New DDoS Attack is Record Breaking: HTTP/2 Rapid Reset Zero-Day Reported by Google, AWS & Cloudflare

A vulnerability in the HTTP/2 network protocol is currently being exploited, resulting in the largest DDoS attack in history. Learn what security teams should do now and hear what Cloudflare’s CEO has to say about this DDoS.

Google, AWS And Cloud flare have reported and prosecuted the exploitation of a zero-day vulnerability called HTTP/2 Rapid Reset CVE-2023-44487which is currently used in the wild to power the largest Distributed denial of service attack campaigns that ever existed. Any organization or individual that uses servers that provide HTTP/2 to the Internet is vulnerable.

Jump to:

What is HTTP/2?

HTTP/2, also known as HTTP/2.0, is a major overhaul of the HTTP network protocol used to transfer data between computers and web servers. HTTP/2 was designed to make web applications faster, more efficient and more secure.

A fundamental difference to HTTP/1.1 lies in its multiplexing capabilities. In HTTP/1.1, parallel communication required multiple connections, resulting in inefficiency and increased latency. HTTP/2 allows multiple requests and responses to be sent and received in parallel over a single TCP connection.

What is the HTTP/2 Rapid Reset attack?

The HTTP/2 rapid reset attack exploits HTTP/2’s stream cancel feature: the attacker sends a request and immediately cancels it.

Automating this send/cancel process at scale leads to a DDoS attack that attackers have carried out using multiple bots (Figure A).

Figure A

HTTP/1.1 and HTTP/2 attacks.
HTTP/1.1 and HTTP/2 attacks. Image: Google

DDoS on an unprecedented scale

Amazon observed and responded to more than a dozen HTTP/2 rapid reset attacks over a two-day period in late August, with the most powerful attack hitting its infrastructures at 155 million requests per second. Cloudflare reported a peak of 201 million requests per second and repelled more than 1,100 additional attacks at more than 10 million RPS, with 184 attacks exceeding the previous DDoS record of 71 million RPS.

Google reported the largest attackwhich reached a peak of 398 million RPS using the HTTP/2 Rapid Reset technique (Figure B). As Google noted in its blog post about the DDoS attack: “To illustrate the scale, this two-minute attack generated more queries than the total number of article views reported by Wikipedia for the entire month of September 2023.”

Figure B

The peak of the HTTP/2 rapid reset attack is 398 million RPS.
The peak of the HTTP/2 rapid reset attack is 398 million RPS. Image: Google

When we asked Matthew Prince, CEO and co-founder of Cloudflare, about the number of bots required to launch such attacks, he said that “between 10,000 and 20,000 nodes are required in the botnet, which is relatively small.” That’s concerning , as botnets are now widespread and have hundreds of thousands or millions of nodes. And this attack should scale linearly with the number of nodes in the botnet. It may be possible to generate an attack larger than the web’s estimated legitimate traffic volume (1-3 billion requests per second), but focused on a single victim. This is something that even the largest companies would not be able to manage without appropriate mitigation measures.”

From another Cloudflare blog post“Because the attack exploits an underlying vulnerability in the HTTP/2 protocol, we expect that any provider that has implemented HTTP/2 will be vulnerable to the attack.” This included any modern web server.”

Cross-industry response coordination

Google coordinated a cross-industry response with other cloud providers and software maintainers that implement the HTTP/2 protocol stack. The coordination enabled the sharing of information and mitigation methods in real time as the attacks continued.

This gave rise to patches and other mitigation techniques. Out of Google blog post: “The collaboration helped pave the way for today’s coordinated responsible disclosure of new attack methodology and potential vulnerabilities for a variety of common open source and commercial proxies, application servers and load balancers.”

Here’s how to mitigate this HTTP/2 DDoS attack threat

Vendor patches for CVE-2023-44487 are available and should be deployed as quickly as possible. It is also recommended to ensure that all automations such as Terraform builds and images are fully patched so that older versions of web servers are not accidentally deployed to production over the secure versions.

As a last resort, organizations could disable HTTP/2, but that could be a bad idea for companies that need good web performance. Prince explained, “For organizations that care about web performance, HTTP/2 remains a major advantage over HTTP/1.1.” Many of the responsive, app-like web(s) that consumers have come to expect require HTTP/2 or HTTP/3. It is possible to mitigate this attack vector and still reap the benefits of a modern web protocol. For most companies, disabling HTTP/2 should only be a last option.”