In recent weeks the web has seen the largest and most dangerous DDoS attacks ever recorded, and most of them rely on a single HTTP/2 vulnerability.
News of a new zero-day vulnerability in the HTTP/2 protocol is worrying users all over the world, not least because the alarm was raised by international giants such as Cloudflare, Google, Microsoft and Amazon.
The vulnerability has been named HTTP/2 Rapid Reset. It abuses a page-loading optimisation built into the protocol to push a huge number of simultaneous requests at a single website, all over a single connection.
According to Cloudflare, the attacks generated hundreds of millions of requests per second (peaking at about 201 million), each sent and then immediately cancelled by the attacker's automation. That is enough to overload the target servers and take them offline.
The record measured by Google was almost 400 million requests per second (398 million): a monstrous figure, more than seven times higher than any attack of this type previously recorded.
How the layer 7 DDoS attack works
The DDoS attack described above is a layer 7 (application layer) attack. Carrying it out requires a botnet, which in this case was made up of tens of thousands of machines (Cloudflare reports roughly 20,000).
The machines use the Rapid Reset technique, which exploits a zero-day HTTP/2 weakness tracked as CVE-2023-44487. The weakness lies precisely in the feature that speeds up page loading: stream multiplexing, which lets a client send many requests at the same time over a single TCP connection.
The protocol also lets the client send the server an RST_STREAM frame, which asks that the request just sent be cancelled immediately.
Rapid Reset is a continuous cycle of sending and cancelling requests until the server's resources, above all its CPU, are exhausted. The reset frees the client's slot in the connection's concurrency limit at once, while the server has already started work on the request, so the attacker pays almost nothing per request. The result is quickly a frozen page or an outright outage of the service.
How to defend against a layer 7 DDoS attack
Cloudflare, Google, Microsoft and Amazon have released patches for their servers and cloud services that mitigate these attacks, and most HTTP/2 server and library vendors have shipped updates of their own.
Administrators can also use registry keys (on Windows) to limit the number of HTTP/2 requests the server accepts, or disable HTTP/2 altogether, accepting a corresponding drop in web performance.
Be careful, though: these measures may not stop every attack of this kind, because the basic layer 7 attack has some variants.
In one of them the streams are not cancelled immediately: the attacker opens batches of streams and cancels a batch only when it creates the next one.
Another variant skips the cancellation phase altogether and simply floods the server with simultaneous streams, more than it has agreed to handle. Here the aim is just to exceed the server's capacity.
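The following is an added example, not code from the article or from any of the vendors named in it. It models, in Python, the per-connection stream accounting a server can use to recognise the Rapid Reset cycle described above (HEADERS immediately followed by RST_STREAM) and both of its variants (batched resets, and a flood that never resets but exceeds the advertised concurrency limit). The frame log is constructed inline with a simplified event vocabulary ("HEADERS", "RST_STREAM", and "END_STREAM" standing in for the server finishing a response), and the limit and thresholds are illustrative assumptions, not values any product uses.

```python
# Added example: per-connection HTTP/2 stream accounting that flags the
# Rapid Reset pattern and its two variants.  Limits/thresholds are assumed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_CONCURRENT_STREAMS = 100   # what this server advertised in SETTINGS (assumed)
MIN_STREAMS_TO_JUDGE = 50      # don't judge a client on a handful of streams
RESET_RATIO_THRESHOLD = 0.8    # share of opened streams the client cancels

Frame = Tuple[str, str, int]   # (connection id, event, stream id)


@dataclass
class ConnectionState:
    """Stream bookkeeping for one TCP connection."""
    opened: int = 0                             # streams the client opened
    reset_by_client: int = 0                    # streams it cancelled
    active: Set[int] = field(default_factory=set)   # stream ids not yet closed
    verdict: Optional[str] = None               # set once; connection then dropped

    def on_frame(self, event: str, stream_id: int) -> Optional[str]:
        if self.verdict:
            return self.verdict
        if event == "HEADERS" and stream_id not in self.active:
            # Variant 2 (no resets): client exceeds the advertised limit.
            # RFC 9113 5.1.2 allows treating that as a protocol error, so the
            # server should close the connection rather than keep serving it.
            if len(self.active) >= MAX_CONCURRENT_STREAMS:
                self.verdict = "goaway: exceeded SETTINGS_MAX_CONCURRENT_STREAMS"
                return self.verdict
            self.active.add(stream_id)
            self.opened += 1
        elif event == "RST_STREAM":
            # The reset frees the concurrency slot at once, which is what
            # makes Rapid Reset cheap for the client.  Count it, don't ignore it.
            self.active.discard(stream_id)
            self.reset_by_client += 1
        elif event == "END_STREAM":            # server finished the response
            self.active.discard(stream_id)

        # Original attack and variant 1 both show up as a high reset ratio;
        # variant 1 just reaches it one batch later.
        if self.opened >= MIN_STREAMS_TO_JUDGE:
            if self.reset_by_client / self.opened >= RESET_RATIO_THRESHOLD:
                self.verdict = (f"rapid reset: {self.reset_by_client}/{self.opened}"
                                " streams cancelled by client")
        return self.verdict


def analyze(frames: List[Frame]) -> Dict[str, Optional[str]]:
    """Replay a frame log and return the verdict reached for each connection."""
    conns: Dict[str, ConnectionState] = {}
    for conn_id, event, sid in frames:
        conns.setdefault(conn_id, ConnectionState()).on_frame(event, sid)
    return {c: s.verdict for c, s in conns.items()}


# --- constructed traffic, one connection each (client stream ids are odd) ---
def benign_client(conn_id: str, n: int = 200) -> List[Frame]:
    """Normal browser: open a stream, let the server finish it, cancel rarely."""
    out: List[Frame] = []
    for i in range(n):
        sid = 2 * i + 1
        out.append((conn_id, "HEADERS", sid))
        out.append((conn_id, "RST_STREAM" if i % 20 == 0 else "END_STREAM", sid))
    return out


def rapid_reset_client(conn_id: str, n: int = 200) -> List[Frame]:
    """Original attack: every HEADERS is immediately followed by RST_STREAM."""
    out: List[Frame] = []
    for i in range(n):
        sid = 2 * i + 1
        out += [(conn_id, "HEADERS", sid), (conn_id, "RST_STREAM", sid)]
    return out


def batched_reset_client(conn_id: str, batches: int = 4) -> List[Frame]:
    """Variant 1: fill the concurrency window, then cancel it all to open the next batch."""
    out: List[Frame] = []
    sid = 1
    for _ in range(batches):
        ids = []
        for _ in range(MAX_CONCURRENT_STREAMS):
            out.append((conn_id, "HEADERS", sid))
            ids.append(sid)
            sid += 2
        out += [(conn_id, "RST_STREAM", s) for s in ids]
    return out


def flood_client(conn_id: str, n: int = MAX_CONCURRENT_STREAMS + 50) -> List[Frame]:
    """Variant 2: never cancels, just opens more streams than the server allowed."""
    return [(conn_id, "HEADERS", 2 * i + 1) for i in range(n)]


if __name__ == "__main__":
    log = (benign_client("browser") + rapid_reset_client("rapid")
           + batched_reset_client("batched") + flood_client("flood"))
    for conn, verdict in analyze(log).items():
        print(f"{conn:8s} -> {verdict or 'ok'}")
```

A real mitigation should also count resets per unit of time rather than only as a ratio, since a long-lived legitimate connection can accumulate cancellations slowly, and the response to a verdict (GOAWAY, connection drop, IP-level rate limit) belongs in the server or the edge proxy, not in a detached script. The reset-ratio test is the same idea the vendors' mitigations are built on; the numbers here are placeholders to be tuned against your own traffic.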