The newly discovered 'HTTP/2 Rapid Reset' DDoS technique has been exploited as a zero-day since August, setting new records in attack volume. The news was jointly announced by Amazon Web Services, Cloudflare, and Google, who have been mitigating attacks reaching up to 155 million and 201 million requests per second respectively. Cloudflare stated that the scale of the attack is three times larger than its previous record set in February 2023. What is alarming is that these attacks were executed using a relatively small botnet of around 20,000 machines.
Since late August, Cloudflare has identified and mitigated over a thousand 'HTTP/2 Rapid Reset' DDoS attacks that exceeded 10 million requests per second, with 184 surpassing the previous record of 71 million requests per second. Cloudflare anticipates that as more threat actors utilize larger botnets in conjunction with this new attack technique, HTTP/2 Rapid Reset attacks will continue to set new records. "There are botnets today that are made up of hundreds of thousands or millions of machines," commented Cloudflare. "Given that the entire web typically sees only between 1–3 billion requests per second, it's not inconceivable that using this method could focus an entire web's worth of requests on a small number of targets."
The attack exploits a zero-day vulnerability in the HTTP/2 protocol, tracked as CVE-2023-44487. In essence, the attack method abuses the stream cancellation feature of HTTP/2 to continuously send and cancel requests, thereby overwhelming the target server/application and causing a denial of service. The HTTP/2 protocol has a parameter that limits the number of concurrently active streams to prevent DoS attacks, but this is not always effective. As a result, protocol developers introduced a more efficient measure called 'request cancelation', which cancels a single stream without terminating the entire connection, and this is what the attack exploits.
Since late August, malicious actors have been abusing this feature to send a barrage of HTTP/2 requests and resets at a server, asking it to process each one and perform rapid resets, which overwhelms its ability to respond to new incoming requests. According to Google, "The protocol does not require the client and server to coordinate the cancelation in any way, the client may do it unilaterally."
Cloudflare noted that HTTP/2 proxies or load-balancers are especially vulnerable to these long strings of reset requests sent quickly. The company's network was overwhelmed at the point between the TLS proxy and its upstream counterpart, so the damage was done before the malicious requests reached the block point. These attacks have led to an increase in 502 error reports among Cloudflare's clients. Cloudflare eventually mitigated these attacks using a system designed to handle hyper-volumetric attacks called 'IP Jail', which was expanded to cover its entire infrastructure. This system 'jails' offending IPs and prevents them from using HTTP/2 for any Cloudflare domain for a period of time, causing a minor performance drop for legitimate users sharing the jailed IP.
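As an added illustration, not code from Cloudflare, Google or AWS, the following Python sketch shows why the concurrent-stream limit alone does not stop the attack (a cancelled stream frees its slot immediately, so the active count stays tiny while the server does a full request's worth of work per reset) and how a per-connection reset-rate limit combined with a temporary per-IP 'jail', in the spirit of the IP Jail described above, closes the gap. The frame-event format, thresholds and IP addresses are assumptions for the demo.

```python
from collections import defaultdict, deque

MAX_CONCURRENT_STREAMS = 100   # the HTTP/2 concurrent-stream setting the article mentions
RESET_WINDOW_SECONDS = 1.0     # assumed sliding window for counting resets
MAX_RESETS_PER_WINDOW = 200    # assumed threshold; tune to legitimate traffic
JAIL_SECONDS = 60.0            # assumed duration of the per-IP jail

class RapidResetGuard:
    """Tracks open streams per connection and jails clients whose RST_STREAM
    rate is abusive. Thresholds are illustrative, not any vendor's values."""
    def __init__(self):
        self.active = defaultdict(set)    # conn id -> set of open stream ids
        self.resets = defaultdict(deque)  # conn id -> timestamps of recent resets
        self.jailed_until = {}            # client ip -> time the jail expires

    def on_frame(self, conn, ip, frame, stream_id, now):
        """Returns 'allow', 'refuse' (stream rejected) or 'goaway' (close connection)."""
        if self.jailed_until.get(ip, 0.0) > now:
            return 'goaway'               # jailed IPs may not use HTTP/2 at all
        if frame == 'HEADERS':
            if len(self.active[conn]) >= MAX_CONCURRENT_STREAMS:
                return 'refuse'           # the standard limit still applies, but...
            self.active[conn].add(stream_id)
            return 'allow'
        if frame == 'RST_STREAM':
            self.active[conn].discard(stream_id)   # ...a reset frees the slot at once
            window = self.resets[conn]
            window.append(now)
            while window and now - window[0] > RESET_WINDOW_SECONDS:
                window.popleft()          # drop resets outside the sliding window
            if len(window) > MAX_RESETS_PER_WINDOW:
                self.jailed_until[ip] = now + JAIL_SECONDS
                return 'goaway'
            return 'allow'
        return 'allow'                    # DATA, WINDOW_UPDATE, etc. are not tracked here

def simulate_rapid_reset(pairs, guard=None):
    """Constructed traffic: `pairs` request/cancel pairs from one client within 0.5 s.
    Returns (peak number of active streams, decision on the last frame)."""
    guard = guard or RapidResetGuard()
    peak, decision = 0, 'allow'
    for i in range(pairs):
        t = i * 0.5 / pairs
        guard.on_frame('c1', '198.51.100.7', 'HEADERS', 2 * i + 1, t)
        peak = max(peak, len(guard.active['c1']))
        decision = guard.on_frame('c1', '198.51.100.7', 'RST_STREAM', 2 * i + 1, t)
        if decision == 'goaway':
            break
    return peak, decision
```

Peak concurrency never exceeds one stream in this simulation, which is exactly why only the reset rate, not the active-stream count, distinguishes the flood from normal traffic.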
Amazon reported that it mitigated dozens of these attacks without providing any details on their impact, but noted that their customer services remained available. All three companies agreed that the best strategy for clients to counter HTTP/2 Rapid Reset attacks is to use all available HTTP-flood protection tools and strengthen their DDoS resilience with multi-layered mitigations. In a separate post, Cloudflare explained that they had to keep the zero-day secret for over a month to give security vendors and stakeholders time to respond to the threat before it became known to more threat actors and the 'cat and mouse' game began. "We've kept the information restricted until today to give as many security vendors as possible the opportunity to react," explained Cloudflare. "However, at some point, the responsible thing becomes to publicly disclose zero-day threats like this. Today is that day."