Cloudflare has reported an unprecedented series of hyper-volumetric HTTP distributed denial-of-service (DDoS) attacks that exploited a recently revealed vulnerability known as HTTP/2 Rapid Reset. This flaw (CVE-2023-44487) was disclosed earlier this month. Among the thousands of attacks, 89 surpassed a staggering 100 million requests per second (RPS).
This surge in attacks has led to a 65% increase in HTTP DDoS attack traffic in Q3 compared to the previous quarter. Layer 3 and Layer 4 (L3/4) DDoS attacks also saw a 14% increase. The total number of HTTP DDoS attack requests in the quarter skyrocketed to 8.9 trillion, a significant rise from 5.4 trillion in Q2 2023 and 4.7 trillion in Q1 2023. Q4 2022 saw a total of 6.5 trillion attack requests.
The HTTP/2 Rapid Reset flaw has been utilized by an unknown threat actor to orchestrate DDoS attacks against various providers including Amazon Web Services (AWS), Cloudflare, and Google Cloud. Fastly, another provider, reported countering a similar attack that peaked at about 250 million RPS and lasted roughly three minutes.
According to Cloudflare, 'Botnets that leverage cloud computing platforms and exploit HTTP/2 are able to generate up to x5,000 more force per botnet node.' This increased power allowed botnets of only 5,000 to 20,000 nodes to launch hyper-volumetric DDoS attacks.
The industries most targeted by HTTP DDoS attacks were gaming, IT, cryptocurrency, computer software, and telecom. The U.S., China, Brazil, Germany, and Indonesia were the biggest sources of application-layer (L7) DDoS attacks, while the U.S., Singapore, China, Vietnam, and Canada were the primary targets.
For the second consecutive quarter, DNS-based DDoS attacks were the most common, accounting for almost 47% of all attacks, a 44% increase compared to the previous quarter. SYN floods were the second most common, followed by RST floods, UDP floods, and Mirai-based attacks.
Interestingly, there has been a decrease in ransom DDoS attacks. Cloudflare attributes this to threat actors realizing that organizations are not willing to pay the ransoms.
This information comes in the wake of internet traffic fluctuations and a surge in DDoS attacks following the outbreak of the Israel-Hamas conflict, with Cloudflare successfully defending against several attack attempts on Israeli and Palestinian websites.