Cloudflare, Google, Microsoft and Amazon all suffered DDoS Layer 7 attacks in the past month. The attacks were enormously powerful due to a zero-day vulnerability in the HTTP/2 protocol.
Hackers managed to exploit a vulnerability in the HTTP/2 protocol to start DDoS attacks. Cloudflare, Google, Microsoft and Amazon all reported that they were able to successfully avert these attacks. They call the cause of the attacks the “HTTP/2 Rapid Reset.
How it works.
In a blog, Google explains exactly how ‘HTTP/2 Rapid Reset’ works. HTTP/2 was intended as a more efficient Internet protocol. Only the elements that make the protocol efficient are also exploitable by hackers for Layer 7 DDoS attacks.
In essence, a Rapid Reset sends a ‘stream’ to a website and then quickly cancels that operation. A ‘stream’ is basically a two-way traffic set up between user and server to exchange requests. To work efficiently for the end user, the ‘stream’ is never established due to the cancellation, but the HTTP/2 connection remains open in the meantime to handle the ‘streams’.
Hackers exploit this by sending many ‘streams’ and quickly following them with cancellations. The requests received no response from the server because they were cancelled quickly enough, leaving the hacker with less downlink bandwidth.
The protocol has a limit to block such attacks, but hackers work around this limit via a Rapid Reset. In theory, only a hundred “streams” may be sent at a time from a single TCP connection, but the cancellation makes the “stream” not count toward this limit. Since the server on the receiving end does have a connection open in the meantime, a rapid succession of Rapid Reset requests can overwhelm the server.
398 million requests per second
Google reported experiencing the heaviest attack in August. In it, the number of requests reached 398 million per second. According to the search giant, the attack was seven times larger than the heaviest attack it experienced before. At Cloudflare, the attacks also immediately pulled in the record, with 201 million requests per second. Moreover, the previous record had only been there since February, coming in at 70 million requests per second.
Also read: DDoS attacks changing from targeting IoT to VPS infrastructure