Google, Cloudflare, and Amazon recently prevented the largest Distributed Denial of Service (DDoS) attack on record.
Moreover, the attack employed a technique not seen before, which makes its successful prevention all the more notable.
Amazon defines a DDoS attack as,
A Denial of Service (DoS) attack is a malicious attempt to affect the availability of a targeted system, such as a website or application, to legitimate end users. Typically, attackers generate large volumes of packets or requests ultimately overwhelming the target system. In case of a Distributed Denial of Service (DDoS) attack, the attacker uses multiple compromised or controlled sources to generate the attack.
Put differently, the attacker will make use of a botnet, as an example, to bombard a targeted website or application with so many requests it cannot hope to process. This effectively renders the website or application unreachable and incapable of rendering any service.
According to a blog article published by Google, the attack, which was successfully defended against in August of this year, was approximately 7.5 times larger than any DDoS previously encountered. At its peak it reached 398 million requests per second directed at a targeted website.
When Google researchers began to investigate the spike in traffic intended to knock out Google's services and those of clients reliant on them, they discovered that the attack used a technique referred to as "Rapid Reset", which abuses stream multiplexing, a feature of the widely adopted HTTP/2 protocol.
Stream multiplexing was introduced with HTTP/2 and allows many requests to be carried in parallel over a single connection, whereas HTTP/1.1 processes the requests on a connection one after another. This lets HTTP/2 make far better use of an open connection.
Another feature of HTTP/2 is that the client can cancel a request unilaterally, with no coordination with the server. This feature was abused in the attack: the attacker would send a request and cancel it immediately, while the connection stayed open for further abuse.
In this instance, the attacker opened numerous streams at once, as in a standard HTTP/2 flood, and then cancelled each request immediately.
Because a cancelled stream no longer counts against the server's limit on concurrent streams, the attacker can keep an effectively unbounded number of streams flowing over a single open connection without ever exceeding that limit. Moreover, because the requests were cancelled, the attacker bore almost none of the cost of sending and processing them, while the server still had to do work for each one.
As to how the attacker reached nearly 400 million requests per second, Cloudflare notes that the request-and-cancel cycle was automated to scale. Since no protocol limit was ever exceeded, the cycle could be repeated indefinitely.
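To make the sequence above concrete, here is a small added model (not Google's, Cloudflare's or any vendor's code) of the two server-side checks involved: the concurrent-stream limit that an ordinary flood runs into, and the per-connection reset-rate limit that vendors added as a mitigation. The frame kinds, thresholds and client patterns are constructed assumptions for illustration.

```python
from collections import deque

class Http2ConnectionGuard:
    """Per-connection model of two server-side checks (assumed thresholds)."""

    def __init__(self, max_concurrent_streams=100, reset_window=200, max_resets=100):
        self.max_concurrent_streams = max_concurrent_streams
        self.max_resets = max_resets
        self.open_streams = set()
        self.responded = set()                    # streams the server already answered
        self.window = deque(maxlen=reset_window)  # 1 = reset before any response
        self.closed = False

    def on_frame(self, kind, stream_id):
        """Process one client frame and return the server's action."""
        if self.closed:
            return "CONNECTION_CLOSED"
        if kind == "HEADERS":                     # new request stream
            if len(self.open_streams) >= self.max_concurrent_streams:
                return "REFUSED_STREAM"           # the only limit a plain flood hits
            self.open_streams.add(stream_id)
            return "ACCEPT"
        if kind == "RST_STREAM":                  # unilateral client cancel, no handshake
            self.open_streams.discard(stream_id)  # frees a slot under the stream limit
            self.window.append(0 if stream_id in self.responded else 1)
            if sum(self.window) > self.max_resets:
                self.closed = True
                return "GOAWAY"                   # tear down the abusive connection
            return "CLOSED"
        if kind == "RESPONSE_SENT":               # server finished work on the stream
            self.responded.add(stream_id)
            self.open_streams.discard(stream_id)
            return "DONE"
        raise ValueError(f"unknown frame kind {kind!r}")

def rapid_reset_client(guard, n):
    """Constructed attacker pattern: each HEADERS followed at once by RST_STREAM."""
    actions = []
    for i in range(n):
        sid = 2 * i + 1                           # client-initiated streams use odd ids
        actions.append(guard.on_frame("HEADERS", sid))
        actions.append(guard.on_frame("RST_STREAM", sid))
    return actions

def plain_flood_client(guard, n):
    """Constructed pattern: open n streams and never cancel them."""
    return [guard.on_frame("HEADERS", 2 * i + 1) for i in range(n)]
```

With the default thresholds the plain flood is stopped by the stream limit after 100 streams, whereas the rapid-reset client is never refused a stream and is instead cut off with GOAWAY after its 101st reset.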
CVE-2023-44487 Prompts a Coordinated Response
The susceptibility of HTTP/2 to abuse in this way has been assigned the vulnerability tracking number CVE-2023-44487 and carries a severity score of 7.5 out of 10; the higher the score, the more severe the vulnerability.
Google shared its research and findings with Cloudflare and Amazon and, in a coordinated effort, the companies quickly produced and released patches to prevent exploitation by threat actors.
On this point, Google security researchers stated,
Any enterprise or individual that is serving an HTTP-based workload to the Internet may be at risk from this attack. Web applications, services, and APIs on a server or proxy able to communicate using the HTTP/2 protocol could be vulnerable. Organizations should verify that any servers they run that support HTTP/2 are not vulnerable, or apply vendor patches for CVE-2023-44487 to limit impact from this attack vector. If you are managing or operating your own HTTP/2-capable server (open source or commercial) you should immediately apply a patch from the relevant vendor when available.
The US Justice Department and the Federal Bureau of Investigation (FBI), at a recent conference, noted that DDoS attacks are often carried out against specific online games and against businesses.
Concerning attacks targeting games, these can stem from petty disputes or be carried out by parties attempting to gain a competitive advantage. Gamers also use DDoS-for-hire services in retaliation for petty squabbles.
As for businesses, they are attacked by DDoS-for-hire operations hired by rival companies seeking to siphon away their customers.
As for the times of year when DDoS attacks are most prevalent, Cameron Schroeder, chief of the Cyber and IP Crimes Section at the U.S. Justice Department, stated,
Historically and sort of sociologically, it has been one of the most massive DDoS periods. This is related to factors like kids are home from school or home for holiday break. They have extra time. They may get game consoles for Christmas or Hanukkah or Kwanzaa, and they may get new games and want to try them out…They want to be online. And they get mad when other people are beating them in games. So they decide that maybe they should use one of these services to gain an advantage.