
A flaw that puts the entire Internet at risk lies at the root of a zero-day attack called “HTTP/2 Rapid Reset,” which produced a distributed denial-of-service (DDoS) attack orders of magnitude larger than any previously recorded. Researchers say it marks a new chapter in the evolution of DDoS threats.
Amazon Web Services, Cloudflare, and Google Cloud each independently observed the attack, which came in multiple waves of traffic lasting just minutes each. The waves targeted cloud and Internet infrastructure providers on August 28-29. The perpetrators are unknown, but it is clear that they exploited a bug in the HTTP/2 protocol, which is used by about 60% of all web applications.
AWS, Cloudflare, and Google worked with other cloud, DDoS security, and infrastructure providers in a concerted effort to minimize any real-world impact of the Rapid Reset attacks, primarily using load balancing and other edge strategies. But that doesn’t mean the Internet is protected; many organizations are still susceptible to the attack vector and will need to proactively patch their HTTP/2 instances to be immune to the threat.
The breakthrough attack vector represents an important evolution of the DDoS landscape, according to Alex Forster, Cloudflare’s technical lead for DDoS technology.
“The threat posed by DDoS attacks is evolving rapidly and is far from the low-level annoyance it used to be,” he says. “This attack – the largest in the history of the Internet – shows how important it is to increasingly think about and consider DDoS as a key way for threat actors to disrupt businesses and wreak havoc.”
How the Rapid Reset DDoS attacks work
The vulnerability in HTTP/2 that the attack exploits is tracked as CVE-2023-44487 and carries a high CVSS score of 7.5 out of 10.
According to Cloudflare, HTTP/2 “is a fundamental part of how the Internet and most websites work. HTTP/2 is responsible for how browsers interact with a website, allowing them to ‘request’ to see things like images and text quickly, and all at once no matter how complex the site is.”
The attack technique involves making hundreds of thousands of HTTP/2 requests at once and then immediately aborting them, according to the company’s analysis.
“By automating this ‘request, cancel, request, cancel’ pattern at scale, threat actors overwhelm websites and can knock anything using HTTP/2 offline,” according to Cloudflare’s advisory on the Rapid Reset attacks, published on October 10.
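To make the “request, cancel” pattern concrete from the defender’s side, here is an added example (not code from the article, Cloudflare, Google or AWS) that parses raw HTTP/2 frames on one connection, counts HEADERS frames (new requests) and RST_STREAM frames (cancellations), and decides when a client has cancelled so many freshly opened streams that the server should close the connection with GOAWAY. This mirrors the general shape of the per-connection reset budgets that server vendors shipped for CVE-2023-44487, but the thresholds, the “cancelled within two frames” heuristic, and the sample traffic are all constructed for illustration.

```python
"""Detect HTTP/2 Rapid Reset behaviour on one connection from raw frame bytes.

Added example, not code from the article or any vendor. It parses the 9-byte
HTTP/2 frame header (RFC 7540 section 4.1), tracks HEADERS and RST_STREAM
frames, and returns "goaway" once the client has cancelled more streams,
immediately after opening them, than a budget allows. Thresholds, the
"immediately" heuristic and all sample traffic below are constructed.
"""
from dataclasses import dataclass, field

HEADERS = 0x1          # frame type: opens a new stream (a request)
RST_STREAM = 0x3       # frame type: cancels a stream
FRAME_HEADER_LEN = 9
END_STREAM = 0x1
END_HEADERS = 0x4
CANCEL = 0x8           # RST_STREAM error code CANCEL (RFC 7540 section 7)


def build_frame(ftype: int, stream_id: int, payload: bytes = b"", flags: int = 0) -> bytes:
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        start, end = off + FRAME_HEADER_LEN, off + FRAME_HEADER_LEN + length
        if end > len(data):
            break  # truncated final frame: wait for more bytes
        yield ftype, flags, stream_id, data[start:end]
        off = end


@dataclass
class ResetMonitor:
    """Per-connection budget of 'rapid' resets (constructed thresholds).

    A reset counts as rapid when the RST_STREAM arrives within `rapid_gap`
    frames of the HEADERS that opened the stream. A production server would
    rather check whether it had begun responding, or use elapsed time.
    """
    max_rapid_resets: int = 50
    min_ratio: float = 0.5
    rapid_gap: int = 2
    opened: int = 0
    resets: int = 0
    rapid_resets: int = 0
    frames_seen: int = 0
    open_at: dict = field(default_factory=dict)  # stream id -> frame index of HEADERS

    def observe(self, ftype: int, stream_id: int) -> str:
        self.frames_seen += 1
        if ftype == HEADERS and stream_id % 2 == 1 and stream_id not in self.open_at:
            self.open_at[stream_id] = self.frames_seen  # client-initiated streams are odd
            self.opened += 1
        elif ftype == RST_STREAM and stream_id in self.open_at:
            self.resets += 1
            if self.frames_seen - self.open_at.pop(stream_id) <= self.rapid_gap:
                self.rapid_resets += 1
        return self.verdict()

    def verdict(self) -> str:
        over_budget = self.rapid_resets > self.max_rapid_resets
        mostly_resets = self.rapid_resets / max(self.opened, 1) >= self.min_ratio
        return "goaway" if over_budget and mostly_resets else "ok"


def inspect_connection(data: bytes, **budget) -> dict:
    """Run the monitor over a byte stream; stop at the first 'goaway' verdict."""
    mon = ResetMonitor(**budget)
    verdict = "ok"
    for ftype, _flags, stream_id, _payload in parse_frames(data):
        verdict = mon.observe(ftype, stream_id)
        if verdict == "goaway":
            break
    return {"verdict": verdict, "frames": mon.frames_seen, "opened": mon.opened,
            "resets": mon.resets, "rapid_resets": mon.rapid_resets}


# Constructed sample traffic. HPACK bytes 0x82 0x84 are the static-table
# entries ":method GET" and ":path /".
GET = b"\x82\x84"
BENIGN = b"".join(build_frame(HEADERS, sid, GET, END_HEADERS | END_STREAM)
                  for sid in range(1, 400, 2))
BENIGN += build_frame(RST_STREAM, 1, CANCEL.to_bytes(4, "big"))   # user navigated away
BENIGN += build_frame(RST_STREAM, 3, CANCEL.to_bytes(4, "big"))
# Rapid Reset pattern: every request is cancelled by the very next frame.
RAPID = b"".join(build_frame(HEADERS, sid, GET, END_HEADERS | END_STREAM)
                 + build_frame(RST_STREAM, sid, CANCEL.to_bytes(4, "big"))
                 for sid in range(1, 400, 2))

if __name__ == "__main__":
    print("benign:", inspect_connection(BENIGN))
    print("rapid reset:", inspect_connection(RAPID))
```

The benign stream of 200 requests with two late cancellations passes, while the request-cancel stream trips the budget after the 51st immediate reset (frame 102), which is the point where a server would send GOAWAY and close the connection. The check has to live per connection, because the point of the attack is that a single connection can open and cancel streams faster than the server can service them.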
During the peak of the August campaign, Cloudflare saw more than 201 million requests per second (rps), it said in a media statement to Dark Reading, “with some organizations witnessing even higher numbers due to the timing of their mitigations.” That is three times the size of the previous record holder, a DDoS attack last year that peaked at 71 million rps.
Google, meanwhile, observed a peak of 398 million rps, seven and a half times greater than any previous attack on its resources; AWS detected a spike of more than 155 million rps directed at the Amazon CloudFront service.
“For a sense of scale, this (peak) two-minute attack generated more queries than the total number of article views reported by Wikipedia for the entire month of September,” Google researchers pointed out in an Oct. 10 post.
“We cannot predict the future of DDoS attacks, but this latest series of attacks moves the trend of observed attacks closer to the expected exponential growth of a doubling every 18 months or so,” a Google spokesperson told Dark Reading. “Defending services from attacks like these requires consistent capacity planning, as well as the ability to monitor for attacks and respond quickly.”
The technique is so powerful that the August wave was launched with a modestly sized botnet of fewer than 20,000 nodes. This makes Rapid Reset not only a powerful weapon, but also a very efficient one.
“Cloudflare regularly discovers botnets that are orders of magnitude larger than this — involving hundreds of thousands and even millions of machines,” according to the company’s analysis. “For a relatively small botnet to send out such a large volume of requests, with the potential to disable almost any server or application that supports HTTP/2, underscores how threatening this vulnerability is to unprotected networks.”
Mitigating Rapid Reset
While the Rapid Reset attacks have not had the critical impact that the attackers behind them might have hoped for, the fact that threat actors were able to pioneer the technique in the first place should put businesses on alert, especially given that DDoS attacks remain an important tool in cyberattackers’ arsenals.
“Cybersecurity is a race,” explains Forster. “While attackers are launching ever more sophisticated and powerful attacks, defenders are developing cutting-edge methods and technologies to combat them…After today, threat actors will be aware of the HTTP/2 vulnerability. It will inevitably become trivial to exploit and kick off the race between defenders and attacks — first to patch versus first to exploit. Organizations of all sizes should assume that systems will be tested and take proactive steps to ensure protection.”
And indeed, attackers are continuing to launch DDoS attempts using the bug, despite the extensive mitigations put in place by cloud providers and DDoS security vendors in the wake of the initial zero-day offensive in August.
“Over those two days, AWS observed and mitigated over a dozen HTTP/2 Rapid Reset events and continued throughout the month of September to see this new type of HTTP/2 request flood,” the cloud giant said in a post today.
According to Google researchers, “any company or individual serving an HTTP-based workload on the Internet could be at risk from this attack. Web applications, services, and APIs on a server or proxy that can communicate using the HTTP/2 protocol may be vulnerable.”
They added, “Organizations that manage or operate their own HTTP/2-compliant server (open source or commercial) should apply vendor fixes for CVE-2023-44487 when available.”
While the HTTP/2 Rapid Reset vulnerability may have been record-breaking in size, the broader takeaways are not new, Forster adds: “Turn incident management, patching and evolving your security protection into ongoing processes. Patches for every variation of a vulnerability reduce risk, but they never completely eliminate it.”
Forster provided Dark Reading with a list of recommendations that can be used to support defenses against Rapid Reset and other DDoS threats:
- Understand your external network and your partner network’s external connectivity to address any Internet-facing systems with the mitigations provided by providers;
- Understand the existing security protections and capabilities you have to protect, detect and respond to an attack, and immediately address any issues you have in your network;
- Make sure your DDoS protection is outside of your data center, because if the traffic is coming to your data center, it will be difficult to mitigate a DDoS attack;
- Make sure you have application DDoS protection (Layer 7) and make sure you have web application firewalls. As a best practice, ensure you have full DDoS protection for DNS, network traffic (Layer 3) and API firewalls;
- Ensure that web server and operating system patches are distributed across all Internet-facing web servers. Also, ensure that all automation such as Terraform builds and images are fully patched, so that older versions of web servers are not deployed in production over the secure images by mistake;
- As a last resort, consider turning off HTTP/2 and HTTP/3 (potentially also vulnerable) to mitigate the threat. This is only a last resort, as downgrading to HTTP/1.1 will cause significant performance issues;
- And consider a secondary, cloud-based DDoS Layer 7 provider at the perimeter for resiliency.