In a recent announcement, Google has successfully thwarted the largest Distributed Denial of Service (DDoS) attack ever recorded, which occurred in August. This massive assault reached staggering peaks, exceeding 398 million requests per second and was initiated through a previously unknown vulnerability in the HTTP/2 protocol.
DDoS attacks, the method of overloading websites with traffic until they become overwhelmed and go offline, have been on the rise. Federal websites and others experienced a significant wave of DDoS attacks during the previous summer.
Google has now reported its triumph in halting this record-breaking DDoS attack in August 2023, noting peaks of over 398 million requests per second. To put this into perspective, Google emphasized that this two-minute attack generated more requests than the total number of article views reported by Wikipedia for the entire month of September 2023. It’s worth noting that the previous record for such attacks was a “mere” 46 million requests per second.
According to the report, the current wave of attacks commenced at the end of August and continues to persist. These attackers are focusing on major infrastructure operators, including Google’s own services, Google Cloud infrastructure, and the company’s clientele. Similar incidents were also recorded by other cloud providers; for instance, Cloudflare reported an attack with over 201 million requests per second, while AWS documented an attack peaking at 155 million requests per second. Collaboratively with industry partners, these companies are actively researching the attack methodologies and devising countermeasures.
The underlying trigger for this record-breaking DDoS wave was identified as a recently discovered zero-day vulnerability dubbed “Rapid Reset” in the HTTP/2 protocol. Google has assigned it the identifier CVE-2023-44487. This vulnerability centers on the misuse of RST_STREAM frames within a TCP connection. Google explained that this vulnerability allowed a client to unilaterally terminate a previously established HTTP/2 stream, with no need for coordination between the client and server. As a result, the request would be terminated, but the HTTP/2 connection would remain open. Subsequently, the attacker could continuously initiate and abort new streams, leading to system crashes.
The mechanism behind these attacks, known as “rapid reset,” involves the client initiating a server request, promptly aborting it, and continually opening new streams. Google has issued a stern warning that any entity or individual offering HTTP-based workloads on the internet could potentially be vulnerable to this type of attack. Companies are advised to assess the vulnerability of their servers supporting HTTP/2 and apply the necessary vendor patches to mitigate this risk.