A zero-day vulnerability discovered in an almost universally used web protocol has made it possible for attackers with relatively small botnets to shatter records for DDoS attacks with relative ease. Google and Cloudflare report seeing attacks that are 3x to 5.5x larger than any previously recorded, and some of these record-setters came from a botnet of just about 20,000 devices.
The problem lies in the HTTP/2 protocol, used by at least 80% of the public-facing internet. The protocol first became available in 2015 and has been widely adopted because it can deliver all of the components of a web page to the viewer at once, rather than queuing up a few items at a time. Attackers have now found a way to abuse this convenience feature to put a never-before-seen level of strain on websites and servers with only minimal attack assets.
Entire internet vulnerable to new HTTP/2 zero-day vulnerability
The zero-day vulnerability (called “Rapid Reset”) was responsibly disclosed by Cloudflare, in partnership with Google and several other big names in tech. To give an idea of the scale, the Cloudflare disclosure notes that the internet generally sees about one to three billion requests across its entire breadth each second. A large botnet could generate requests in that range by using this technique, dumping an entire internet’s worth of traffic onto just one target.
Cloudflare notes that the zero-day vulnerability impacts “nearly every modern web server.” Unfortunately, there isn’t one clean path to mitigation that fits all comers. The largest cloud service providers had already implemented their own new DDoS defenses before the disclosure, though for some that meant adding expensive capacity beyond the reach of smaller operators, and others (such as Amazon) simply won’t tell the public what they did to mitigate the issue.
Cloudflare does offer some useful pointers, such as ensuring defenses for DDoS attacks kick in before the attacks can reach the data center. Operating systems and software should also be updated to the most recent versions. In a pinch, the plug could be pulled on HTTP/2 (and most likely HTTP/3) entirely; HTTP/1.1 is not impacted by the zero-day vulnerability.
DDoS attacks now much larger, easier to pull off
The zero-day vulnerability has been exploited in the wild since August. Cloudflare believes that the attackers (who remain unidentified) have been testing it against Cloudflare and other leading cloud providers as a means of determining exactly how much power they’re working with.
It seems to be quite a bit of power. Many of the attacks from August to present have shattered former records for DDoS attacks, with Cloudflare reporting a number that went as high as three times the record for requests per second, and Google disclosing at least one attack that was 5.5 times larger than the old record.
The attack does not need a large botnet to be devastating, in part because it is extremely simple. It leverages HTTP/2’s ability to request all of a page’s assets at once: the attacker issues the requests and then cancels them almost immediately (hence “Rapid Reset”), over and over. The result is DDoS attacks of 200 million to 398 million requests per second, far above the previous record of 71 million set with older techniques.
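The request-then-cancel pattern described above is what a defender can look for: on a single connection, a client that opens many streams and immediately resets most of them looks nothing like a browser. The following Python is an added example (not code from the article, Cloudflare or Google) of a per-connection sliding-window heuristic that flags exactly that pattern. It assumes a hypothetical server-side frame log with lines of the form "<timestamp> <connection_id> <frame_type> <stream_id>"; that log format, the thresholds, and all of the traffic it scans are constructed for illustration.

```python
"""Heuristic detector for HTTP/2 Rapid Reset style abuse (added example).

Assumes the server can expose per-connection frame events as lines of the
form "<ts> <conn_id> <frame_type> <stream_id>". The log format, thresholds
and sample traffic below are constructed for illustration only.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Illustrative thresholds; tune them against real traffic before deploying.
WINDOW_SECONDS = 1.0        # sliding window evaluated per connection
MAX_RESETS_PER_WINDOW = 50  # client-sent RST_STREAM frames tolerated per window
MIN_RESET_RATIO = 0.5       # flag only when most new streams are being cancelled


def parse_frame_line(line: str) -> Tuple[float, str, str, int]:
    """Parse '<ts> <conn_id> <frame_type> <stream_id>' into typed fields."""
    ts, conn_id, frame_type, stream_id = line.split()
    return float(ts), conn_id, frame_type.upper(), int(stream_id)


class RapidResetDetector:
    """Track HEADERS (new request) and RST_STREAM (cancel) frames per connection."""

    def __init__(self) -> None:
        # conn_id -> recent (timestamp, frame_type) events inside the window
        self._events: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
        # conn_id -> timestamp at which the connection was first flagged
        self.flagged: Dict[str, float] = {}

    def observe(self, ts: float, conn_id: str, frame_type: str) -> bool:
        """Record one frame; return True if the connection should be throttled."""
        if frame_type not in ("HEADERS", "RST_STREAM"):
            return False  # other frame types are irrelevant to this heuristic
        window = self._events[conn_id]
        window.append((ts, frame_type))
        # Drop events that have aged out of the sliding window.
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        requests = sum(1 for _, f in window if f == "HEADERS")
        resets = sum(1 for _, f in window if f == "RST_STREAM")
        if (resets >= MAX_RESETS_PER_WINDOW and requests
                and resets / requests >= MIN_RESET_RATIO):
            self.flagged.setdefault(conn_id, ts)
            return True
        return False


def scan_log(lines: List[str]) -> Dict[str, float]:
    """Run the detector over log lines; return flagged connections and when."""
    detector = RapidResetDetector()
    for line in lines:
        ts, conn_id, frame_type, _stream_id = parse_frame_line(line)
        detector.observe(ts, conn_id, frame_type)
    return detector.flagged


def constructed_traffic() -> List[str]:
    """Build constructed sample traffic: one normal client, one abusive one."""
    lines: List[str] = []
    # Legitimate browser: opens 8 streams over 0.4 s and cancels just one.
    for i in range(8):
        lines.append(f"{0.05 * i:.3f} conn-legit HEADERS {2 * i + 1}")
    lines.append("0.600 conn-legit RST_STREAM 15")  # user navigated away
    # Abusive client: 300 request/cancel pairs in 0.3 s on a single connection.
    for i in range(300):
        t = 0.001 * i
        lines.append(f"{t:.3f} conn-abuse HEADERS {2 * i + 1}")
        lines.append(f"{t:.3f} conn-abuse RST_STREAM {2 * i + 1}")
    return lines


if __name__ == "__main__":
    for conn_id, first_seen in scan_log(constructed_traffic()).items():
        print(f"throttle {conn_id}: reset flood detected at t={first_seen:.3f}s")
```

The heuristic is deliberately keyed on cancellations rather than raw request rate, so a busy but well-behaved client is left alone while a connection whose streams are mostly reset within the window is singled out for throttling or closure; a real deployment would also want a global per-client budget across connections, since an attacker can spread the same pattern over many of them.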