A series of record-setting DDoS attacks that took place in August have been traced to a novel zero-day vulnerability involving the HTTP/2 protocol, used by web browsers to request assets from sites.
The DDoS attacks were discovered due to the threat actors choosing to use Cloudflare, the leading connectivity cloud company, as a sort of testing grounds to gauge performance. Cloudflare made the disclosure after implementing new measures to prevent exploitation of the flaw on its own servers, but many organizations will need to issue their own patches in anticipation of a wave of exploitation that is about to develop. The zero-day vulnerability is being tracked as CVE-2023-44487 and has already been patched by Microsoft and major Linux distributions among others.
New flaw creates potential for “earth-shaking” DDoS attacks
HTTP/2 Rapid Reset is a major zero-day vulnerability in that it ups the potential scale of DDoS attacks; Cloudflare reports that the attacks logged in August were bigger than any ever seen before, the worst of them three times larger than the previous record.
The HTTP/2 protocol allows web browsers to request all of the files and assets associated with a page at once, rather than loading components one at a time. The zero-day vulnerability repeatedly requests all of these assets and then immediately cancels the request, automatically repeating this process hundreds of thousands of times on a single site. Cloudflare reports that the attackers were making over 200 million requests per second in total at the peak of their August campaign. In total, the company reports over 1,100 attacks at over 10 million requests since August, and 184 that broke the pre-Rapid Reset record of 71 million requests. Google has since reported a DDoS attack of 398 million requests per second on its cloud servers.
The key to exploiting this new zero-day vulnerability is botnets. However, the botnet only has to be of a relatively modest size to generate massive attacks. Cloudnet notes that a botnet of just 20,000 devices was responsible for several of the record-breaking DDoS attacks it has logged since August. And unless they are renting the botnet, attackers essentially pay nothing to send these attacks. The victims can end up paying massive bills due to the gigantic volume of junk processing, however.
Despite the massive scope of these initial DDoS attacks, Cloudflare says that only a small number of customers experienced intermittent 4xx and 5xx errors until the new mitigation measures were put in place.
Zero-day vulnerability will need to be addressed by every modern web server
As Cloudflare notes, the entire internet generally fields about one to three billion requests every second. The largest botnets, which are in the neighborhood of a million devices, could easily replicate this level of traffic but direct it at just one website.
Any vendor that has implemented HTTP/2, which describes essentially every modern web server, is going to have to take action to mitigate this zero-day vulnerability. And ideally as soon as possible, before widespread DDoS attacks begin rolling out as threat actors with botnet access figure out how to replicate the technique.
As to how to mitigate this zero-day vulnerability, Google simply added edge capacity. Amazon was also tested by the hackers, and won’t go public with their response. Fortunately, the Cloudflare vulnerability disclosure is accompanied by some more practical advice for smaller organizations. Cloudflare advises CSOs to ensure that protection from DDoS attacks resides outside of the data center, ensure that protection for Layer 7 and Web Application Firewalls are in place, and ensure that complete DDoS protection is in place for Layer 3 network traffic, DNS and API firewalls. Web servers, operating systems and automation also need to be patched to the most recent versions. In an emergency scenario, an organization could disable HTTP/2 and HTTP/3 (HTTP/1.1 is not impacted but naturally there will be a substantial performance hit in most cases).
Some added advice from Google includes tracking connection statistics and applying business logic to determine the relative usefulness of each connection, and setting a cutoff for connections from which a large percentage of requests are canceled. The non-canceling variant of the attack can also be blunted by having HTTP/2 servers close connections that exceed the concurrent stream limit.
The zero-day vulnerability is revealed at a particularly unfortunate time, as DDoS attacks are back in the news again due to the Israel-Hamas conflict. A number of groups that have spent over a year DDoSing organizations in Ukraine are now pivoting to attacking Israel, such as KillNet and Anonymous Sudan. These groups no doubt read the news of this vulnerability with great interest.
Stephen Gates, Principal Security SME at Horizon3.ai, notes that Rapid Reset is a wake-up call for organizations that may have believed DDoS attacks were dying out as a threat: “Those in the industry who have worked for decades to defeat DDoS attacks fully realize the challenges of dealing with attacks that take advantage of the way a protocol works, since these are often the most difficult to contend with. DDoS SMEs all agree there are likely dozens of novel protocol- and/or application-layer vulnerabilities sitting out there, ready to be discovered, and used to attack the most vulnerable aspect of the internet – its availability … At one point in time, most people thought DDoS attacks were going to go extinct like the dodo bird. This event serves to remind the industry that DDoS attacks are alive and well and won’t go away anytime soon. It’s only a matter of time before more protocol- and/or application-layer vulnerabilities are discovered and exploited with similar outcomes.”

