New technique leads to largest DDoS attacks ever, Google and Amazon say

Amazon, Google and Cloudflare said they detected the largest distributed denial-of-service (DDoS) attacks on record in August due to a newly discovered vulnerability.

The companies explained on Tuesday morning that a bug tracked as CVE-2023-44487 allowed threat actors a fresh angle for overwhelming websites with a flood of traffic, making them temporarily unavailable to users. Exploitation of the vulnerability is known as an HTTP/2 Rapid Reset Attack.

The issue affects HTTP/2 protocol — a pivotal piece of Internet infrastructure that governs how most websites operate. The attacks have not been attributed to any known hacking group.

Google’s Juho Snellman and Daniele Iamartino said the tech giant mitigated an attack in August that was more than eight times as large as the previous record. It involved 398 million requests per second (RPS).

In August 2022 they had reported stopping an attack that peaked at 46 million requests per second. That one was equivalent to “receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds,” they said.

The incidents involving the HTTP/2 vulnerability “were largely stopped at the edge of our network by Google's global load balancing infrastructure and did not lead to any outages. While the impact was minimal, Google's DDoS Response Team reviewed the attacks and added additional protections to further mitigate similar attacks,” Snellman and Iamartino said.

“In addition to Google's internal response, we helped lead a coordinated disclosure process with industry partners to address the new HTTP/2 vector across the ecosystem.”

Senior Amazon security officials Tom Scholl and Mark Ryland said that between August 28-29, 2023, [they witnessed an attack](https://aws.amazon.com/blogs/security/how-aws-protects-customers-from-ddos-events/ peaking at over 155 million requests per second. Cloudflare said it saw an attack reach a peak of 201 million requests per second.

Cloudflare, which provides internet infrastructure security, discovered the HTTP/S zero-day vulnerability in August.

Automating a dangerous pattern

HTTP/2 manages how browsers interact with websites, allowing them to “request” to view things like images and text quickly, and all at once no matter how complex the website, according to Cloudflare officials.

An older version of the protocol, HTTP/1.1, could only read a request, process it, write a response, and only then read and process the next request — while HTTP/2 can handle multiple concurrent streams on a single connection.

“This new attack works by making hundreds of thousands of ‘requests’ and immediately canceling them,” Cloudflare said. “By automating this ‘request, cancel, request, cancel’ pattern at scale, threat actors overwhelm websites and are able to knock anything that uses HTTP/2 offline.”

The August attack alarmed experts, who noted that HTTP/2 is the part of about 60% of all web applications and determines the speed and quality of how users see and interact with websites.

Cloudflare partnered with Google and Amazon to share technical details on CVE-2023-44487. Since August, Google said it has seen variations of the attack using the vulnerability, including ones where a hacker “opens a batch of streams at once, waits for some time, and then cancels those streams and then immediately opens another large batch of new streams.”

Each company urged all providers who have HTTP/2 services to assess their exposure and apply security patches as soon as possible. Each company has implemented new features into their own platforms to mitigate some of the technical aspects of the attack patterns. They also made recommendations for users of HTTP/3, a newer version of the protocol.

While the FBI and Justice Department believe most DDoS attacks are launched in response to disputes over business or gaming, a cybersecurity firm claimed last month that it identified and thwarted a massive distributed attack targeting a prominent American financial institution.