Cloudflare has successfully defended against a significant wave of hyper-volumetric HTTP distributed denial-of-service (DDoS) attacks, many of which leveraged a recently disclosed vulnerability known as HTTP/2 Rapid Reset.
Eighty-nine of these attacks exceeded 100 million requests per second (RPS).
Details about the Campaign
This campaign led to a substantial 65% increase in HTTP DDoS attack traffic during Q3 compared to the preceding quarter.
There was a 14% rise in L3/4 DDoS attacks. In the third quarter, the total number of HTTP DDoS attack requests surged to 8.9 trillion, up from 5.4 trillion in Q2 2023 and 4.7 trillion in Q1 2023, surpassing the Q4 2022 count of 6.5 trillion.
HTTP/2 Flaw
The flaw in question, HTTP/2 Rapid Reset (CVE-2023-44487), was made public this month through an industry-wide coordinated disclosure.
The disclosure revealed DDoS attacks perpetrated by an unidentified actor who harnessed this vulnerability to target major providers such as Amazon Web Services (AWS), Cloudflare, and Google Cloud.
Fastly revealed that it had countered a similar attack, which peaked at around 250 million RPS and lasted approximately three minutes.
Cloudflare emphasized that botnets utilizing cloud computing platforms and exploiting HTTP/2 could generate up to 5,000 times more power per botnet node.
This capability enabled them to launch hyper-volumetric DDoS attacks even with relatively small botnets, typically comprising 5-20 thousand nodes.
Who’s the Main Target?
The sectors most frequently targeted by HTTP DDoS attacks are gaming, IT, cryptocurrency, computer software, and telecom.
The nations primarily responsible for application layer (L7) DDoS attacks were identified as the United States, China, Brazil, Germany, and Indonesia.
The United States, Singapore, China, Vietnam, and Canada were the principal targets of HTTP DDoS attacks.
DNS-based DDoS attacks retained their status as the most prevalent attack type for the second consecutive quarter, representing almost 47% of all attacks.
There was a 44% increase compared to the previous quarter. SYN floods held the second position, followed by RST floods, UDP floods, and Mirai attacks.
What’s the good news? Ransom DDoS attacks exhibited a decline. Cloudflare attributed this trend to the realization among threat actors that organizations are becoming less inclined to pay ransoms.
Securing Against DDoS Attacks in the Future
The future will likely witness further innovations in DDoS attack techniques and tools.
Threat actors will persist in their attempts to exploit emerging vulnerabilities, making it crucial for cybersecurity professionals to remain vigilant and continually update their defense strategies.
The declining trend in ransom DDoS attacks indicates that organizations are becoming less susceptible to extortion, but it also highlights the need for more concerted efforts to deter malicious actors.