Google managed to mitigate the largest DDoS attack ever registered against its infrastructure, an attack that was only possible because of a vulnerability in the HTTP/2 protocol.
Large DDoS attacks happen all the time, but we rarely hear about them because internet service providers and other types of organizations thwart the attacks. This means that attackers are constantly looking for ways to increase their output, hoping they’ll somehow manage to overwhelm existing protections.
Google highlights a worrying trend regarding the size of DDoS attacks yearly. It’s not just that they’re increasing in size, which is to be expected, but they’re growing much more than anyone would assume.
The largest DDoS attack mitigated by Google in 2022 reached around 46 million requests per second (rps). This new one was 7.5 times larger, clocking in at 398 million rps. The main difference is that attackers used a new HTTP/2 “Rapid Reset” technique, which takes advantage of a vulnerability in the HTTP/2 protocol.
“The most recent wave of attacks started in late August and continues to this day, targeting major infrastructure providers including Google services, Google Cloud infrastructure, and our customers,” said Google. “Although these attacks are among the largest attacks Google has seen, our global load-balancing and DDoS mitigation infrastructure helped keep our services running.”
“For a sense of scale, this two minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September 2023.”
The HTTP/2 vulnerability is already being tracked as CVE-2023-44487, with a CVSS score of 7.5 out of 10. Attackers abuse a standard HTTP/2 feature, stream multiplexing, in an unintended way: they open many streams at the same time and cancel them immediately.
“The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately,” Google also explained.
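The pattern Google describes, many streams opened and immediately cancelled on one connection, is what a server-side heuristic can key on. The following is an added example, not code from the article or from Google: it counts RST_STREAM frames against HEADERS frames per connection inside a sliding window and flags connections whose cancel rate looks like Rapid Reset. The thresholds and the sample traffic are assumptions constructed for the example.

```python
from collections import defaultdict, deque

# HTTP/2 frame types relevant to Rapid Reset (RFC 9113 names).
HEADERS = "HEADERS"        # opens a new request stream
RST_STREAM = "RST_STREAM"  # cancels a stream

class RapidResetDetector:
    """Flag a connection when, within `window_s` seconds, it sends more than
    `max_resets` RST_STREAM frames and at least `min_ratio` of the streams it
    opened were cancelled. Thresholds are example assumptions, not Google's."""

    def __init__(self, window_s=1.0, max_resets=100, min_ratio=0.5):
        self.window_s = window_s
        self.max_resets = max_resets
        self.min_ratio = min_ratio
        self._events = defaultdict(deque)  # conn_id -> (timestamp, frame_type)

    def observe(self, conn_id, ts, frame_type):
        """Record one frame; return True if the connection should be closed."""
        q = self._events[conn_id]
        q.append((ts, frame_type))
        while q and ts - q[0][0] > self.window_s:  # expire old events
            q.popleft()
        opened = sum(1 for _, f in q if f == HEADERS)
        resets = sum(1 for _, f in q if f == RST_STREAM)
        return resets > self.max_resets and opened > 0 and resets / opened >= self.min_ratio

def constructed_frames(conn_id, n, start_ts, cancel):
    """Constructed sample traffic: n streams opened 1 ms apart from start_ts;
    with cancel=True each stream is reset right after opening (Rapid Reset)."""
    out = []
    for i in range(n):
        ts = start_ts + i * 0.001
        out.append((conn_id, ts, HEADERS))
        if cancel:
            out.append((conn_id, ts + 0.0001, RST_STREAM))
    return out

def flagged_connections(frames, detector=None):
    """Replay frames in time order; return the set of connections to close."""
    detector = detector or RapidResetDetector()
    bad = set()
    for conn_id, ts, frame_type in sorted(frames, key=lambda e: e[1]):
        if detector.observe(conn_id, ts, frame_type):
            bad.add(conn_id)
    return bad

if __name__ == "__main__":
    traffic = constructed_frames("attacker", 500, 0.0, True) + constructed_frames("browser", 500, 0.0, False)
    print(flagged_connections(traffic))  # {'attacker'}
```

A browser that opens many streams without cancelling them is not flagged, which is the point of checking the ratio rather than the stream count alone.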
Silviu is a seasoned writer who followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.