In late August 2023, Cloudflare and other vendors faced a surge in hyper-volumetric HTTP distributed denial-of-service (DDoS) attacks [2] [5]. The attacks, known as HTTP/2 Rapid Reset attacks [2] [8], exploited a previously unknown weakness in HTTP/2 server implementations (tracked as CVE-2023-44487) that came to light during this period.

Description

Cloudflare observed thousands of these attacks over HTTP/2, many of them in the millions of requests per second [5]. The average attack rate was 30M rps [5]; dozens of attacks exceeded 100M rps, and the largest peaked at 201M rps [5]. Cloudflare's systems automatically detected and mitigated most of them [5]; emergency countermeasures were deployed and the mitigation systems were improved to keep the network available for Cloudflare and its customers [5].

As a result, HTTP DDoS attack traffic in Q3 rose 65% over the previous quarter [1] [2] [3] [4] [6] [8], to a total of 8.9 trillion HTTP DDoS attack requests. The Rapid Reset technique lets each bot open an HTTP/2 stream and cancel it immediately with an RST_STREAM frame: the server has already started work on the request, but the cancelled stream no longer counts against the connection's concurrent-stream limit, so a single connection can sustain a request rate far above what that limit was meant to allow. This gave botnets up to 5,000 times more force per node [6], enabling them to launch hyper-volumetric DDoS attacks [1] [3] [4] [6]. The most targeted industries were gaming, IT, cryptocurrency, computer software and telecom [1] [2] [3] [4] [6].
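To make the mechanism concrete, the following Python model of the server-side stream accounting is added here as an illustration; it is not code from Cloudflare or any of the vendors cited. It assumes a server limit of 100 concurrent streams, a made-up frame representation of (kind, stream_id, time) tuples, and an assumed mitigation that additionally rate-limits RST_STREAM frames per connection; the attacker and browser traces are constructed.

```python
"""Stream accounting for HTTP/2 Rapid Reset, before and after mitigation.

Constructed model for illustration: frames are (kind, stream_id, time_s)
tuples. Not the code of any real server; limits and thresholds are assumed.
"""
from collections import deque
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100  # assumed SETTINGS_MAX_CONCURRENT_STREAMS value


@dataclass
class Connection:
    active: set = field(default_factory=set)       # streams the server counts as open
    work_started: int = 0                          # backend requests already dispatched
    resets: deque = field(default_factory=deque)   # RST_STREAM timestamps in the window
    closed: bool = False
    reason: str = ""


def naive_handle(conn, frame):
    """Pre-mitigation accounting: the concurrency limit is checked only against
    open streams, and RST_STREAM frees the slot at once. The backend request
    dispatched on HEADERS keeps costing the server either way."""
    kind, sid, t = frame
    if conn.closed:
        return False
    if kind == "HEADERS":
        if len(conn.active) >= MAX_CONCURRENT_STREAMS:
            conn.closed, conn.reason = True, "too many concurrent streams"
            return False
        conn.active.add(sid)
        conn.work_started += 1
    elif kind in ("RST_STREAM", "END_STREAM"):   # client cancel or normal completion
        conn.active.discard(sid)
    return True


def hardened_handle(conn, frame, window_s=1.0, max_resets=MAX_CONCURRENT_STREAMS):
    """Assumed mitigation: also count RST_STREAM per sliding window. A client
    cancelling more streams per window than it may hold open at once is not a
    browser, so the connection is closed instead of having its slot refilled."""
    if not naive_handle(conn, frame):
        return False
    kind, sid, t = frame
    if kind == "RST_STREAM":
        conn.resets.append(t)
        while t - conn.resets[0] > window_s:
            conn.resets.popleft()
        if len(conn.resets) > max_resets:
            conn.closed, conn.reason = True, "RST_STREAM flood"
            return False
    return True


def run(handler, frames):
    """Feed a frame trace to a handler and return the resulting connection state."""
    conn = Connection()
    for frame in frames:
        if not handler(conn, frame):
            break
    return conn


def rapid_reset_frames(n, rate_per_s):
    """Constructed attacker trace: open a stream and reset it in the same instant, n times."""
    frames = []
    for i in range(n):
        sid, t = 2 * i + 1, i / rate_per_s
        frames += [("HEADERS", sid, t), ("RST_STREAM", sid, t)]
    return frames


def open_without_reset(n):
    """Constructed naive-flood trace: hold n streams open and never cancel them."""
    return [("HEADERS", 2 * i + 1, 0.0) for i in range(n)]


def browser_frames(n, rate_per_s, cancel_every=50):
    """Constructed legitimate trace: each stream completes after 50 ms and an
    occasional one is cancelled (e.g. a navigation abort)."""
    events = []
    for i in range(n):
        sid, t = 2 * i + 1, i / rate_per_s
        end = "RST_STREAM" if i % cancel_every == cancel_every - 1 else "END_STREAM"
        events += [(t, ("HEADERS", sid, t)), (t + 0.05, (end, sid, t + 0.05))]
    return [f for _, f in sorted(events, key=lambda e: e[0])]


if __name__ == "__main__":
    attack = rapid_reset_frames(10_000, 10_000)   # 10k requests in one second
    for name, handler in (("naive", naive_handle), ("hardened", hardened_handle)):
        c = run(handler, attack)
        print(f"{name}: dispatched={c.work_started} closed={c.closed} {c.reason}")
    c = run(naive_handle, open_without_reset(101))
    print(f"naive, no resets: dispatched={c.work_started} closed={c.closed} {c.reason}")
```

The point the model makes: the concurrency limit alone rejects a client that simply holds 101 streams open, but it never fires for a client that resets each stream the instant it opens, because the reset frees the slot while the request already dispatched keeps consuming backend resources. Counting resets per window closes that gap, and a real browser's occasional cancellation stays far below the threshold.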

The US, China, Brazil, Germany and Indonesia were the largest sources of application-layer DDoS attacks [1] [2] [3] [4], while the US, Singapore, China, Vietnam and Canada were the main targets [1] [2] [3] [4]. DNS-based DDoS attacks were the most common type, accounting for almost 47% of all attacks [1] [2] [3] [4]. Ransom DDoS attacks decreased [1] [2] [3] [4] [6], possibly because organizations are refusing to pay [2]. Cloudflare also defended against multiple attack attempts on Israeli and Palestinian websites after the outbreak of the Israel-Hamas conflict [2].

DDoS attacks increased in the third quarter [7], with the HTTP/2 Rapid Reset zero-day driving record-breaking incidents [7]. Cloudflare reported 89 attacks exceeding 100 million requests per second [7], the largest peaking at 201 million requests per second [7]. Gaming and gambling companies were the most targeted industries [7], in a period that coincided with major ransomware attacks on Las Vegas casinos [7]. Threat groups, including political hacktivists, built capabilities that turned DDoS into a far more potent weapon [7]. Cloudflare, Google and AWS issued warnings about the vulnerability [1] [2] [3] [7], urging organizations to patch their HTTP/2 servers and adjust their configurations [7]; Fastly and F5 also observed high attack volumes and recommended mitigations [7]. Cloudflare further noted attacks on Israeli media and financial institutions and rising activity against Palestinian websites [7].

Conclusion

These attacks drove a 65% increase in HTTP DDoS attack traffic and hit a wide range of industries. Cloudflare and other vendors detected and mitigated most of them, but emergency countermeasures were still needed. Because the technique abuses HTTP/2 stream handling across many server implementations rather than a flaw in one product, every organization running an HTTP/2 server needs to apply the vendor patches and configuration changes, not only those already under attack. The drop in ransom DDoS attacks may reflect organizations refusing to pay. The investment by threat groups, including political hacktivists [7], in making DDoS a more potent weapon shows how these attacks are evolving. Continued vigilance and mitigation remain essential to keep networks available and secure.

References

[1] https://cyberaffairs.com/news/record-breaking-100-million-rps-ddos-attack-exploits-http-2-rapid-reset-flaw/
[2] https://vulnera.com/newswire/unprecedented-100-million-rps-ddos-attack-exploits-http-2-rapid-reset-vulnerability/
[3] https://vulners.com/thn/THN:B6CC2EBF1025D0E36D09782B010B33C0
[4] https://www.redpacketsecurity.com/record-breaking-million-rps-ddos-attack-exploits-http-rapid-reset-flaw/
[5] https://blog.cloudflare.com/ddos-threat-report-2023-q3/
[6] https://thehackernews.com/2023/10/record-breaking-100-million-rps-ddos.html
[7] https://www.cybersecuritydive.com/news/zero-day-surge-ddos-attacks/697928/
[8] https://www.bankinfosecurity.com/breach-roundup-winter-vivern-hunting-for-emails-a-23409