Google Mitigated the Largest DDoS Attack to Date, Peaking Above 398 Million RPS

Cyber Security Threat Summary:
Google says it mitigated a series of DDoS attacks reaching a peak of 398 million requests per second (rps), which is nearly 9 times bigger than the largest-recorded DDoS attack last year, peaking at 46 million rps. The latest set of attacks started in August and are still ongoing. According to Google, the attacks rely on a novel technique dubbed “Rapid Reset” which leverages stream multiplexing, a feature of the widely-adopted HTTP/2 protocol.

“The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame… This attack is called Rapid Reset because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately,” stated researchers in a recent blog post.

In short, the ability to open a batch of streams and cancel the streams immediately allows an HTTP/2 connection to have an indefinite number of requests, further allowing threat actors to overwhelm targeted servers and applications, effectively taking down websites and other internet services. To provide a magnitude of the attack strength generated by this technique, google reported that a two-minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September 2023.

Security Officer Comments:
The susceptibility of this new technique is being tracked as CVE-2023-44497, which received a CVSS score of 7.5/10, indicating a high level of severity. The implications for the attack vector are severe considering that any enterprise or individual serving a HTTP-based workload to the internet is at risk of being targeted. According to W3Techs, 35.6% of all websites use HTTP/2 protocol, leaving many web applications and services susceptible. As such it is imperative for organizations running servers that support HTTP/2 to ensure that they are not vulnerable and apply patches issued for CVE-2023-44497 from the relevant vendor when available.

Suggested Correction(s):
While defending against DDoS attacks can be challenging, organizations should implement loader balancers and limit internet access to web applications to reduce potential impact. Utilizing web application firewalls is key which can be used to block unwanted traffic and IP addresses and ranges that are deemed malicious. To defend against potential “Rapid reset” attacks, organizations can also create custom rules to automatically block and rate-limit HTTPS attacks from known signatures.

(Google) Mitigations for this attack vector can take multiple forms, but mostly center around tracking connection statistics and using various signals and business logic to determine how useful each connection is. For example, if a connection has more than 100 requests with more than 50% of the given requests canceled, it could be a candidate for a mitigation response. The magnitude and type of response depends on the risk to each platform, but responses can range from forceful GOAWAY frames as discussed before to closing the TCP connection immediately. To mitigate against the non-cancelling variant of this attack, we recommend that HTTP/2 servers should close connections that exceed the concurrent stream limit. This can be either immediately or after some small number of repeat offenses.