Internet-Wide Zero-Day Bug Fuels Largest-Ever DDoS Event

Ongoing Rapid Reset DDoS flood attacks exposed organizations need to patch CVE-2023-44487 immediately to head off crippling outages and business disruption.

An Internet-wide security vulnerability is at the root of a zero-day attack dubbed HTTP/2 Rapid Reset, which resulted in a distributed denial-of-service (DDoS) flood that was orders of magnitude larger than any previous attack ever recorded. It marks a new chapter in the evolution of DDoS threats, researchers noted.
Amazon Web Services, Cloudflare, and Google Cloud each independently observed the attack in question, which featured multiple waves of traffic that lasted for just minutes each. They targeted cloud and Internet infrastructure providers, and the attack took place over Aug. 28–29. Unknown perpetrators are behind the event, but its clear that they exploited a bug in the
HTTP/2 protocol
, which is used in about 60% of all Web applications.
AWS, Cloudflare, and Google worked with other cloud, DDoS security, and infrastructure vendors in a coordinated effort to minimize any real-world impact of the Rapid Reset attacks, mainly with load balancing and
other edge strategies
. But that doesnt mean the Internet is protected; plenty of organizations are still susceptible to the attack vector and will need to proactively patch their HTTP/2 instances to be immune to the threat.
The pioneering attack vector represents an important evolution of the DDoS landscape, according to Alex Forster, Cloudflares technical lead over DDoS engineering.
The threat of DDoS attacks is evolving quickly, and are far from a low-level annoyance that they used to be thought of as, he says. This attack – the largest in the history of the Internet – shows just how critical it is to increasingly pay mind to and consider DDoS as a key way for threat actors to disrupt businesses and wreak havoc.
The susceptibility to the attack within HTTP/2 is tracked as CVE-2023-44487, and it carries a high-severity CVSS score of 7.5 out of 10.
According to Cloudflare, HTTP/2 is a fundamental piece to how the Internet and most websites operate. HTTP/2 is responsible for how browsers interact with a website, allowing them to request to view things like images and text quickly, and all at once no matter how complex the website.
The attack technique involves making hundreds of thousands of HTTP/2 requests at once, then immediately canceling them, according to the companys analysis.
By automating this request, cancel, request, cancel pattern at scale, threat actors overwhelm websites and are able to knock anything that uses HTTP/2 offline, according to
Cloudflares advisory on the Rapid Reset attacks
, posted on Oct. 10.
During the peak of the August campaign, Cloudflare saw more than 201 million requests per second (rps), it said in a media statement provided to Dark Reading, with some organizations witnessing even larger numbers due to the timing of their mitigations. Thats triple the size of the previous record holder,
a DDoS attack last year that peaked at 71 million rps
.
Google, meanwhile, observed a peak of 398 million rps, seven and a half times larger than any previous attack against its resources; AWS detected a peak of more than 155 million rps targeted at the Amazon CloudFront service.
For a sense of scale, this [peak] two-minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September,
Google researchers pointed out
in a post on Oct. 10.
We cant predict the future of DDoS attacks, but this recent series of attacks moves the trend in observed attacks closer to the anticipated exponential growth of doubling every 18 months or so, a Google spokesperson tells Dark Reading. Defending services from attacks like these requires consistent capacity planning, as well as the ability to monitor for attacks and respond quickly.
The power of the method is such that the August tsunami was launched using a modestly sized botnet — fewer than 20,000 nodes. This makes Rapid Reset not only a powerful weapon but a highly efficient one as well.
Cloudflare regularly detects botnets that are
orders of magnitude larger than this
— comprising hundreds of thousands and even millions of machines, according to the companys analysis. For a relatively small botnet to output such a large volume of requests, with the potential to incapacitate nearly any server or application supporting HTTP/2, underscores how menacing this vulnerability is for unprotected networks.
While the Rapid Reset attacks havent had the critical impact that the cyberattackers behind them may have hoped, the fact that threat actors were able to pioneer the technique in the first place should put companies on notice, especially given that
DDoS attacks continue to be an important tool in cyberattackers arsenals
.
Cybersecurity is a race, Forster explains. While attackers carry out increasingly sophisticated and more impactful attacks,
defenders develop cutting-edge methods
and technology to combat them...After today, threat actors will be largely aware of the HTTP/2 vulnerability. It will inevitably become trivial to exploit and kick off the race between defenders and attacks — first to patch vs. first to exploit. Organizations of all sizes should assume that systems will be tested, and take proactive measures to ensure protection.
And indeed, attackers are launching DDoS attempts on an ongoing basis using the bug, despite extensive mitigations being put into place by cloud providers and DDoS security vendors in the wake of the initial zero-day offensive in August.
Over those two days, AWS observed and mitigated over a dozen HTTP/2 rapid reset events, and through the month of September, continued to see this new type of HTTP/2 request flood, the
cloud giant said in a post today
.
According to Google researchers, any enterprise or individual that is serving an HTTP-based workload to the Internet may be at risk from this attack. Web applications, services, and APIs on a server or proxy able to communicate using the HTTP/2 protocol could be vulnerable.
They added, Organizations that are managing or operating their own HTTP/2-capable server (open source or commercial) should apply vendor patches for CVE-2023-44487 when available.
While the HTTP/2 Rapid Reset vulnerability may have been record-breaking in size, the broader takeaways are not novel, Forster adds: Turn incident management, patching, and evolving your security protections into ongoing processes. Patches for each variant of a vulnerability reduce risk, but they never fully eliminate it.
Forster provided Dark Reading a list of actionable recommendations for shoring up defenses against Rapid Reset and other DDoS threats:
Understand your external and partner network’s external connectivity to remediate any Internet facing systems with the mitigations provided by vendors;
Understand your existing security protection and capabilities you have to protect, detect, and respond to an attack, and immediately remediate any issues you have in your network;
Ensure your DDoS protection resides outside of your data center, because if the traffic gets to your data center, it will be difficult to mitigate a DDoS attack;
Ensure you have DDoS protection for applications (Layer 7), and ensure you have Web Application Firewalls. Additionally as a best practice, ensure you have complete DDoS protection for DNS, network traffic (Layer 3), and API firewalls;
Ensure Web server and operating system patches are deployed across all Internet-facing Web servers. Also, ensure all automation like Terraform builds and images are fully patched, so older versions of Web servers are not deployed into production over the secure images by accident;
As a last resort, consider turning off HTTP/2 and HTTP/3 (potentially also vulnerable) to mitigate the threat. This is a last resort only, because there will be a significant performance issues if you downgrade to HTTP/1.1;
And, consider a secondary, cloud-based DDoS Layer 7 provider at perimeter for resilience.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Internet-Wide Zero-Day Bug Fuels Largest-Ever DDoS Event