AWS, Cloudflare and Google observed mass exploits of a novel zero-day vulnerability used to launch distributed denial of service attacks reaching a record-breaking scale, the companies said Tuesday.
Security researchers warned threat actors are exploiting the zero-day vulnerability, HTTP/2 Rapid Reset, to launch a series of attacks. Observations of peak requests per second during the attacks varied widely between AWS, Cloudflare and Google.
Google said the attacks peaked at 398 million requests per second, surpassing the largest DDoS attack observed during 2022, which topped out at 46 million requests per second.
The vulnerability is being tracked as CVE-2023-44487 and has a high severity CVSS score of 7.5, according to Google.
“This zero day provided threat actors with a critical new tool in their Swiss Army knife of vulnerabilities to exploit and attack their victims at a magnitude that has never been seen before,” Cloudflare CSO Grant Bourzikas said Tuesday in a blog post.
The vulnerability allows attackers to make hundreds of thousands of requests and then immediately cancel them at a scale that overwhelms the site, according to Cloudflare.
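The per-connection check that server-side mitigations for this class of attack rely on, shown here as an added illustration rather than code from the article or from any of the vendors named: it tracks HEADERS and RST_STREAM frames per connection and flags a connection whose rate of "open then immediately cancel" exceeds a threshold in a sliding window. The frame event format, thresholds and sample traffic are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
# Thresholds below are illustrative assumptions, not values from the article.
RESET_WINDOW_SECONDS = 1.0   # sliding window over which rapid resets are counted
MAX_RAPID_RESETS = 100       # rapid resets per connection per window before flagging
RAPID_CANCEL_SECONDS = 0.05  # RST_STREAM this soon after HEADERS counts as "rapid"

@dataclass
class Frame:
    conn_id: str
    ts: float         # arrival time in seconds
    kind: str         # "HEADERS" (opens a stream) or "RST_STREAM" (cancels it)
    stream_id: int

class RapidResetDetector:
    def __init__(self):
        self.open_at = defaultdict(dict)        # conn -> stream_id -> open time
        self.rapid_resets = defaultdict(deque)  # conn -> times of rapid resets
        self.flagged = set()                    # connections exceeding the limit

    def observe(self, f: Frame) -> bool:
        """Feed one frame; return True when this frame trips the limit."""
        if f.kind == "HEADERS":
            self.open_at[f.conn_id][f.stream_id] = f.ts
            return False
        if f.kind == "RST_STREAM":
            opened = self.open_at[f.conn_id].pop(f.stream_id, None)
            if opened is None or f.ts - opened > RAPID_CANCEL_SECONDS:
                return False            # unknown stream or a normal, late cancel
            q = self.rapid_resets[f.conn_id]
            q.append(f.ts)
            while q and f.ts - q[0] > RESET_WINDOW_SECONDS:
                q.popleft()             # drop resets that fell out of the window
            if len(q) > MAX_RAPID_RESETS:
                self.flagged.add(f.conn_id)
                return True
        return False

def build_sample(conn_id, n_streams, gap, cancel_delay):
    """Constructed traffic: n streams opened gap seconds apart, each cancelled cancel_delay later."""
    frames = []
    for i in range(n_streams):
        sid = 2 * i + 1                 # client-initiated HTTP/2 streams use odd IDs
        frames.append(Frame(conn_id, i * gap, "HEADERS", sid))
        frames.append(Frame(conn_id, i * gap + cancel_delay, "RST_STREAM", sid))
    return sorted(frames, key=lambda fr: fr.ts)  # stable sort keeps HEADERS first

def run(frames):
    det = RapidResetDetector()
    for f in frames:
        det.observe(f)
    return det.flagged
```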
Cloudflare said it was handling about 201 million requests per second at the peak of this series of attacks.
“One crucial thing to note about the record-breaking attack is that it involved a modestly-sized botnet, consisting of roughly 20,000 machines,” Bourzikas said.
AWS said it detected an unusual spike in requests at 155 million requests per second Aug. 28-29. This new type of HTTP/2 request flood continued through the month of September, according to AWS.
Despite the spectacular nature of some of these attacks, HTTP/2 Rapid Reset remains just an optimization of an older attack method called asymmetric query attacks, according to David Holmes, a principal analyst at Forrester.
Due to the client/server nature of HTTP and most of the web, malicious clients can make very expensive requests while spending relatively little compute power or packet space.
“Think about a malicious client requesting your largest PDF a hundred times a second for a couple of hours,” Holmes said via email. “The new rapid reset attack might allow the attacker to request that PDF a thousand times a second instead of a hundred, but either way your web server was going to be toast.”