Google, Amazon and Cloudflare all issue warnings after dealing with the largest DDoS attack they have ever seen
Big-name tech firms have all warned about a new type of distributed denial of service (DDoS) event that began in late August.
The warnings came separately from Alphabet’s Google, Cloudflare and Amazon Web Services on Tuesday, when they collectively confirmed the largest DDoS attack to date, which they said they had mitigated.
Google, however, warned in a blog post that the record-breaking DDoS attacks began in late August and “continue to this day, targeting major infrastructure providers including Google services, Google Cloud infrastructure, and our customers.”
Last year, Google said it had blocked the largest DDoS attack recorded at the time. But in August 2023, it stopped an even larger DDoS attack – 7½ times larger – that also used new techniques to try to disrupt websites and Internet services.
And it warned that the DDoS utilised a new technique.
“This new series of DDoS attacks reached a peak of 398 million requests per second (rps), and relied on a novel HTTP/2 ‘Rapid Reset’ technique based on stream multiplexing that has affected multiple Internet infrastructure companies,” said Google. “By contrast, last year’s largest-recorded DDoS attack peaked at 46 million rps.”
Amazon Web Services also issued a blog post on Tuesday, noting that “since late August 2023, AWS has detected and been protecting customer applications from a new type of distributed denial of service (DDoS) event.”
“Between August 28 and August 29, 2023, proactive monitoring by AWS detected an unusual spike in HTTP/2 requests to Amazon CloudFront, peaking at over 155 million requests per second (RPS),” said AWS.
“Within minutes, AWS determined the nature of this unusual activity and found that CloudFront had automatically mitigated a new type of HTTP request flood DDoS event, now called an HTTP/2 rapid reset attack,” it said. “Over those two days, AWS observed and mitigated over a dozen HTTP/2 rapid reset events, and through the month of September, continued to see this new type of HTTP/2 request flood.”
Meanwhile web performance and security specialist Cloudflare also issued its own warning about the DDoS attack.
“Earlier today, Cloudflare, along with Google and Amazon AWS, disclosed the existence of a novel zero-day vulnerability dubbed the ‘HTTP/2 Rapid Reset’ attack,” Cloudflare warned. “This attack exploits a weakness in the HTTP/2 protocol to generate enormous, hyper-volumetric Distributed Denial of Service (DDoS) attacks.”
“Cloudflare has mitigated a barrage of these attacks in recent months, including an attack three times larger than any previous attack we’ve observed, which exceeded 201 million requests per second (rps),” it said. “Since the end of August 2023, Cloudflare has mitigated more than 1,100 other attacks with over 10 million rps – and 184 attacks that were greater than our previous DDoS record of 71 million rps.”
All three companies urged IT teams to update their web servers to remove the vulnerability.
At the time of writing, there was no indication from any of the tech giants as to the origin of the DDoS attack, or who was responsible.
Meanwhile the US government’s cybersecurity watchdog, CISA, issued an advisory about the matter on X (aka Twitter), and urged organisations providing HTTP/2 services to apply patches when available.
Cyber threat actors are exploiting an HTTP/2 protocol-based vulnerability (CVE-2023-44487) known as Rapid Reset to conduct #DoS and #DDoS attacks. Orgs providing HTTP/2 services should apply patches when available. See mitigations and read more at https://t.co/fgtzqKls21
— CISA Cyber (@CISACyber) October 10, 2023