiting the zero-day vulnerability, HTTP/2 Rapid Reset, to launch a series of attacks. Observations of peak requests per second during the attacks varied widely between AWS, Cloudflare and Google.

Google said the attacks peaked at 398 million requests per second, surpassing the peak DDoS attack observed during 2022, which topped off at 46 million requests per second

The vulnerability is being tracked as CVE-2023-44487 and has a high severity CVSS score of 7.5, according to Google. 

“This zero day provided threat actors with a critical new tool in their Swiss Army knife of vulnerabilities to exploit and attack their victims at a magnitude that has never been seen before,” Cloudflare CSO Grant Bourzikas said Tuesday in a blog post.

The vulnerability allows attackers to make hundreds of thousands of requests and then immediately cancel them at a scale that overwhelms the site, according to Cloudflare.

Cloudflare said it was handling about 201 million requests per second at the peak of this series of attacks.

“One crucial thing to note about the record-breaking attack is that it involved a modestly-sized botnet, consisting of roughly 20,000 machines,” Bourzikas said.

AWS said it detected an unusual spike in requests  at 155 million requests per second Aug. 28-29. This new type of HTTP/2 request flood continued through the month of September, according to AWS.

Despite the spectacular nature of some of these attacks, HTTP/2 Rapid Reset remains just an optimization of an older attack method called asymmetric query attacks, according to David Holmes, a principal analyst at Forrester.

Due to the client/server nature of HTTP and most of the web, malicious clients can make very expensive requests using relatively very little compute power or packet space.

“Think about a malicious client requesting your largest PDF a hundred times a second for a couple of hours,” Holmes said via email. “The new rapid reset attack might allow the attacker to request that PDF a thousand times a second instead of a hundred, but either way your web server was going to be toast.”

Editors' picks

Company Announcements

View all | Post a press release
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell