Headline
Google, Cloudflare, and AWS Disclose Largest DDoS Attack in History
By Deeba Ahmed Google, Cloudflare, and AWS Disclosed Digital History’s Largest Ever DDoS Attack- Courtesy HTTP/2 Zero-day. This is a post from HackRead.com Read the original post: Google, Cloudflare, and AWS Disclose Largest DDoS Attack in History
The largest DDoS attack on the Internet has occurred, following the exploitation of a new zero-day vulnerability by hackers.
Google, Cloudflare, and AWS have confirmed that unknown adversaries exploited a new zero-day vulnerability called HTTP/2 Rapid Reset to launch digital history’s largest-ever record DDoS attack.
The attack peaked at 398 million RPS, which is 7 times higher than the previous largest DDoS attack recorded by Google.
AWS and Cloudflare had previously recorded DDoS attacks peaking at 200 million RPS.
The zero-day flaw lets adversaries send specially designed HTTP/2 requests to a target server, triggering an extensive response, which is further amplified by sending it to vulnerable IoT devices or misconfigured servers.
This novel technique is based on stream multiplexing.
In this case, threat actors sent amplified traffic to diverse targets, including financial entities, gaming corporations, and government agencies, causing significant damage to several of them.
Three of the world’s leading tech firms, Google, Amazon Web Services (AWS), and Cloudflare, have jointly disclosed a new 0-day flaw exploited by unknown threat actors to launch the largest Distributed Denial of Service attack (DDoS attack) recorded to date.
Dubbed HTTP/2 Rapid Reset, the vulnerability lets attacker send specially designed HTTP/2 requests to their target server and trigger a large-scale response. They can further amplify this response by sending the same request to as many vulnerable IoT devices and misconfigured servers as they want. The vulnerability is tracked as CVE-2023-44487 and has been assigned a CVSS score of 7.5 out of 10, rated High Severity.
The largest ever DDoS attack resulting from HTTP/2 Rapid Reset’s exploitation peaked at 398 million requests per second (RPS), seven times higher than the previous largest attack recorded by Google.
Cloudflare and AWS had previously recorded DDoS attacks peaking at slightly over 200 million RPS. Cloudflare claims to have mitigated over 1,100 other attacks, peaking at 10 million RPS until August 2023, and 184 of them were greater than the company’s previously reported DDoS record of 71 million RPS. These are still startling revelations compared to last year when the highest recorded DDoS attack peaked at 46 million RPS.
A wide range of targets have been identified, including financial institutions, government agencies, and gaming companies. The attack caused massive damage to many of these targets, but most were able to mitigate them through filtering, rate limiting, and other techniques.
In its blog post, Google noted that this is a ‘hyper volumetric novel attack that relies on stream multiplexing. The attack exploits a weakness in the HTTP2 protocol, which lets clients identify the server a previous stream has to cancel by sending an RST_STREAM frame. It is worth noting that the protocol doesn’t require client-server coordination for this cancellation, and the client performs it unilaterally.
The attack is dubbed Rapid Reset because when the RST_STREAM frame is sent from one endpoint right after sending a request frame, the other endpoint starts working and rapidly resets the request. The request gets cancelled later, but the HTTP/2 connection remains open.
HTTP/1.1 and HTTP/2 request and response pattern (Source: Google)
This is a concerning issue because HTTP/2 protocol is a critical element of around 0% of all web apps and facilitates interaction between a browser and a website. It is responsible for determining the quality and speed of how visitors interact with websites.
Exploitation of such a critical protocol indicates that DDoS attack remains a potent and growing threat. Organizations must take necessary steps such as promptly patching systems, upgrading their security mechanisms, and using rate limiting and filtering or at least having an incident response plan to deal with DDoS attacks.
- Cloudflare thwarts largest reported HTTP DDoS attack
- 10 Top DDoS Attack Protection and Mitigation Companies in 2023
- Tiny Mantis Botnet Can Launch More Powerful DDoS Attacks Than Mirai
Related news
Gentoo Linux Security Advisory 202408-10 - Multiple vulnerabilities have been discovered in nghttp2, the worst of which could lead to a denial of service. Versions greater than or equal to 1.61.0 are affected.
Red Hat Security Advisory 2024-1458-03 - Red Hat OpenShift Container Platform release 4.14.18 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-0485-03 - Red Hat OpenShift Container Platform release 4.12.48 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a cross site scripting vulnerability.
Red Hat Security Advisory 2023-7608-03 - Red Hat OpenShift Container Platform release 4.12.45 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2023-7479-01 - Red Hat OpenShift Container Platform release 4.11.54 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2023-7334-01 - An update for rh-varnish6-varnish is now available for Red Hat Software Collections. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6842-01 - Red Hat OpenShift Container Platform release 4.12.43 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2023-6243-01 - An update for openshift-gitops-kam is now available for Red Hat OpenShift GitOps 1.10.
Red Hat Security Advisory 2023-6022-01 - An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include a denial of service vulnerability.
Cloudflare on Thursday said it mitigated thousands of hyper-volumetric HTTP distributed denial-of-service (DDoS) attacks that exploited a recently disclosed flaw called HTTP/2 Rapid Reset, 89 of which exceeded 100 million requests per second (RPS). "The campaign contributed to an overall increase of 65% in HTTP DDoS attack traffic in Q3 compared to the previous quarter," the web infrastructure
Red Hat Security Advisory 2023-6059-01 - Red Hat OpenShift Pipelines Client tkn for 1.12.1 has been released. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5982-01 - An update for foreman_ygg_worker, puppet-agent, qpid-proton, and yggdrasil is now available for Satellite Client 6 for RHEL 6, Satellite Client 6 for RHEL 7, Satellite Client 6 for RHEL 8, and Satellite Client 6 for RHEL 9. Issues addressed include code execution and denial of service vulnerabilities.
Red Hat Security Advisory 2023-5974-01 - An update for network-observability-console-plugin-container, network-observability-ebpf-agent-container, network-observability-flowlogs-pipeline-container, network-observability-operator-bundle-container, and network-observability-operator-container is now available for NETWORK-OBSERVABILITY-1.4.0-RHEL-9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5973-01 - Red Hat AMQ Streams 2.5.1 is now available from the Red Hat Customer Portal. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5715-01 - An update for the nginx:1.20 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5712-01 - An update for the nginx:1.20 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5951-01 - An update is now available for Red Hat OpenShift Service Mesh 2.3 for RHEL 8.
Red Hat Security Advisory 2023-5950-01 - An update is now available for Red Hat OpenShift Service Mesh 2.2 for RHEL 8.
Red Hat Security Advisory 2023-5929-01 - An update for tomcat is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5869-01 - An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5864-01 - An update for grafana is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5849-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5841-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5840-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5837-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5809-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.
Red Hat Security Advisory 2023-5801-01 - Migration Toolkit for Runtimes 1.2.1 Images. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5783-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.7.5 serves as a replacement for Red Hat JBoss Web Server 5.7.4. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References section. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5710-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 6.0 to SDK 6.0.123 and Runtime 6.0.23. Issues addressed include a denial of service vulnerability.
Debian Linux Security Advisory 5522-3 - A regression was discovered in the Http2UpgradeHandler class of Tomcat 9 introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong value for the overheadcount variable forced HTTP2 connections to close early.
Red Hat Security Advisory 2023-5770-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5768-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5764-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5711-01 - nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5709-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 7.0 to SDK 7.0.112 and Runtime 7.0.12. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5708-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 6.0 to SDK 6.0.123 and Runtime 6.0.23. Issues addressed include a denial of service vulnerability.
Debian Linux Security Advisory 5522-2 - The patch to address CVE-2023-44487 (Rapid Reset Attack) was incomplete and caused a regression when using asynchronous I/O (the default for NIO and NIO2). DATA frames must be included when calculating the HTTP/2 overhead count to ensure that connections are not prematurely terminated.
Plus, many of the world’s largest cloud providers are warning of a vulnerability that attackers exploited in August to launch the largest distributed denial-of-service attack on record.
Cisco Talos is actively tracking the novel distributed denial-of-service (DDoS) attacks cloud services provider Cloudflare disclosed earlier this week. The techniques described in Cloudflare’s blog post resulted in a record-breaking DDoS attack and could facilitate much larger attacks in the future. CVE-2023-44487 CVE-2023-44487, a vulnerability in the
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see ...
Debian Linux Security Advisory 5522-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.
Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild. Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September. The two
Microsoft today issued security updates for more than 100 newly-discovered vulnerabilities in its Windows operating system and related software, including four flaws that are already being exploited. In addition, Apple recently released emergency updates to quash a pair of zero-day bugs in iOS.
swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.
Amazon Web Services (AWS), Cloudflare, and Google on Tuesday said they took steps to mitigate record-breaking distributed denial-of-service (DDoS) attacks that relied on a novel technique called HTTP/2 Rapid Reset. The layer 7 attacks were detected in late August 2023, the companies said in a coordinated disclosure. The cumulative susceptibility to this attack is being tracked as CVE-2023-44487,
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Summary Summary Beginning in September 2023, Microsoft was notified by industry partners about a newly identified Distributed Denial-of-Service (DDoS) attack technique being used in the wild targeting HTTP/2 protocol. This vulnerability (CVE-2023-44487) impacts any internet exposed HTTP/2 endpoints. As an industry leader, Microsoft promptly opened an investigation and subsequently began working with industry partners for a coordinated disclosure and mitigation plan.