HTTP/2 Protocol Vulnerability Used in Largest DDoS Attack

Google recorded the largest DDoS attack on its infrastructure, with an intensity of 398 million requests per second. This new attack is seven times greater than the previous record, where attackers managed to form a stream of 47 million requests per second. Other companies such as Amazon and Cloudflare have also experienced similar attacks. The new attack is linked to the identification of an HTTP/2 protocol vulnerability (CVE-2023-44487) that allows a huge flow of requests to be sent to the server with minimal load on the client.

The new attack technique, known as “Rapid Reset,” abuses the stream multiplexing provided by HTTP/2. Multiplexing allows a flow of requests to be formed within a single established connection, eliminating the need to open new network connections and to wait for acknowledgement of each request's receipt.

In the new attack, multiple streams were created within one connection, similar to previous methods used to attack HTTP/2. The key difference is that instead of waiting for a response after each request, the client immediately sent an RST_STREAM frame to cancel the request. This early cancellation avoided response traffic towards the client and bypassed the limit on the maximum number of concurrent streams that an HTTP server allows within one HTTP/2 connection. As a result, the volume of requests sent to the HTTP server depended solely on the capacity of the communication channel, rather than on the delay between sending a request and receiving a response (RTT, Round-Trip Time).
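The mitigation most servers adopted for this pattern is to count, per connection, how many of its own streams a client cancels and to close the connection when that count gets out of hand. The following is an added example, not code from the article or from any of the affected servers: it parses a constructed sequence of client-side HTTP/2 frames (RFC 9113 section 4.1 layout) and flags the connection once the cancellations exceed a threshold. The threshold value and the `build_frame`/`sample_stream` helpers are assumptions made for the example.

```python
HEADERS, RST_STREAM = 0x1, 0x3   # HTTP/2 frame type codes
CANCEL = 0x8                     # RST_STREAM error code CANCEL

def build_frame(ftype, flags, stream_id, payload=b""):
    """Constructed helper: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame: stop rather than misparse
        yield ftype, flags, stream_id, payload
        off += 9 + length

def rapid_reset_check(client_bytes, max_resets=10):
    """Count streams the client opened (HEADERS on a new odd stream id) and how
    many of those it then cancelled with RST_STREAM. Returns
    (opened, cancelled, flagged); flagged means the connection should be closed.
    max_resets is an assumed threshold, not a value from the article."""
    open_streams, opened, cancelled = set(), 0, 0
    for ftype, _flags, sid, _payload in parse_frames(client_bytes):
        if ftype == HEADERS and sid % 2 == 1 and sid not in open_streams:
            open_streams.add(sid)
            opened += 1
        elif ftype == RST_STREAM and sid in open_streams:
            open_streams.discard(sid)
            cancelled += 1
            if cancelled >= max_resets:
                return opened, cancelled, True   # stop early and close connection
    return opened, cancelled, False

def sample_stream(n_streams, cancel_every):
    """Constructed input: n_streams client streams, cancelling every k-th one
    right after its HEADERS frame (the attack cancels every one)."""
    out = b""
    for i in range(n_streams):
        sid = 2 * i + 1                                   # client stream ids are odd
        out += build_frame(HEADERS, 0x5, sid, b"\x82")    # END_STREAM|END_HEADERS, :method GET
        if i % cancel_every == 0:
            out += build_frame(RST_STREAM, 0, sid, CANCEL.to_bytes(4, "big"))
    return out

if __name__ == "__main__":
    print(rapid_reset_check(sample_stream(20, 1)))   # attack-like: (10, 10, True)
    print(rapid_reset_check(sample_stream(20, 5)))   # benign: (20, 4, False)
```

Real servers apply the count over a time window and also tolerate a small number of legitimate cancellations (browsers do cancel streams when a user navigates away), which is why the threshold matters more than the mechanism.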
