
DDoS with record impact: AWS, Cloudflare and Google block HTTP/2 Rapid Reset

In a joint announcement, Amazon Web Services (AWS), Cloudflare and Google today disclosed a colossal DDoS (Distributed Denial of Service) attack campaign, ongoing since last August, that exploits a vulnerability inherent in the HTTP/2 protocol.

HTTP/2 is the second major version of the HTTP hypertext transfer protocol, commonly used for communication between browsers and web servers. One of its most significant features is multiplexing: where HTTP/1.1 had to process requests and responses sequentially, HTTP/2 lets a client send multiple requests and receive multiple responses concurrently over the same connection, an approach that significantly improves communication efficiency.

What is the HTTP/2 Rapid Reset attack and how does it work

The attack method (HTTP/2 Rapid Reset) exploited by the attackers leverages the HTTP/2 feature known as stream cancellation. It lets a client stop the transmission of data on a given stream between client and server without having to close the entire connection. The feature exists to improve communication efficiency and to make better use of network resources.

However, researchers discovered a zero-day security flaw, tracked as CVE-2023-44487, that abuses a weakness in the HTTP/2 protocol to continually send and cancel requests, overloading the target server or application. Stream cancellation is used to send the target server a large number of reset frames (RST_STREAM) in rapid succession, asking it to start processing requests and then immediately stopping them. The result is a genuine DoS attack, which becomes potentially destructive when the requests arrive from many clients at the same time: that is where the DoS attack becomes a distributed one (DDoS).
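To illustrate the defensive side of the mechanism just described, here is an added example, not code from the article or from any of the three companies: a minimal HTTP/2 frame parser and a per-connection monitor that counts streams opened (HEADERS frames) against streams cancelled (RST_STREAM frames) and flags a connection once cancellations pass an absolute floor and cover nearly everything the client opened, the kind of signal a proxy uses to close a connection or, like Cloudflare's IP Jail, to penalise the source address. The thresholds, the class and function names and the sample traffic are all assumptions constructed for the example.

```python
import struct
from collections import defaultdict

# HTTP/2 frame header (RFC 9113): 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id.
HEADERS, RST_STREAM, HDR_LEN = 0x1, 0x3, 9
def build_frame(ftype, stream_id, payload=b"", flags=0):  # encodes one frame (sample traffic)
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)

def parse_frames(data):
    """Return [(type, stream_id, payload)] for each complete frame in data."""
    frames, off = [], 0
    while off + HDR_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        sid = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        end = off + HDR_LEN + length
        if end > len(data):
            break  # truncated frame: a real proxy buffers it until the rest arrives
        frames.append((data[off + 3], sid, data[off + HDR_LEN:end]))
        off = end
    return frames

class RapidResetMonitor:
    """Per connection, count streams opened (HEADERS on a new stream id) versus cancelled
    (RST_STREAM); flag the peer once cancellations pass a floor and cover nearly every open."""
    def __init__(self, min_resets=100, reset_ratio=0.9):  # assumed thresholds
        self.min_resets, self.reset_ratio = min_resets, reset_ratio
        self.opened, self.resets = defaultdict(set), defaultdict(int)

    def observe(self, conn_id, data):
        for ftype, sid, _ in parse_frames(data):  # stream 0 (SETTINGS, PING...) carries no requests
            if ftype == HEADERS and sid:
                self.opened[conn_id].add(sid)
            elif ftype == RST_STREAM and sid:
                self.resets[conn_id] += 1
        return self.verdict(conn_id)

    def verdict(self, conn_id):
        opened, resets = len(self.opened[conn_id]), self.resets[conn_id]
        flood = resets >= self.min_resets and resets >= self.reset_ratio * opened
        return "abusive" if flood else "ok"

def sample_traffic():
    """Constructed sample: a normal client cancels 2 of 50 streams; an abusive one cancels all 200 it opens."""
    cancel = struct.pack("!I", 0x8)  # RST_STREAM payload: error code CANCEL
    normal = b"".join(build_frame(HEADERS, s) for s in range(1, 100, 2))
    normal += build_frame(RST_STREAM, 1, cancel) + build_frame(RST_STREAM, 3, cancel)
    abusive = b"".join(build_frame(HEADERS, s) + build_frame(RST_STREAM, s, cancel)
                       for s in range(1, 400, 2))
    return normal, abusive
```

A production proxy would also reset these counters per time window, since the attack is defined by the rate of cancellations rather than their lifetime total.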

The consequences of network aggression

AWS, Cloudflare, and Google explain that HTTP/2-compliant proxies or load balancers are particularly susceptible to long sequences of reset requests sent in rapid succession.

Cloudflare says the attacks caused a significant increase in 502 Bad Gateway errors between the company's systems and the servers it fronts. The company managed to counter the DDoS attacks in question using a system designed to handle hyper-volumetric attacks called IP Jail, which Cloudflare used to protect its entire infrastructure. The solution "jails" the offending IP addresses and prevents them from using HTTP/2 for any Cloudflare domain for a certain period of time.

Amazon says it thwarted a large number of attacks exploiting the HTTP/2 Rapid Reset vulnerability, without providing details of their impact. The company was keen to point out that service availability was preserved.

Google notes that the protocol, unfortunately, does not require the client and server to coordinate reset requests in any way, so a malicious client can abuse this mechanism.

All three companies agree that the best way to counter HTTP/2 Rapid Reset attacks is to use all the HTTP-flood protection tools available today and to strengthen the resilience of infrastructures against DDoS with solutions that act at multiple levels.

In a separate post, Cloudflare explains that it had to keep the zero-day confidential (for over a month) so as to give industry players time to prepare the appropriate countermeasures.

The volume of attacks from August 2023 to today

To give an idea of the impact on the business and operations of the various companies, Amazon declared that it withstood DDoS attacks based on HTTP/2 Rapid Reset that reached 155 million requests per second. Cloudflare reports even higher figures: over 200 million requests per second.

Cloudflare points out that the attack was three times larger than the previous record, set in February 2023 (71 million requests per second). Alarmingly, the attackers achieved this with a botnet made up of a relatively small number of machines: just around 20,000 systems.

“There are botnets today made up of hundreds of thousands or millions of machines,” comments Cloudflare. “Given that the entire web typically sees only between 1 and 3 billion requests per second, it is not unthinkable that using this method one could concentrate all the requests of an entire network on a limited number of targets.”

Opening image credit: iStock.com/Olemedia
