Google, Cloudflare, And Amazon Prevent Record-Breaking DDoS Attack

Google, Cloudflare, and Amazon recently prevented the largest Distributed Denial of Service (DDoS) attack on record.

Moreover, the attack employed a new technique not seen before, making the attack's prevention even more special.


Amazon defines a DDoS attack as,

A Denial of Service (DoS) attack is a malicious attempt to affect the availability of a targeted system, such as a website or application, to legitimate end users. Typically, attackers generate large volumes of packets or requests, ultimately overwhelming the target system. In the case of a Distributed Denial of Service (DDoS) attack, the attacker uses multiple compromised or controlled sources to generate the attack.

Put differently, the attacker uses a botnet, for example, to bombard a targeted website or application with more requests than it can hope to process. This effectively renders the website or application unreachable and unable to provide any service.

According to a blog article published by Google, the attack was approximately 7.5 times larger than any DDoS attack Google had previously encountered and was successfully defended against in August of this year. At its peak, the attack reached 398 million requests per second against a potential victim's website.

When Google researchers investigated the spike in traffic intended to knock out Google's services, and those of clients reliant on them, they discovered that the attack used a technique referred to as "Rapid Reset", which abuses stream multiplexing, a feature of the widely adopted HTTP/2 protocol.

Stream multiplexing was introduced with HTTP/2 and allows many requests to be in flight in parallel over a single connection, whereas HTTP/1.1 processes the requests on a connection serially. In theory and in practice, HTTP/2 therefore makes better use of an open connection for greater efficiency.

Another feature of HTTP/2 is that the client can cancel a request unilaterally, without any coordination with the server. This feature was abused in the attack: the attacker would send a request and cancel it immediately, leaving the connection open for further abuse.

In this instance, the attacker opened numerous streams at once, as in a standard HTTP/2 flood, but then cancelled each request immediately.

This still allows the attacker to keep an unbounded number of requests in flight, because the connection stays open and the number of active streams never exceeds the server's predetermined limit on concurrent streams. Moreover, because the requests were cancelled, the attacker incurred very little of the cost of sending and processing requests, while the server still had to do work for each request before the cancellation took effect.

As to how the attacker could reach nearly 400 million requests per second, Cloudflare notes that the request-and-cancel cycle was automated to scale. Since no limits were technically exceeded, the cycle could be repeated indefinitely.
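As an added illustration, not code from Google, Cloudflare or Amazon, the Python below simulates the server side of one HTTP/2 connection: the concurrent-stream cap alone never trips, because every cancelled stream leaves the active set, while a check on the rate of RST_STREAM frames does. Frame names follow the HTTP/2 specification; the thresholds and the constructed trace are assumed values for the example, not any vendor's defaults.

```python
from collections import deque

# Per-connection parameters: the stream cap stands in for the server's advertised
# SETTINGS limit; the reset thresholds are assumed values for this example only.
MAX_CONCURRENT_STREAMS = 100
RESET_WINDOW_SECONDS = 1.0
MAX_RESETS_PER_WINDOW = 50
MIN_RESET_RATIO = 0.5  # resets must also be at least this share of opened streams

class ConnectionGuard:
    """Server-side stream bookkeeping for one HTTP/2 connection."""
    def __init__(self):
        self.active = set()          # streams currently open
        self.opened = 0              # streams opened over the connection's lifetime
        self.reset_times = deque()   # timestamps of recent RST_STREAM frames

    def on_frame(self, frame, stream_id, now):
        """Returns ACCEPT, REFUSE_STREAM (cap hit) or GOAWAY (abusive client)."""
        if frame == "HEADERS":
            if len(self.active) >= MAX_CONCURRENT_STREAMS:
                return "REFUSE_STREAM"  # a plain HTTP/2 flood is stopped here
            self.active.add(stream_id)
            self.opened += 1
        elif frame == "END_STREAM":
            self.active.discard(stream_id)  # normal completion
        elif frame == "RST_STREAM":
            self.active.discard(stream_id)  # cancelled: the cap is never reached
            self.reset_times.append(now)
            while self.reset_times and now - self.reset_times[0] > RESET_WINDOW_SECONDS:
                self.reset_times.popleft()
            resets = len(self.reset_times)
            if resets > MAX_RESETS_PER_WINDOW and resets >= MIN_RESET_RATIO * self.opened:
                return "GOAWAY"
        return "ACCEPT"

def replay(events):
    """Feeds (frame, stream_id, time) events to a fresh guard; returns (GOAWAY index or None, peak active)."""
    guard = ConnectionGuard()
    peak = 0
    for i, (frame, sid, t) in enumerate(events):
        if guard.on_frame(frame, sid, t) == "GOAWAY":
            return i, peak
        peak = max(peak, len(guard.active))
    return None, peak

def rapid_reset_events(n, dt=0.001):
    """Constructed trace: every request is cancelled as soon as it is sent (odd = client stream)."""
    return [(f, 2 * k + 1, k * dt) for k in range(n) for f in ("HEADERS", "RST_STREAM")]
```

With the constructed trace, the peak number of active streams stays at 1, so a server relying only on its concurrent-stream limit sees nothing unusual; the reset-rate check closes the connection on the 51st cancellation.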

Google has provided a technical explanation of the attack technique that makes for interesting reading, and Cloudflare has likewise published a highly technical article.

CVE-2023-44487 Prompts a Coordinated Response

The susceptibility of HTTP/2 to abuse in this way has been assigned the vulnerability identifier CVE-2023-44487 and a severity score of 7.5 out of 10; the higher the score, the more severe the vulnerability.

Google shared its research and findings with Cloudflare and Amazon, and in a coordinated effort the three quickly produced and released patches to prevent exploitation by threat actors.

To this end, Google security researchers stated,

Any enterprise or individual that is serving an HTTP-based workload to the Internet may be at risk from this attack. Web applications, services, and APIs on a server or proxy able to communicate using the HTTP/2 protocol could be vulnerable. Organizations should verify that any servers they run that support HTTP/2 are not vulnerable, or apply vendor patches for CVE-2023-44487 to limit impact from this attack vector. If you are managing or operating your own HTTP/2-capable server (open source or commercial) you should immediately apply a patch from the relevant vendor when available.

The US Justice Department and the Federal Bureau of Investigation (FBI), at a recent conference, noted that DDoS attacks are often carried out against specific online games and against businesses.

Concerning attacks targeting games, these can stem from petty disputes or are carried out by parties attempting to gain a competitive advantage. Gamers will also use DDoS-for-hire services in retaliation for petty squabbles.

As for businesses, they are attacked through DDoS-for-hire operations engaged by rival companies to siphon away customers.

As for the times of year when DDoS attacks are more prevalent, Cameron Schroeder, chief of the Cyber and IP Crimes Section at the U.S. Justice Department, stated,

Historically and sort of sociologically, it has been one of the most massive DDoS periods. This is related to factors like kids are home from school or home for holiday break. They have extra time. They may get game consoles for Christmas or Hanukkah or Kwanzaa, and they may get new games and want to try them out…They want to be online. And they get mad when other people are beating them in games. So they decide that maybe they should use one of these services to gain an advantage.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience working in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
