In October 2023, Cloudflare helped lead the disclosure of a zero-day vulnerability in the HTTP/2 protocol that allows high-volume DDoS attacks against HTTP resources such as web servers and web applications. Attackers had already been exploiting it for weeks before the disclosure, using it to launch hundreds of record-breaking attacks.
Security leaders see countless ‘record-breaking’ and ‘transformative’ announcements like this one, and generally, can take most of them with a grain of salt. However, this one is different for several reasons and represents a shift in the overall threat landscape.
To successfully navigate this shift, security leaders will need to accelerate key aspects of cloud migration and gain better visibility into risk across their entire customer-facing web infrastructure.
In the 2010s, many of the largest and most impactful DDoS attacks targeted Layers 3 and 4 of the OSI model. Attackers realized they had a relatively reliable tactic and used it repeatedly. Famous examples include the 2013 Spamhaus attack, the 2016 Dyn attack, and the 2019 Wikimedia attack; the Dyn attack alone generated over 1.3 Tbps of malicious traffic.
Of course, organizations adapted over time. The rate of cloud adoption increased — giving them less of their own network infrastructure to protect — and they invested in specialized technology designed to mitigate the largest network DDoS attacks.
As history repeats itself, it is no surprise to see attackers shift their tactics. In recent years, a number of notable DDoS attacks have exploited Layer 7 protocols, revealing the new trend. These attacks have been:
Hyper-volumetric in scale, measured in requests per second rather than in bits per second: what matters is the number of requests the target has to process in a given window, not the bandwidth each packet or request consumes
Based on more complex tactics, such as zero-days, recycling old techniques in new ways, and targeting specific industries and organizations
The new HTTP/2 vulnerability is a defining example of these trends and presents organizations with several unique challenges. Understanding why requires a brief explanation of how the vulnerability works.
This zero-day vulnerability, tracked as CVE-2023-44487, earned the nickname “Rapid Reset” because it abuses HTTP/2’s stream cancellation feature.
In the HTTP/2 protocol, a single TCP connection carries many concurrent streams, each a request/response exchange between a client and a server, and the server caps how many streams may be open at once. Crucially, a client can open a stream and then cancel it unilaterally by sending an RST_STREAM frame, without waiting for the server. There are plenty of legitimate reasons for using this feature, but in “Rapid Reset” attacks, threat actors open a request and cancel it immediately, over and over. Each cancelled stream stops counting against the connection’s concurrent-stream limit, yet the server has usually already allocated resources and begun processing the request before the cancellation arrives. The attacker can therefore push far more requests per connection than the concurrent-stream limit was meant to allow, sidestepping a server’s usual per-connection controls. (Cloudflare has published a detailed technical breakdown of the exploit.)
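The following is an added example written for this article; it is not code from the original page or from Cloudflare. It encodes a constructed burst of HEADERS frames, each immediately followed by an RST_STREAM, parses the raw frames back, and replays them against two server-side accounting models: a naive one that only enforces the concurrent-stream limit, and a hardened one that additionally budgets the number of resets per connection and closes the connection (as a real server would with GOAWAY) once that budget is exceeded. The frame layout follows RFC 9113; the HPACK header block is opaque filler and the limit values are my assumptions, chosen to make the effect visible.

```python
"""Replay a constructed HTTP/2 Rapid Reset burst against two stream-accounting models.

Added example, not from the original article. Assumes the frame sequence contains
only HEADERS (type 0x1) and RST_STREAM (type 0x3) frames; the HPACK payload is
opaque filler because only stream bookkeeping matters here.
"""
import struct
from dataclasses import dataclass, field
from typing import Iterator, Optional, Set, Tuple

HEADERS, RST_STREAM = 0x1, 0x3
END_HEADERS = 0x4
CANCEL = 0x8  # RST_STREAM error code the attack uses


def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Encode one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = (struct.pack(">I", len(payload))[1:]
              + bytes([ftype, flags])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header + payload


def rapid_reset_burst(n: int) -> bytes:
    """Constructed attacker traffic: n requests, each cancelled as soon as it is sent."""
    out = bytearray()
    for i in range(n):
        sid = 2 * i + 1  # client-initiated stream ids are odd
        out += frame(HEADERS, END_HEADERS, sid, b"\x82\x86\x84")  # opaque HPACK filler
        out += frame(RST_STREAM, 0, sid, struct.pack(">I", CANCEL))
    return bytes(out)


def iter_frames(data: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (type, flags, stream_id, payload) from a raw frame sequence."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, sid, payload
        off += 9 + length


@dataclass
class Server:
    max_concurrent: int = 100                 # SETTINGS_MAX_CONCURRENT_STREAMS (assumed value)
    reset_budget: Optional[int] = None        # hardened mode: resets allowed before GOAWAY
    open_streams: Set[int] = field(default_factory=set)
    requests_dispatched: int = 0              # requests handed to the backend
    resets: int = 0
    peak_open: int = 0
    closed: bool = False

    def feed(self, data: bytes) -> None:
        for ftype, _flags, sid, _payload in iter_frames(data):
            if self.closed:
                return
            if ftype == HEADERS:
                if len(self.open_streams) >= self.max_concurrent:
                    self.closed = True        # PROTOCOL_ERROR: stream limit exceeded
                    return
                self.open_streams.add(sid)
                self.requests_dispatched += 1  # backend work starts before any cancel arrives
                self.peak_open = max(self.peak_open, len(self.open_streams))
            elif ftype == RST_STREAM:
                self.open_streams.discard(sid)  # slot is freed instantly
                self.resets += 1
                if self.reset_budget is not None and self.resets > self.reset_budget:
                    self.closed = True        # hardened server gives up on this client
                    return


def simulate(n: int, reset_budget: Optional[int] = None) -> Server:
    """Run a burst of n request/cancel pairs through one server and return its state."""
    s = Server(reset_budget=reset_budget)
    s.feed(rapid_reset_burst(n))
    return s


if __name__ == "__main__":
    naive = simulate(10_000)
    print("naive: dispatched", naive.requests_dispatched, "peak open", naive.peak_open)
    hardened = simulate(10_000, reset_budget=100)
    print("hardened: dispatched", hardened.requests_dispatched, "closed", hardened.closed)
```

With the naive model the concurrent-stream limit never trips: the connection never has more than one stream open, yet all 10,000 requests reach the backend. The hardened model dispatches only 101 requests before closing the connection, which is the shape of the fixes server vendors shipped: count resets, not just open streams.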
Starting in August 2023, Cloudflare observed attackers using this method to powerful effect. During that period, hundreds of “Rapid Reset” attacks surpassed Cloudflare’s previous record of 71 million malicious requests per second (rps), and the largest exceeded that record by roughly a factor of three.
Why is this concerning?
One reason is the attackers’ infrastructure. The record-breaking attack used a botnet of roughly 20,000 machines, which is modest by the standards of modern botnets: Cloudflare regularly detects botnets comprising hundreds of thousands and even millions of machines. A small botnet producing a record-sized attack means larger ones could do far worse.
Also, the vulnerability itself is extremely widespread. Approximately 62% of all Internet traffic uses HTTP/2, so the majority of web applications and servers are exposed unless their HTTP/2 implementation has been patched. Initial Cloudflare research indicates HTTP/3 is probably vulnerable as well, leaving HTTP/1.1 as the only unaffected version. Falling back to HTTP/1.1 is rarely a realistic option, since much of the modern Internet relies on the performance improvements of HTTP/2 and HTTP/3.
This means that the vulnerability has significant potential to be adapted and exploited in the coming months and years. As new attack groups with more resources experiment with it, it’s not unreasonable to imagine another DDoS record being set.
So what should security leaders and their teams do to ensure they are protected?
Every security practice involves a successful mix of technology and process, and responding to this next generation of Layer 7 DDoS attacks is no different.
On a technological level, security leaders should prioritize the following steps:
Move Layer 7 DDoS mitigation outside your data centers. Even the most robust DDoS mitigation hardware would likely buckle under hyper-volumetric attacks like the “Rapid Reset”. If your organization has been considering moving Layer 7 DDoS mitigation to the cloud, now is a good time to act.
Consider a secondary cloud-based Layer 7 DDoS mitigation provider for resilience. While precisely predicting future attack size is difficult, this is often a general best practice for particularly critical web applications.
Ensure relevant web server, proxy, and operating system patches are deployed across all Internet-facing web servers. Also ensure that automation such as Terraform builds and base images is fully patched, so that older web server versions are not accidentally redeployed into production over the patched ones.
Technology alone will not provide sufficient protection. One reason has to do with patching, a simple thing to do in isolation but a harder thing to operationalize so that it happens consistently over time. For an example of this unfortunate truth, consider that one year after the Log4j vulnerability was disclosed and a patch was released, a majority of organizations were still partially exposed.
Also, modern web applications are more reliant than ever on partnerships and third-party integrations — all of which could also be vulnerable. Thus, it’s equally important for security leaders to prioritize these additional steps:
Understand your partner network’s external connectivity. Are those partners and other third parties fully aware of the vulnerability? Are they acting on the aforementioned technological steps?
Understand your existing processes and habits for detecting and responding to an attack and remediating network issues. The beginning of an active attack is no time to start evaluating your team’s resiliency and efficiency. Now is the moment to turn incident management, patching, and evolving your security protections into ongoing processes.
With these process improvements, organizations will be better positioned to withstand future “Rapid Reset” exploitation, and better prepared for other shifts in the broader DDoS landscape.
Cloudflare was one of the first organizations to identify this zero-day and has continually tracked its evolution, working across the industry to ensure organizations are protected. These efforts include developing and launching purpose-built new technology to stop these attacks and further improve the Cloudflare network’s ability to mitigate other massive attacks further down the line.
These improvements build on existing Cloudflare advantages aimed at helping organizations protect themselves from the largest attacks:
Over 228 Tbps of network capacity, to absorb the largest volume of malicious traffic
Globally distributed mitigation, so your customer experience doesn’t suffer due to traffic backhauling
Machine learning models powered by uniquely broad threat intelligence, to catch many zero-days before they’re announced
Cloudflare is the leading connectivity cloud company. It empowers organizations to make their employees, applications and networks faster and more secure everywhere, while reducing complexity and cost. Cloudflare’s connectivity cloud delivers the most full-featured, unified platform of cloud-native products and developer tools, so any organization can gain the control they need to work, develop, and accelerate their business.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Get the Deferring downtime: A guide to DDoS defense models ebook to learn more about DDoS mitigation.
After reading this article you will be able to understand:
How exploiting the “Rapid Reset” vulnerability results in massive DDoS attacks
How attackers combine tactics — e.g. DDoS and zero-days — to target organizations
What to do to protect your organization from the vulnerability