Massive DDoS Attack Leveraged Zero-Day in HTTP/2 Rapid Reset

Multiple Google services and Cloud users were allegedly the target of a unique HTTP/2-based DDoS attack. 

The attack used a cutting-edge method known as HTTP/2 Rapid Reset, a zero-day vulnerability in the HTTP/2 protocol tagged as CVE-2023-44487 that may be used to launch DDoS attacks.

The stated attack magnitudes are: Amazon mitigated attacks at a rate of 155 million requests per second, Cloudflare at 201 million rps, while Google withstood attacks at a record-breaking 398 million rps.

“These attacks were significantly larger than any previously reported Layer 7 attacks, with the largest attack surpassing 398 million requests per second”, Google said.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Details of the Largest DDoS Attack

In this case, the HTTP/2 protocol allows clients to instruct the server that a previous stream should be canceled by sending an RST_STREAM frame. The protocol does not call for any kind of coordination between the client and server; the client is free to cancel on their own. 

The Rapid Reset attack uses this technique to send and reject requests quickly, evading the server’s concurrent stream limit and overwhelming it without exceeding the specified threshold.

Attacks using numerous HTTP/2 connections that quickly switch between requests and resets are known as HTTP/2 rapid reset attacks.

HTTP/1.1 and HTTP/2 request and response pattern

Each connection can have infinite requests in flight due to the ability to reset streams instantly. This allows a threat actor to send a flood of HTTP/2 requests that can overwhelm a targeted website’s capacity to respond to new incoming requests, effectively shutting it down.

Hence, threat actors can overwhelm websites and take them offline by starting hundreds of thousands of HTTP/2 streams and quickly canceling them at scale over an established connection.

According to Cloudflare, this attack was made possible by exploiting various HTTP/2 protocol features and server implementation specifics.

Any vendor implementing HTTP/2 will likely be vulnerable to the attack since it takes advantage of a flaw in the HTTP/2 protocol. All modern web servers were included in this.

“CVE-2023-44487 is a different manifestation of HTTP/2 vulnerability. However, to mitigate it we were able to extend the existing protections to monitor client-sent RST_STREAM frames and close connections when they are being used for abuse. The legitimate client uses for RST_STREAM are unaffected”, Cloudflare reports.

The attack technique has been shared with web server suppliers by Cloudflare, Google, and AWS; all hope that these companies will roll out updates.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

1 hour ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

14 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

18 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

18 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

18 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

21 hours ago