In a startling disclosure on Tuesday, tech behemoths Google, Cloudflare, and Amazon AWS unveiled the magnitude of a Distributed Denial of Service (DDoS) attack that took place in August, likening its volume to a month’s worth of Wikipedia traffic condensed into a two-minute onslaught. The malevolent campaign utilized a novel method exploiting a zero-day vulnerability named “HTTP/2 Rapid Reset,” targeting the foundational technology of the internet.
The ferocity of the assault was unparalleled, peaking at a staggering 398 million requests per second, dwarfing previous records held by Google and Cloudflare at 46 million and 71 million RPS respectively. To grasp the enormity, Google pointed out that the two-minute attack generated more requests than the total number of article views reported by Wikipedia for the entire month of September 2023.
This malicious endeavor employed the “HTTP/2 Rapid Reset” vulnerability, which manipulates the protocol governing data requests between computers and websites. This nefarious technique allowed the attackers to overwhelm systems, setting a new, ominous benchmark in cyber warfare.
The revelation underscores a sinister evolution in DDoS attack strategies, highlighting the imperative for relentless vigilance and robust cybersecurity measures to safeguard the digital frontier.
“Those in the industry who have worked for decades to defeat DDoS attacks fully realize the challenges of dealing with attacks that take advantage of the way a protocol works, since these are often the most difficult to contend with. DDoS SMEs all agree there are likely dozens of novel protocol- and/or application-layer vulnerabilities sitting out there, ready to be discovered, and used to attack the most vulnerable aspect of the internet – its availability.
“This attack took advantage of a vulnerability in the way the HTTP2 protocol works, and in doing so, broke every record on the books for generating the most requests per second ever observed. This type of attack would most likely be classified as a reflective style of attack due to reports that said a small number of botnet infected devices (~20k) were able to generate a massive amount of requests due to the way the protocol was built.
“At one point in time, most people thought DDoS attacks were going to go extinct like the dodo bird. This event serves to remind the industry that DDoS attacks are alive and well and won’t go away anytime soon. It’s only a matter of time before more protocol- and/or application-layer vulnerabilities are discovered and exploited with similar outcomes.”